On Tue, Oct 29, 2013 at 10:44 AM, William Roberts <bill.c.roberts@gmail.com> wrote:
On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb <sgrubb@redhat.com> wrote:
On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
> On some devices, the cmdline and task info vary. For instance, on
> Android, the cmdline is set to the package name, and the task info
> is the name of the VM, which is not very helpful.
>
> The additional cmdline output only runs if the audit feature
> AUDIT_FEATURE_CMDLINE_OUTPUT is set high at runtime.

I don't exactly like this. The audit event records are very normalized. When
you have a specific kind of record, you can count on always having the certain
fields even if its value is (NULL). So, having fields swinging in and out by
configuration is not something I'd like to see start.

Can you show me an event that has the problem and what it looks like when it's
fixed by this patch?

Thanks,
-Steve


I'm 100% OK with the dynamic option changing it from NULL to a real value; IMO I like
that better than what I currently have.

Old:
type=1300 msg=audit(1383022671.232:230): arch=40000028 syscall=54 per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0 ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process" subj=u:r:nfc:s0 key=(null)

Issue:
The comm field in the task is only 16 chars, too small for most package names, and already contains the VM command. I really have no information about which Android app has created the issue.

Solution:
Get the proc cmdline info (not trustworthy, but it can help debugging Android)

type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process" cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)

Now I know it was the NFC app


FYI, from this point I would get the application from a trustworthy source and audit it; obviously this could be an app using setproctitle() and spoofing something legitimate, like malicious app A pretending to be Angry Birds. I can't read this cmdline value from userspace, as a denial from SELinux may cause the app to crash. So sometimes the app's proc entry is gone before I can record what happened in userspace.
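As an added example (not code from this thread or from the audit project), a small Python parser for the two SYSCALL records quoted above: it splits the key=value fields, decodes the hex-escaped comm, and prefers cmdline when the record carries it, falling back to comm when it does not. The record strings are embedded as constructed sample input; the field names are the ones visible in the records.

```python
import re

# Two SYSCALL (type=1300) records as quoted in the thread, embedded here as
# constructed sample input; the second carries the proposed cmdline field.
OLD_RECORD = ('type=1300 msg=audit(1383022671.232:230): arch=40000028 syscall=54 '
              'per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0 '
              'ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 '
              'fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 '
              'comm=4173796E635461736B202331 exe="/system/bin/app_process" '
              'subj=u:r:nfc:s0 key=(null)')
NEW_RECORD = ('type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 '
              'per=840000 success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c '
              'items=1 ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 '
              'suid=1027 fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) '
              'ses=4294967295 comm=4173796E635461736B202331 exe="/system/bin/app_process" '
              'cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)')

# key=value pairs: a value is a quoted string, a parenthesised token such as
# (null) or (none), or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

def parse_record(line):
    """Split one audit record into a dict of raw (undecoded) field values."""
    return dict(FIELD_RE.findall(line))

def decode_string_field(raw):
    """Quoted text is returned as-is; (null)/(none) become None; an unquoted
    hex run is the kernel's escape for strings containing spaces or quotes
    (here comm decodes to "AsyncTask #1")."""
    if raw is None or raw in ('(null)', '(none)'):
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def app_identity(line):
    """Best available process name plus the field it came from: cmdline when the
    record carries it (userspace-writable, so treat it as a hint), else the
    kernel-maintained 16-byte comm."""
    rec = parse_record(line)
    cmdline = decode_string_field(rec.get('cmdline'))
    if cmdline:
        return cmdline, 'cmdline'
    return decode_string_field(rec.get('comm')), 'comm'

if __name__ == '__main__':
    for rec in (OLD_RECORD, NEW_RECORD):
        print(app_identity(rec))
```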