On Wed, Oct 23, 2013 at 01:40:42PM -0700, William Roberts wrote:
>From 0a8623b8f9fa625da81364cf3b87d2799171f83e Mon Sep 17 00:00:00 2001
From: William Roberts <wroberts(a)tresys.com>
Date: Tue, 22 Oct 2013 14:23:27 -0700
Subject: [PATCH] audit: Add cmdline to taskinfo output
Hi William (Bill?),
On some devices, the cmdline and task info vary. For instance, on
Android, the cmdline is set to the package name, and the task info
is the name of the VM, which is not very helpful.
Your patch doesn't apply to my tree for a couple of reasons. The
function audit_log_task_info() was moved from kernel/auditsc.c to
kernel/audit.c in commit b24a30a7 included in v3.10-rc1. We're up to
v3.12-rc6.
Please rebase, follow standard kernel coding style (or use a mailer that
won't mangle your patch), re-test and re-send. I use "git format-patch"
and "git send-email". Thanks!
Change-Id: I98a417c9ab3b95664c49aa1c7513cfd8296b6a2a
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
fs/proc/base.c | 2 +-
include/linux/proc_fs.h | 1 +
kernel/auditsc.c | 24 ++++++++++++++++++++++++
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2f198da..25b73d3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
return mm_access(task, PTRACE_MODE_READ);
}
-static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+int proc_pid_cmdline(struct task_struct *task, char *buffer)
{
int res = 0;
unsigned int len;
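Review bot: dropping `static` from proc_pid_cmdline() exposes a procfs-internal helper whose signature takes only `char *buffer` and no size, so every caller outside fs/proc/base.c has to know how large a buffer the function expects. Either add a length parameter, or keep this function static and export a small wrapper whose buffer requirement is documented next to it.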
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 85c5073..d85ac14 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -118,6 +118,7 @@ struct pid_namespace;
extern int pid_ns_prepare_proc(struct pid_namespace *ns);
extern void pid_ns_release_proc(struct pid_namespace *ns);
+extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
/*
* proc_tty.c
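Review bot: the single line added to proc_fs.h is a bare extern, with no comment on the buffer contract and no fallback definition. If kernel/auditsc.c can be built in a configuration where fs/proc/base.c is not, the new call will fail to link; please check that combination and add a stub returning 0 (or a Kconfig dependency) if it is possible.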
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 27ad9dd..7f2bf41 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
#include <linux/syscalls.h>
#include <linux/capability.h>
#include <linux/fs_struct.h>
+#include <linux/proc_fs.h>
#include "audit.h"
@@ -1158,6 +1159,8 @@ static void audit_log_task_info(struct audit_buffer
*ab, struct task_struct *tsk
char name[sizeof(tsk->comm)];
struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
+ unsigned long page;
+ int len;
/* tsk == current */
@@ -1179,6 +1182,27 @@ static void audit_log_task_info(struct audit_buffer
*ab, struct task_struct *tsk
}
up_read(&mm->mmap_sem);
}
+
+ /* Get the process cmdline */
+ page = __get_free_page(GFP_TEMPORARY);
+ if (!page)
+ goto out;
+
+ len = proc_pid_cmdline(tsk, (char *)page);
+ if (len <= 0)
+ goto free;
+
+ /*
+ * Ensure NULL terminated! Application could
+ * could be using setproctitle(3).
+ */
+ ((char *)page)[len-1] = '\0';
+
+ audit_log_format(ab, " cmdline=");
+ audit_log_untrustedstring(ab, (char *)page);
+free:
+ free_page(page);
+out:
audit_log_task_context(ab);
}
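Review bot: `((char *)page)[len-1] = '\0';` overwrites the last byte returned unconditionally, so a cmdline that does not already end in NUL loses its final character. Because audit_log_untrustedstring() takes a C string, the record also stops at the first NUL, which for a NUL-separated argument vector means only the first element is logged. If the whole command line is intended, pass the length explicitly, for example with audit_log_n_untrustedstring(ab, (char *)page, len), after deciding how the interior NULs should be represented. If only the first element is intended, say so in the commit message and in the comment. Two smaller points: the comment reads "could could", and the hunk allocates and frees a full page on every call to audit_log_task_info(), which deserves a word on cost in the changelog.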
--
1.7.9.5
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545