Audit records will now contain a new field, cmdline. This is the value that is stored in /proc/self/cmdline, and is useful for debugging when processes are being run via VMs. A primary example of this is Android, in which package names are set in this location, and thread names are set via PR_SET_NAME. The other benefit is that this is not limited to 16 bytes, as comm has historically been.
Change-Id: I9bf0928a8aa249d22ecd55fa9cd27325dd394eb1
Signed-off-by: William Roberts <[email protected]>
---
 fs/proc/base.c | 2 +-
 include/linux/proc_fs.h | 1 +
 kernel/auditsc.c | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2f198da..25b73d3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
 return mm_access(task, PTRACE_MODE_READ);
 }
-static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+int proc_pid_cmdline(struct task_struct *task, char *buffer)
 {
 int res = 0;
 unsigned int len;
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 85c5073..d85ac14 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -118,6 +118,7 @@ struct pid_namespace;
 extern int pid_ns_prepare_proc(struct pid_namespace *ns);
 extern void pid_ns_release_proc(struct pid_namespace *ns);
+extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
 /*
 * proc_tty.c
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 27ad9dd..45fd3d0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
 #include <linux/syscalls.h>
 #include <linux/capability.h>
 #include <linux/fs_struct.h>
+#include <linux/proc_fs.h>
 #include "audit.h"
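Review bot: Dropping `static` from proc_pid_cmdline in fs/proc/base.c turns a /proc internal into a kernel-wide helper, yet nothing documents its contract: from its /proc role it copies the target task's argv area into the caller's buffer, and any permission gating lives in the /proc read path rather than in this function, so a new caller must only pass tasks it is entitled to inspect (audit passes the task being logged). A kernel-doc block above the new definition would pin that down, e.g. `/* Copy @task's argv area into @buffer (at most PAGE_SIZE bytes); performs no ptrace access check itself — callers are responsible for that. Returns the number of bytes copied, or 0 if nothing could be read. */`, with the return contract confirmed against the body, which continues outside the hunk. The prototype added to include/linux/proc_fs.h should carry the same note, and since that header only shows `struct pid_namespace;` as a forward declaration, `struct task_struct;` needs to be visible there as well if it is not already.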
@@ -1153,6 +1154,37 @@ error_path:
 EXPORT_SYMBOL(audit_log_task_context);
+static void audit_log_add_cmdline(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{
+ int len;
+ unsigned long page;
+ char *msg = "(null)";
+
+ audit_log_format(ab, " cmdline=");
+
+ /* Get the process cmdline */
+ page = __get_free_page(GFP_TEMPORARY);
+ if (!page) {
+ audit_log_untrustedstring(ab, msg);
+ return;
+ }
+ len = proc_pid_cmdline(tsk, (char *)page);
+ if (len <= 0) {
+ free_page(page);
+ audit_log_untrustedstring(ab, msg);
+ return;
+ }
+ /*
+ * Ensure NULL terminated! Application could
+ * could be using setproctitle(3).
+ */
+ ((char *)page)[len-1] = '\0';
+ msg = (char *)page;
+ audit_log_untrustedstring(ab, msg);
+ free_page(page);
+}
+
 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 {
 char name[sizeof(tsk->comm)];
@@ -1179,6 +1211,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 }
 up_read(&mm->mmap_sem);
 }
+ audit_log_add_cmdline(ab, tsk);
 audit_log_task_context(ab);
 }
-- 1.7.9.5 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
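Review bot: `((char *)page)[len-1] = '\0';` in audit_log_add_cmdline overwrites the last byte proc_pid_cmdline returned instead of terminating after it, so whenever the buffer is not full — in particular the setproctitle(3) case the comment is worried about — the final character of the title is silently dropped from the record; if proc_pid_cmdline caps its copy at PAGE_SIZE, as its /proc use suggests (its body is outside these hunks), `if (len < PAGE_SIZE) ((char *)page)[len] = '\0'; else ((char *)page)[len - 1] = '\0';` keeps the data intact. Separately, a /proc-style cmdline is a run of NUL-separated arguments and audit_log_untrustedstring() takes a C string, so the field as written appears to carry only argv[0]; passing the length explicitly with `audit_log_n_untrustedstring(ab, msg, len)` would log the whole argv (hex-encoded, since the embedded NULs are control characters) and would make the terminator write unnecessary. The page contents are entirely under the audited task's control, so routing them through the untrusted-string encoder rather than audit_log_format() is the right call either way. The comment also reads `could could`; `Ensure NUL termination: the task may have rewritten its argv area via setproctitle(3).` is tighter.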
