Previously I posted a patch to print the /proc/self/cmdline value during audit.

Steve Grubb had some concerns, as he has seen this before, of "let's fix this
once and for all, properly".

The major concerns (consolidated) were:
1. The value could be set by the process at runtime and therefore easily spoofed
2. The value could be too large (truncated at page level)
3. Performance concerns of copying a whole page from userspace on every record

Steve Grubb proposed adding some field in struct task and extending the prctl interface
for getter/setter.

My concern here is the spoofing portion. Obviously this needs to be controlled by someone
other than the process to which this applies; right now PR_SET_NAME would have the
same issue as cmdline, except being truncated to 16 bytes.

I don't see any capabilities or restrictions on existing prctl interfaces, outside of the MAC hook.

Can anyone chime in and either tell me my concerns are overkill or what here?

I don't want to go coding down a bad path on this.

--
Respectfully,

William C Roberts
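As an added illustration of the PR_SET_NAME point raised above (this is example code, not part of the original message or of any posted patch): an unprivileged process can rewrite the task name the kernel stores, and the kernel silently truncates it to 15 bytes plus NUL, which is exactly why an audit consumer cannot treat that field as an integrity-protected identifier. It assumes a Linux host with <sys/prctl.h>; COMM_LEN and the function names are the example's own.

```c
// Added example: demonstrates that the task "comm" field is writable by the
// process itself via prctl(PR_SET_NAME) without any capability, and that it
// is truncated to TASK_COMM_LEN (16, including NUL). Linux only.
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#define COMM_LEN 16  /* mirrors the kernel's TASK_COMM_LEN (assumption) */

/* Set the task name to `wanted` and read back what the kernel stored.
 * `stored` may be NULL. Returns the stored length (no NUL), -1 on error. */
int spoof_comm(const char *wanted, char *stored, size_t stored_len)
{
    char kbuf[COMM_LEN] = {0};
    if (prctl(PR_SET_NAME, (unsigned long)wanted, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_GET_NAME, (unsigned long)kbuf, 0, 0, 0) != 0)
        return -1;
    if (stored)
        snprintf(stored, stored_len, "%s", kbuf);
    return (int)strlen(kbuf);
}

/* Read /proc/self/comm, i.e. what an observer reading procfs would see.
 * Returns the length (newline stripped), or -1 on error. */
int read_proc_comm(char *out, size_t out_len)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f) return -1;
    if (!fgets(out, (int)out_len, f)) { fclose(f); return -1; }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return (int)strlen(out);
}

/* Returns 1 if procfs now shows the first 15 bytes of `wanted`, 0 if not,
 * -1 on error: the observer sees whatever the process chose to set. */
int procfs_reflects_spoof(const char *wanted)
{
    char seen[64];
    if (spoof_comm(wanted, NULL, 0) < 0 || read_proc_comm(seen, sizeof seen) < 0)
        return -1;
    return strlen(seen) == strnlen(wanted, COMM_LEN - 1) &&
           strncmp(seen, wanted, COMM_LEN - 1) == 0;
}

int main(void)
{
    char stored[64];
    const char *fake = "a-deliberately-long-name-0123456789"; /* constructed */
    int n = spoof_comm(fake, stored, sizeof stored);
    printf("requested: %s\nstored:    %s (%d bytes)\n", fake, stored, n);
    return 0;
}
```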