Ahh I didn't know they split them to events as well. The one reason they did away with auditd as it was submitted was to reduce memory consumption, so adding a new buffer for audit only may not fly if you try to upstream it.
The main issue with these smaller memory backed buffers is on chatty systems you can roll over before adb is even running, especially with engineering builds where C libs may have more verbose logs. You may miss early boot denial on modem and other critical systems. Also, on shutdown, you may miss denials after adb shuts down, in this case you need to look in /proc/last_kmsg. That's the one nice thing of having a dedicated, persistent source, is you didn't need to look in N places.

Also, a crafty exploit could generate a lot of messages, events, etc to help assist in rolling over the limited memory logs to hide their activity. Unlikely yes, but plausible. The same thing could be said about any persistent backed logs, except the threshold for rotation can be larger, making it more difficult.

On Thu, Jun 19, 2014 at 7:12 AM, Stephen Smalley <[email protected]> wrote:
> On 06/19/2014 09:16 AM, William Roberts wrote:
>> That works fine in a development scenario, for deployed devices just
>> filter on logcat with an app and save to disk or offload. The drawback
>> there is that you have to filter a stream at one point that was isolated
>> from the stuff you didn't care about, thus wasting battery for nothing.
>> As we have all seen, logcat is quite chatty.
>>
>> The other option is to hack logd to send to logcat and a separate
>> stream, perhaps to disk or wherever you would like.
>
> I guess the question is whether one of the existing options (/proc/kmsg,
> logcat -b events, logcat -b main) is sufficient already or if you truly
> need a dedicated audit-only stream. Not sure offhand how hard it is to
> add new buffers/streams to logd and the underlying infrastructure.
>

--
Respectfully,
William C Roberts
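An added example, not part of the original message and not logd code: one way to check whether denials were lost to buffer rollover is to merge the audit records from each capture by audit serial and list the serials that appear in no capture. It assumes all captures come from the same boot and that lines carry the usual `audit(<time>:<serial>)` stamp; the function name and the sample lines are constructed for illustration.

```python
import re

# Kernel audit stamp "audit(<time>:<serial>)"; the serial increases with each audit event.
AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def merge_audit(sources):
    """Merge audit records from several captures of one boot (hypothetical helper).

    sources maps a source name to its captured text. Returns (records, missing):
    records is keyed by audit serial, missing lists serials found in no source.
    """
    records = {}
    for name, text in sources.items():
        for line in text.splitlines():
            stamp = AUDIT_RE.search(line)
            if not stamp:
                continue  # ordinary log chatter, not an audit record
            rec = records.setdefault(int(stamp.group(2)), {"seen_in": [], "denial": None})
            rec["seen_in"].append(name)
            avc = AVC_RE.search(line)
            if avc:
                perms, scon, tcon, tclass = avc.groups()
                rec["denial"] = {"perms": perms.split(), "scontext": scon,
                                 "tcontext": tcon, "tclass": tclass}
    if not records:
        return records, []
    # A gap means at least one audit event is absent from every capture.
    missing = [s for s in range(min(records), max(records) + 1) if s not in records]
    return records, missing

# Constructed sample captures (not real device output).
SAMPLE = {
    "/proc/kmsg": """\
<6>[    4.10] type=1403 audit(1403186000.050:2): policy loaded auid=4294967295 ses=4294967295
<5>[    9.31] type=1400 audit(1403186005.120:3): avc:  denied  { read } for  pid=153 comm="rild" name="nv" dev="mmcblk0p9" ino=41 scontext=u:r:rild:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
<6>[    9.40] init: starting 'adbd'
<5>[   30.02] type=1400 audit(1403186026.004:6): avc:  denied  { write } for  pid=990 comm="sh" name="tmp" dev="tmpfs" ino=7 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir
""",
    "logcat -b events": """\
W/sh ( 990): type=1400 audit(0.0:6): avc: denied { write } for name="tmp" dev="tmpfs" ino=7 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir
W/sh ( 990): type=1400 audit(0.0:7): avc: denied { add_name } for name="x" scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir
""",
}

if __name__ == "__main__":
    recs, gaps = merge_audit(SAMPLE)
    print(f"{len(recs)} audit records merged, missing serials: {gaps}")
```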
