So this still seems to be lingering as unresolved in my mind. I need to find out what the remaining reservations are on this feature. I am going to try and summarize...
Steve Grubb:
1. Any way to use argv values as cmdline could be a page (too big)
2. Doesn't like disappearing audit entries

Richard Briggs:
1. Can we make it dynamic on/off

Stephen Smalley:
1. Can we cache the data for performance reasons

So I addressed RGB's issues, which led to one of Steve Grubb's concerns. I can address both with: if feature on then print cmdline=value else print cmdline=(null).

Unfortunately the data I want to audit is the full proc/cmdline entry, which I think is the most generic way of getting at potential vm data through various fork mazes on Android, as well as gathering the data on other architectures as well. This also prevents us from hitting the 16 char width issue on task->comm. Increasing that will result in more non-pageable kernel memory use, versus my transient use of a page.

I also need to make sure I can get this data before the process terminates, which can happen if I try to acquire it in user-space.

Also, on error conditions, the last patch version will not print cmdline=(null), which is an error and can be trivially corrected. But before I put more time into it, I want to make sure the underlying idea will be accepted; architectures, caching, print formats etc. are all trivial.

--
Respectfully,
William C Roberts
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
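To make the two formatting points in the message concrete (the `cmdline=value` / `cmdline=(null)` output, and the 15-character limit of `task->comm` that a full cmdline avoids), here is an added user-space C example. It is not code from the thread or from the kernel patch under discussion. It assumes the raw image of `/proc/<pid>/cmdline` (argv strings, each NUL-terminated) has already been read into a buffer, models `task->comm` as the kernel does (basename of the executable, truncated to `TASK_COMM_LEN - 1` bytes), and hex-encodes the value when it contains bytes the audit subsystem treats as untrusted (space, control, non-ASCII or `"`), since a multi-argument cmdline always contains separators. The `feature_on` flag and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kernel constant: task->comm is TASK_COMM_LEN bytes, i.e. 15 chars plus NUL. */
#define TASK_COMM_LEN 16

/* Model of how exec sets task->comm: basename of the executable path,
 * silently truncated to TASK_COMM_LEN - 1 characters. */
static void set_task_comm(const char *exe_path, char comm[TASK_COMM_LEN])
{
    const char *base = strrchr(exe_path, '/');
    base = base ? base + 1 : exe_path;
    strncpy(comm, base, TASK_COMM_LEN - 1);
    comm[TASK_COMM_LEN - 1] = '\0';
}

/* Audit's rule for untrusted strings: any space/control/non-ASCII byte or a
 * double quote means the value is emitted hex-encoded rather than quoted. */
static int needs_hex(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] <= 0x20 || s[i] >= 0x7f || s[i] == '"')
            return 1;
    return 0;
}

/* Render a raw /proc/<pid>/cmdline image as a "cmdline=" audit field.
 * feature_on == 0, an empty read, or an oversized image yields cmdline=(null),
 * the format proposed in the message. Returns bytes written, or -1 if out is
 * too small. */
static int format_cmdline_field(const unsigned char *raw, size_t len,
                                int feature_on, char *out, size_t outsz)
{
    unsigned char buf[4096]; /* one page, like the transient buffer in the proposal */
    size_t n, i, pos;

    if (!feature_on || len == 0 || len > sizeof(buf)) {
        int w = snprintf(out, outsz, "cmdline=(null)");
        return (w >= 0 && (size_t)w < outsz) ? w : -1;
    }

    /* The image ends with the NUL of the last argument; drop it and turn the
     * NUL separators between arguments into spaces. */
    n = len;
    if (raw[n - 1] == '\0')
        n--;
    for (i = 0; i < n; i++)
        buf[i] = raw[i] == '\0' ? ' ' : raw[i];

    if (!needs_hex(buf, n)) {
        if (outsz < n + sizeof("cmdline=\"\""))
            return -1;
        pos = (size_t)sprintf(out, "cmdline=\"");
        memcpy(out + pos, buf, n);
        pos += n;
        out[pos++] = '"';
        out[pos] = '\0';
        return (int)pos;
    }

    if (outsz < 2 * n + sizeof("cmdline="))
        return -1;
    pos = (size_t)sprintf(out, "cmdline=");
    for (i = 0; i < n; i++)
        pos += (size_t)sprintf(out + pos, "%02X", buf[i]);
    return (int)pos;
}

/* Convenience wrappers returning static buffers, for quick checks. */
static const char *render(const unsigned char *raw, size_t len, int feature_on)
{
    static char out[8192 + 16];
    if (format_cmdline_field(raw, len, feature_on, out, sizeof(out)) < 0)
        return "(error)";
    return out;
}

static const char *comm_of(const char *exe_path)
{
    static char comm[TASK_COMM_LEN];
    set_task_comm(exe_path, comm);
    return comm;
}

int main(void)
{
    /* Constructed cmdline images: "/bin/ls" alone, and "/bin/ls -l". */
    const unsigned char one[] = "/bin/ls";          /* 8 bytes incl. NUL */
    const unsigned char two[] = "/bin/ls\0-l";      /* 11 bytes incl. NUL */

    printf("%s\n", render(one, sizeof(one), 1));    /* quoted form */
    printf("%s\n", render(two, sizeof(two), 1));    /* hex form, space present */
    printf("%s\n", render(two, sizeof(two), 0));    /* feature off */
    printf("comm=%s\n", comm_of("/usr/bin/a_very_long_program_name"));
    return 0;
}
```

Note how the comm model loses everything after the 15th byte of the basename, while the cmdline field keeps the full path and arguments, which is the point the message makes about preferring the /proc image over a wider `task->comm`.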
