On Tue, Oct 29, 2013 at 12:01 PM, Steve Grubb <sgr...@redhat.com> wrote:
> Hello,
>
> On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote:
> > On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgr...@redhat.com> wrote:
> > > On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
> > I'm 100% ok with the dynamic option changing it from NULL to a real value.
> > IMO I like that better than what I currently have.
> >
> > Old:
> > type=1300 msg=audit(1383022671.232:230): arch=40000028
>
> This arch is not defined:
> arch=unknown elf type(40000028)
>
> Which one is it?

FYI this is on Android with my patch backported to a 3.4 kernel, so pretty much all of my testing is around this setup. Also, we're running a custom stripped-down auditd over here, so it doesn't fix anything up. The architecture is ARM.

> > syscall=54
> > per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0
> > ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > comm=4173796E635461736B202331
>
> comm=AsyncTask #1
>
> > exe="/system/bin/app_process" subj=u:r:nfc:s0
> > key=(null)
> >
> > Issue:
> > comm field in task is only 16 chars,
>
> Yes, it's a limitation on ALL arches.
>
> > too small for most package names, and
> > already contains the VM command. I really have no information of what
> > Android app has created the issue.
>
> This is true for all arches. Usually you can have it pretty narrowly defined to
> where you have a pretty good guess between 2 or 3 apps with the same root
> name. But in your case it's totally named wrong.

I could set the title via prctl and PR_SET_NAME, but again I would be limited to 16 bytes; at least with cmdline I am limited to a page. As a simple example, a basic package name from Samsung gets truncated:
com.samsung.myapp

> > Solution:
> > Get the proc cmdline info (not trustworthy, but can help debugging Android)
> >
> > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000
> > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > comm=4173796E635461736B202331 exe="/system/bin/app_process"
> > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> >
> > Now I know it was the NFC app
>
> What do you get on x86_64 auditing a shell or python script with your same
> patch? Also, does cmdline potentially include arguments?

I would have to get back to you on this, but whatever is set in /proc/<pid>/cmdline shows up here, which means it could have arguments etc.

> -Steve

-- 
Respectfully,
William C Roberts
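The comm truncation and the hex-encoded comm value discussed in this thread, as an added example that is not part of the thread or of the audit project's code: it parses the SYSCALL record quoted above, decodes the hex-encoded comm, shows how a package name is cut to TASK_COMM_LEN - 1 characters, and splits a constructed /proc/<pid>/cmdline buffer to show that arguments come along with it.

```python
import re

# TASK_COMM_LEN in the kernel is 16 bytes including the terminating NUL,
# so at most 15 characters of a process name survive in the comm field.
COMM_MAX_CHARS = 15

# Sample record from the thread, reflowed onto a single line.
SAMPLE_RECORD = (
    'type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 '
    'success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 '
    'ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 '
    'fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 '
    'comm=4173796E635461736B202331 exe="/system/bin/app_process" '
    'cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)'
)

# A field is name=value; the value is either a double-quoted string or a
# run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into a dict, leaving values as the kernel wrote them."""
    return dict(FIELD_RE.findall(line))


def decode_untrusted(value):
    """Decode an 'untrusted string' field (comm, exe, cmdline, ...).

    The kernel hex-encodes such a value when it contains a space, a double
    quote or a control character (which is why "AsyncTask #1" appears as hex);
    otherwise it is emitted double-quoted. Only call this on string fields:
    a numeric field like pid=1378 also looks like hex."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r'[0-9A-Fa-f]+', value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value  # placeholders such as (null) or (none)


def comm_from_name(name):
    """What comm would hold for a task named `name` (exec and
    prctl(PR_SET_NAME) both truncate to TASK_COMM_LEN - 1 characters)."""
    return name[:COMM_MAX_CHARS]


def parse_cmdline(raw):
    """/proc/<pid>/cmdline is argv joined by NUL bytes with a trailing NUL,
    so every argument the process was started with is included."""
    return [a.decode('utf-8', errors='replace') for a in raw.split(b'\0') if a]
```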
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit