I guess I'm thinking about how I can access the smallest set of data that I need to get the information I want.... However, wouldn't argv[0] typically be the VM name...

<vm> <program>

And on Android, to make it even more of a pain.... A VM is already running, that then forks itself and then invokes the classloader, so there is no explicit exec. I guess I could just set the comm field explicitly via the package name when the classloader loads the value, but I was hoping for something more generic that would let me get larger package names than 16.

On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb <sgrubb@redhat.com> wrote:
On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote:
> > > too small for most package names, and
> > > already contains the VM command. I really have no information of what
> > > Android App has created the issue.
> >
> > This is true for all arches. Usually you can have it pretty narrowly
> > defined to
> > where you have a pretty good guess between 2 or 3 apps with the same root
> > name. But in your case it's totally named wrong.
>
> I could set the title via prctl and PR_SET_NAME, but again I would be
> limited at 16 bytes, at least with cmdline I am limited at a page.

A page would be a problem for audit records. What I see is a NULL terminated
list of arguments which the program name is argv[0]. So, you'd want to grab
that one. But you could have something in there with PATH_MAX and whitespaces
which would be excessively long.

> As a simple example, a basic example from Samsung gets truncated.
>
> com.samsung.myapp
>
> > > Solution:
> > > Get the proc cmdline info (not trustworthy, but can help debugging Android)
> > >
> > > type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000
> > > success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> > > ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> > > fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> > > comm=4173796E635461736B202331 exe="/system/bin/app_process"
> > > cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
> > >
> > > Now I know it was the NFC app
> >
> > What do you get on x86_64 auditing a shell or python script with your same
> > patch? Also, does cmdline potentially include arguments?
>
> I would have to get back to you on this, but whatever is set in
> /proc/<pid>/cmdline shows up here, which means
> it could have arguments etc.

The reason I'm asking is that it might be better for all arches to switch. All
have the 16 character limit. But we would only want argv[0] and not the
arguments.

-Steve
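As an added illustration (not code from the thread or from the audit project), the points raised above in one place: decoding the hex-escaped comm field of the quoted NFC record, taking argv[0] out of the NUL-separated /proc/<pid>/cmdline buffer Steve describes, and showing the 15-character truncation that comm applies to a name like com.samsung.myapp. The record is the one quoted in the thread; the cmdline bytes are constructed, and the set of fields treated as hex-escaped is an assumption.

```python
import re

# The Android NFC record quoted in the thread, joined onto one line.
SAMPLE_RECORD = (
    'type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 '
    'success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 '
    'ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 '
    'fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 '
    'comm=4173796E635461736B202331 exe="/system/bin/app_process" '
    'cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)'
)

# Linux TASK_COMM_LEN: 16 bytes including the terminating NUL, so 15 visible characters.
TASK_COMM_LEN = 16

# Assumption: string fields the kernel hex-escapes when they contain spaces or quotes.
HEX_ESCAPED_FIELDS = {'comm', 'exe', 'cmdline', 'key', 'proctitle'}

def decode_field(key, value):
    """Quoted values are literal; an unquoted hex run in a string field is the
    kernel's escape for a value containing whitespace (here: 'AsyncTask #1')."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_ESCAPED_FIELDS and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            pass
    return value

def parse_record(line):
    """Split one audit record into a dict of decoded key=value fields."""
    return {k: decode_field(k, v) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def argv0_from_cmdline(cmdline_bytes):
    """/proc/<pid>/cmdline is argv joined by NUL bytes; argv[0] is the program name,
    which is all an audit record would want, not the trailing arguments."""
    argv = cmdline_bytes.split(b'\0')
    if argv and argv[-1] == b'':
        argv.pop()  # drop the empty element after the final NUL
    return argv[0].decode('utf-8', 'replace') if argv else ''

def comm_truncate(name):
    """What task->comm keeps of a name: at most TASK_COMM_LEN - 1 bytes."""
    return name.encode('utf-8')[:TASK_COMM_LEN - 1].decode('utf-8', 'ignore')

if __name__ == '__main__':
    rec = parse_record(SAMPLE_RECORD)
    print(rec['comm'], rec['exe'], rec['cmdline'])
    # Constructed cmdline for a plain "<vm> <program>" exec, where argv[0] is the VM.
    print(argv0_from_cmdline(b'/system/bin/app_process\0com.android.nfc\0'))
    print(comm_truncate('com.samsung.myapp'))
```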