Re: [PATCH] audit: Add cmdline to taskinfo output

Hello, On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote: > On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > > On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: > I'm 100% ok with the dynamic option changing it from NULL to a real value > IMO a like that better then what I currently have. > > Old: > type=1300 msg=audit(1383022671.232:230): arch=40000028 This arch is not defined: arch=unknown elf type(40000028) Which one is it?

> syscall=54 > per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0 > ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 > comm=4173796E635461736B202331 comm=AsyncTask #1 > exe="/system/bin/app_process" subj=u:r:nfc:s0 > key=(null) > > Issue: > comm field in task is only 16 chars, Yes, its a limitation on ALL arches. > to small for most package names, and > already contains the VM command. I really have no information of what > Android App has created the issue. This is true for all arches. Usually you can have it pretty narrowly defined to where you have a pretty good guess between 2 or 3 apps with the same root name. But in your case its totally named wrong.

> Solution: > Get the proc cmdline info (not trust worthy, but can help debugging Android) > > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 > comm=4173796E635461736B202331 exe="/system/bin/app_process" > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null) > > Now I know it was the NFC app What do you get on x86_64 auditing a shell or python script with your same patch? Also, does cmdline potentially include arguments?

-Steve