On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote:
> > to small for most package names, and
> > already contains the VM command. I really have no information of what
> > Android App has created the issue.
>
> This is true for all arches. Usually you can have it pretty narrowly
> defined to
> where you have a pretty good guess between 2 or 3 apps with the same root
> name. But in your case its totally named wrong.
I could set the title via prctl and PR_SET_NAME, but again I would be
limited at 16 bytes, at least with cmdline I am limited at a page.
A page would be a problem for audit records. What I see is a NULL terminated
list of arguments which the program name is argv[0]. So, you'd want to grab
that one. Butyou could have something in there with PATH_MAX and whitespaces
which would be excessively long.
As a simple example, a basic example from samsung gets truncated.
com.samsung.myapp
> > Solution:
> > Get the proc cmdline info (not trust worthy, but can help debugging
>
> Android)
>
> > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5
>
> per=840000
>
> > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > comm=4173796E635461736B202331 exe="/system/bin/app_process"
> > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> >
> > Now I know it was the NFC app
>
> What do you get on x86_64 auditing a shell or python script with your same
> patch? Also, does cmdline potentially include arguments?
I would have to get back to you on this, but whatever is set in
/proc/<pid>/cmdline shows up here, which means
it could have arguments etc.
The reason I'm asking is that it might be better for all arches to switch. All
have the 16 character limit. But we would only want argv[0] and not the
arguments.
-Steve