[PATCH] audit: Add cmdline to taskinfo output

William Roberts bill.c.roberts at gmail.com
Tue Oct 29 20:25:54 UTC 2013


On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote:
> > > > too small for most package names, and
> > > > already contains the VM command. I really have no information of what
> > > > Android App has created the issue.
> > >
> > > This is true for all arches. Usually you can have it pretty narrowly
> > > defined to where you have a pretty good guess between 2 or 3 apps with
> > > the same root name. But in your case it's totally named wrong.
> >
> > I could set the title via prctl and PR_SET_NAME, but again I would be
> > limited at 16 bytes, at least with cmdline I am limited at a page.
>
> A page would be a problem for audit records. What I see is a NULL
> terminated list of arguments in which the program name is argv[0]. So, you'd
> want to grab that one. But you could have something in there with PATH_MAX
> and whitespaces which would be excessively long.
>
> > As a simple example, a basic example from samsung gets truncated.
> >
> > com.samsung.myapp
> >
> > > > Solution:
> > > > Get the proc cmdline info (not trustworthy, but can help debugging
> > > > Android)
> > > >
> > > > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5
> > > > per=840000
> > > > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> > > > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > > > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > > > comm=4173796E635461736B202331 exe="/system/bin/app_process"
> > > > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> > > >
> > > > Now I know it was the NFC app
> > >
> > > What do you get on x86_64 auditing a shell or python script with your
> > > same patch? Also, does cmdline potentially include arguments?
> >
> > I would have to get back to you on this, but whatever is set in
> > /proc/<pid>/cmdline shows up here, which means
> > it could have arguments etc.
>
> The reason I'm asking is that it might be better for all arches to switch.
> All have the 16 character limit. But we would only want argv[0] and not the
> arguments.
>
> -Steve
>

I guess I'm thinking about how can I access the smallest set of data that I
need to get the information I want.... however, wouldn't argv[0] typically
be the vm name...
<vm> <program>
And on Android, to make it even more of a pain.... A VM is already running,
that then forks itself and then invokes the classloader, so there is no
explicit exec.

I guess I could just set the comm field explicitly via the packagename when
the classloader loads the value, but I was hoping for something more
generic that would let me get larger package names than 16.
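Added example, not part of this thread or of the audit patch under discussion: it shows the two data sources the thread compares, the NUL-separated /proc/<pid>/cmdline list (argv[0] first, arguments following) and the 16-byte comm field set via prctl(PR_SET_NAME). The argv[0] extractor bounds its copy so an over-long or whitespace-laden argv[0] cannot bloat a record, which is Steve's PATH_MAX concern; the AUDIT_ARGV0_MAX cap and the sample buffer are constructed for this example and are not kernel values.

```c
/* Added example (not from the thread): parse the /proc/<pid>/cmdline format
 * and demonstrate the comm truncation the thread talks about. Linux only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_SET_NAME / PR_GET_NAME: comm is 16 bytes incl. NUL */
#include <sys/types.h>
#include <unistd.h>

#define AUDIT_ARGV0_MAX 64   /* constructed cap for this example, not a kernel limit */

/* buf/len: raw bytes as read from /proc/<pid>/cmdline ("argv[0]\0argv[1]\0...").
 * Copies argv[0] into out (always NUL-terminated), truncating to outsz-1 bytes.
 * Returns the full, untruncated length of argv[0], or -1 when there is none
 * (kernel threads, for instance, expose an empty cmdline). */
int cmdline_argv0(const char *buf, size_t len, char *out, size_t outsz)
{
    if (len == 0 || outsz == 0)
        return -1;
    size_t n = 0;
    while (n < len && buf[n] != '\0')
        n++;
    if (n == 0)
        return -1;
    size_t copy = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, buf, copy);
    out[copy] = '\0';
    return (int)n;
}

/* Number of NUL-terminated entries in the buffer: shows that cmdline carries
 * the arguments too, not just the program name. */
int cmdline_argc(const char *buf, size_t len)
{
    int argc = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0')
            argc++;
    return argc;
}

/* Read /proc/<pid>/cmdline into buf; returns bytes read, or -1 on error. */
ssize_t read_proc_cmdline(pid_t pid, char *buf, size_t bufsz)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, bufsz, f);
    fclose(f);
    return (ssize_t)n;
}

int main(void)
{
    /* Constructed sample mirroring "<vm> <program>": argv[0] is the VM binary. */
    static const char sample[] = "/system/bin/app_process\0com.samsung.myapp\0";
    size_t sample_len = sizeof sample - 1;   /* drop the literal's implicit NUL */
    char argv0[AUDIT_ARGV0_MAX];
    int full = cmdline_argv0(sample, sample_len, argv0, sizeof argv0);
    printf("argv[0]=%s (len %d, argc %d)\n", argv0, full,
           cmdline_argc(sample, sample_len));

    /* comm holds 15 characters plus NUL, so a package name gets cut short. */
    char comm[16] = {0};
    if (prctl(PR_SET_NAME, "com.samsung.myapp") == 0 && prctl(PR_GET_NAME, comm) == 0)
        printf("comm after PR_SET_NAME: %s (%zu chars)\n", comm, strlen(comm));

    /* Live read of this process's own cmdline. */
    char live[4096];
    ssize_t n = read_proc_cmdline(getpid(), live, sizeof live);
    if (n > 0 && cmdline_argv0(live, (size_t)n, argv0, sizeof argv0) > 0)
        printf("own argv[0]=%s\n", argv0);
    return 0;
}
```

Run as a normal user; the prctl call only renames the calling thread, so the printed comm shows exactly the 15-character truncation that motivates the patch, while the parsed argv[0] shows why cmdline alone still names the VM rather than the app.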