Previously I posted a patch to print during audit the proc/self/cmdline value.
Steve Grubb had some concerns, as he has seen this before of "let's fix this once and for all, properly". The major concerns (consolidated) were:

1. The value could be set by the process at runtime and therefore easily spoofed
2. The value could be too large (truncated at page level)
3. Performance concerns of copying a whole page from userspace on every record

Steve Grubb proposed adding some field in struct task and extending the prctl interface for getter/setter.

My concern here is the spoofing portion. Obviously this needs to be controlled by someone other than the process to which this applies; right now the PR_SET_NAME would have the same issue as cmdline, except be truncated to 16 bytes. I don't see any capabilities or restrictions on existing prctl interfaces, outside of the MAC hook.

Can anyone chime in and either tell me my concerns are overkill or what here? I don't want to go coding down a bad path on this.

--
Respectfully,
William C Roberts
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
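The PR_SET_NAME behaviour raised in the message above, as an added example that is not part of the original post or of any posted patch: an unprivileged process renames itself and the kernel keeps only 15 characters plus the terminating NUL, which is why an audit field sourced from it has to be treated as process-supplied data. The helper names and the sample strings are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Local constant mirroring the kernel's TASK_COMM_LEN (15 chars + NUL). */
#define COMM_LEN 16

/* Set the calling thread's name with PR_SET_NAME and read it back with
 * PR_GET_NAME. No capability is required for either call.
 * Returns the length the kernel actually stored, or -1 on error. */
static int rename_self(const char *wanted, char out[COMM_LEN])
{
    if (prctl(PR_SET_NAME, (unsigned long)wanted, 0, 0, 0) != 0)
        return -1;
    memset(out, 0, COMM_LEN);
    if (prctl(PR_GET_NAME, (unsigned long)out, 0, 0, 0) != 0)
        return -1;
    return (int)strlen(out);
}

/* Hypothetical wrapper: run rename_self() and then restore the original
 * name so the demonstration leaves the process as it found it. */
static int demo(const char *wanted, char out[COMM_LEN])
{
    char saved[COMM_LEN] = {0};
    int n;

    if (prctl(PR_GET_NAME, (unsigned long)saved, 0, 0, 0) != 0)
        return -1;
    n = rename_self(wanted, out);
    prctl(PR_SET_NAME, (unsigned long)saved, 0, 0, 0);
    return n;
}

int main(void)
{
    char got[COMM_LEN];
    /* Constructed sample names. */
    const char *samples[] = { "audit-demo", "a-name-longer-than-sixteen-bytes" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = demo(samples[i], got);
        printf("asked for \"%s\" -> kernel stored \"%s\" (%d chars)\n",
               samples[i], got, n);
    }
    return 0;
}
```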
