On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb <sgr...@redhat.com> wrote:
> On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote:
> > > > too small for most package names, and
> > > > already contains the VM command. I really have no information of what
> > > > Android App has created the issue.
> > >
> > > This is true for all arches. Usually you can have it pretty narrowly
> > > defined to where you have a pretty good guess between 2 or 3 apps with
> > > the same root name. But in your case it's totally named wrong.
> >
> > I could set the title via prctl and PR_SET_NAME, but again I would be
> > limited at 16 bytes, at least with cmdline I am limited at a page.
>
> A page would be a problem for audit records. What I see is a NULL
> terminated list of arguments which the program name is argv[0]. So, you'd
> want to grab that one. But you could have something in there with PATH_MAX
> and whitespaces which would be excessively long.
>
> > > > As a simple example, a basic example from samsung gets truncated.
> > > >
> > > > com.samsung.myapp
> > > >
> > > > Solution:
> > > >
> > > > Get the proc cmdline info (not trustworthy, but can help debugging
> > > > Android)
> > > >
> > > > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process" cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> > > >
> > > > Now I know it was the NFC app
> > >
> > > What do you get on x86_64 auditing a shell or python script with your
> > > same patch? Also, does cmdline potentially include arguments?
> >
> > I would have to get back to you on this, but whatever is set in
> > /proc/<pid>/cmdline shows up here, which means it could have arguments etc.
>
> The reason I'm asking is that it might be better for all arches to switch.
> All have the 16 character limit. But we would only want argv[0] and not the
> arguments.
>
> -Steve

I guess I'm thinking about how I can access the smallest set of data that I need to get the information I want.... However, wouldn't argv[0] typically be the VM name?

<vm> <program>

And on Android, to make it even more of a pain.... A VM is already running, that then forks itself and then invokes the classloader, so there is no explicit exec. I guess I could just set the comm field explicitly via the packagename when the classloader loads the value, but I was hoping for something more generic that would let me get larger package names than 16.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
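The thread turns on three mechanics: /proc/<pid>/cmdline is a NUL-separated argv image, comm holds only 16 bytes including its terminator, and audit hex-encodes untrusted strings (which is why the record above shows comm=4173796E635461736B202331 rather than "AsyncTask #1"). The C program below is an added example, not code from the thread or from William's audit patch. It extracts argv[0] from a cmdline image with a bounded copy (handling the empty image of a kernel thread and an image with no terminating NUL), counts the arguments that would otherwise ride along in a cmdline= field, reproduces the TASK_COMM_LEN truncation a package name suffers, and applies the rule the kernel's audit_log_untrustedstring() uses to choose between quoted and hex output. The sample cmdline image and the argument appended to it are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of task_struct->comm in the kernel, including the trailing NUL,
 * so at most 15 bytes of a name survive. */
#define TASK_COMM_LEN 16

/* Constructed sample of a /proc/<pid>/cmdline image: NUL-separated argv
 * with a trailing NUL. argv[0] is the NFC app from the record in the thread;
 * the argument after it is made up for this example. */
static const char sample_cmdline[] = "com.android.nfc\0--example-arg\0";
static const size_t sample_cmdline_len = sizeof sample_cmdline - 1;

/* Copy argv[0] out of a cmdline image, keeping at most out_size-1 bytes.
 * Returns the untruncated length of argv[0], or -1 for an empty image
 * (kernel threads have no cmdline at all). An image without any NUL is
 * treated as a single argument. */
long cmdline_argv0(const char *buf, size_t len, char *out, size_t out_size)
{
    if (len == 0 || out_size == 0)
        return -1;
    const char *nul = memchr(buf, '\0', len);
    size_t n = nul ? (size_t)(nul - buf) : len;
    size_t copy = n < out_size - 1 ? n : out_size - 1;
    memcpy(out, buf, copy);
    out[copy] = '\0';
    return (long)n;
}

/* Count the arguments in a cmdline image: one per NUL, plus one for an
 * unterminated tail. Everything beyond argv[0] is what a cmdline= field
 * would carry in addition to the program name. */
size_t cmdline_argc(const char *buf, size_t len)
{
    size_t argc = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0')
            argc++;
    if (len > 0 && buf[len - 1] != '\0')
        argc++;
    return argc;
}

/* Reproduce the truncation a name gets when stored in comm, whether set by
 * exec or by prctl(PR_SET_NAME): TASK_COMM_LEN-1 bytes and a forced NUL. */
void comm_from_name(const char *name, char comm[TASK_COMM_LEN])
{
    strncpy(comm, name, TASK_COMM_LEN - 1);
    comm[TASK_COMM_LEN - 1] = '\0';
}

/* Format an untrusted string the way the kernel's audit_log_untrustedstring()
 * does: hex-encode it (uppercase, no quotes) if it contains a byte below 0x21,
 * above 0x7e or a double quote, otherwise emit it in double quotes. Returns
 * the number of bytes written (excluding the NUL), or -1 if out is too small. */
long audit_format_untrusted(const char *s, char *out, size_t out_size)
{
    size_t n = strlen(s);
    int needs_hex = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x21 || c > 0x7e || c == '"') {
            needs_hex = 1;
            break;
        }
    }
    if (needs_hex) {
        if (out_size < 2 * n + 1)
            return -1;
        for (size_t i = 0; i < n; i++)
            sprintf(out + 2 * i, "%02X", (unsigned char)s[i]);
        return (long)(2 * n);
    }
    if (out_size < n + 3)
        return -1;
    out[0] = '"';
    memcpy(out + 1, s, n);
    out[n + 1] = '"';
    out[n + 2] = '\0';
    return (long)(n + 2);
}

int main(void)
{
    char argv0[64], comm[TASK_COMM_LEN], field[128];

    cmdline_argv0(sample_cmdline, sample_cmdline_len, argv0, sizeof argv0);
    printf("argv[0]=%s argc=%zu\n", argv0,
           cmdline_argc(sample_cmdline, sample_cmdline_len));

    comm_from_name("com.samsung.myapp", comm);
    printf("comm=%s (truncated from com.samsung.myapp)\n", comm);

    audit_format_untrusted("AsyncTask #1", field, sizeof field);
    printf("comm=%s (the encoding seen in the record)\n", field);
    audit_format_untrusted("com.android.nfc", field, sizeof field);
    printf("cmdline=%s\n", field);
    return 0;
}
```

The space in "AsyncTask #1" is what forces the hex form in the thread's record, and a 17-byte package name loses its last two bytes in comm; the argv0 copy shows why Steve prefers argv[0] over the full page-sized image, and why even argv[0] still needs a length cap before it goes into a record.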