Thank you for your advice.
Actually, I implemented it like this.
----------------------------------------------------------------------------------------------------------------------------
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c7f2c6..19f769d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -396,6 +396,19 @@ static void audit_printk_skb(struct sk_buff *skb)
audit_hold_skb(skb);
}
+//jaejyn.shin
+static void audit_printk_skb_without_hold(struct sk_buff *skb)
+{
+ struct nlmsghdr *nlh = nlmsg_hdr(skb);
+ char *data = NLMSG_DATA(nlh);
+ if (nlh->nlmsg_type != AUDIT_EOE) {
+ if (printk_ratelimit())
+ printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
+ else
+ audit_log_lost("printk limit exceeded\n");
+ }
+}
+
static void kauditd_send_skb(struct sk_buff *skb)
{
int err;
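Review bot: the audit_log_lost("printk limit exceeded\n") call on the rate-limited branch of audit_printk_skb_without_hold counts a record as lost that was not lost. In this patch the helper is only reached from the else branch of kauditd_send_skb, i.e. after the netlink send to auditd succeeded (see the "drop the extra reference if sent ok" path), so the record has already been delivered and only the duplicate kernel-log copy is being suppressed. Inflating the lost counter there misreports the auditd side; either drop the audit_log_lost() call from this helper or keep a separate counter for suppressed printk copies. Separately, the body duplicates audit_printk_skb apart from its trailing audit_hold_skb(skb); rather than copying the printk/ratelimit logic, split the existing function into a print helper both callers use and keep the hold in audit_printk_skb. The `//jaejyn.shin` marker should also go: kernel style uses /* */ comments, and authorship belongs in the commit message, not the source.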
@@ -409,9 +422,11 @@ static void kauditd_send_skb(struct sk_buff *skb)
audit_pid = 0;
/* we might get lucky and get this in the next auditd */
audit_hold_skb(skb);
- } else
+ } else {
+ audit_printk_skb_without_hold(skb); //jaejyn.shin
/* drop the extra reference if sent ok */
consume_skb(skb);
+ }
}
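Review bot: the new call in the else branch prints every audit record to the kernel log whenever auditd is running, and nothing in the hunk gates it (no sysctl, boot parameter or audit control message), so the kernel-log copy cannot be turned off in production; consider putting it behind a flag so the dual-logging behaviour is opt-in. Keep the call where it is relative to consume_skb: reading nlmsg_hdr(skb) after netlink_unicast has returned is only valid because kauditd_send_skb still holds the extra reference that consume_skb drops, so the printk must stay before it. The trailing `//jaejyn.shin` comment on the call line should be removed for the same style reason as in the previous hunk.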
----------------------------------------------------------------------------------------------------------------------------
The violation logs were successfully retained on both sides (kernel
logs and auditd logs).
But I am not sure that this source is safe and has no other problems.
I should also apply your solution.
Thank you
Best regards
2013/11/13 William Roberts <[email protected]>
> What you have is the older version.... I would recommend this change; it's
> less invasive and more in line with an upstream audit change
>
> You may want these instead:
> Kernel:
> https://android-review.googlesource.com/#/c/60880/
> https://android-review.googlesource.com/#/c/60881/
>
> Userspace:
> https://android-review.googlesource.com/#/c/58910/
>
> On Tue, Nov 12, 2013 at 6:52 PM, William Roberts <[email protected]> wrote:
>
>> You also need the kernel change:
>>
>> https://bitbucket.org/billcroberts/kernel-msm/commits/937eed8878ac2a3240d2e551e42a984029ce746d?at=seandroid-msm-mako-3.4-jb-mr1.1-auditlogsplit
>>
>> On Tue, Nov 12, 2013 at 6:19 PM, Jaejyn Shin <[email protected]> wrote:
>>
>>> Thanks for your direction.
>>> I found the commit of Bill Roberts (
>>> https://bitbucket.org/billcroberts/system-core/commits/2d9108dde0fa81592d51968ee7002fb32e14f6cd
>>> )
>>>
>>> The reason why I want to do it is that I want to show the violation logs to
>>> application developers who do not want to see the kernel logs, but the kernel
>>> log, which has the violation logs, is needed by me to handle SEAndroid.
>>>
>>> To modify some policies or find the solution, I want to see the kernel
>>> logs around the violation logs.
>>>
>>> Thank you
>>> Best regards
>>>
>>> 2013/11/13 Stephen Smalley <[email protected]>
>>>
>>>> On 11/10/2013 07:47 PM, Jaejyn Shin wrote:
>>>> > Thank you for your advice.
>>>> >
>>>> > Yes. I patched auditd to my kernel referring
>>>> > http://selinuxproject.org/page/NB_SEforAndroid_1#auditd_Daemon
>>>> >
>>>> > I am looking for a way to write logs to both sides (/data/misc/audit and the
>>>> > kernel log), but it is not easy to find the way.
>>>>
>>>> Requires a kernel patch to support. Bill Roberts posted a patch and
>>>> uploaded it to gerrit a while back to support that functionality, but it
>>>> wasn't taken. I wasn't clear why you would want that to happen.
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>
> --
> Respectfully,
>
> William C Roberts