On Mon, Nov 18, 2013 at 04:41:19PM -0800, William Roberts wrote: > Audit records will now contain a new field, cmdline. > This is the value that is stored in proc/self/cmdline, > and is useful for debugging when processes are being run > via VM's. A primary example of this is Android, in which > package names are set in this location, and thread names > are set via PR_SET_NAME. The other benefit is this > is not limited to 16 bytes as COMM historically has.
This patch looks good to me.
> Change-Id: I9bf0928a8aa249d22ecd55fa9cd27325dd394eb1
> Signed-off-by: William Roberts <[email protected]>
> ---
> fs/proc/base.c | 2 +-
> include/linux/proc_fs.h | 1 +
> kernel/auditsc.c | 33 +++++++++++++++++++++++++++++++++
> 3 files changed, 35 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 2f198da..25b73d3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
> return mm_access(task, PTRACE_MODE_READ);
> }
>
> -static int proc_pid_cmdline(struct task_struct *task, char * buffer)
> +int proc_pid_cmdline(struct task_struct *task, char *buffer)
> {
> int res = 0;
> unsigned int len;
> diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
> index 85c5073..d85ac14 100644
> --- a/include/linux/proc_fs.h
> +++ b/include/linux/proc_fs.h
> @@ -118,6 +118,7 @@ struct pid_namespace;
>
> extern int pid_ns_prepare_proc(struct pid_namespace *ns);
> extern void pid_ns_release_proc(struct pid_namespace *ns);
> +extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
>
> /*
> * proc_tty.c
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 27ad9dd..45fd3d0 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -67,6 +67,7 @@
> #include <linux/syscalls.h>
> #include <linux/capability.h>
> #include <linux/fs_struct.h>
> +#include <linux/proc_fs.h>
>
> #include "audit.h"
>
> @@ -1153,6 +1154,37 @@ error_path:
>
> EXPORT_SYMBOL(audit_log_task_context);
>
> +static void audit_log_add_cmdline(struct audit_buffer *ab,
> + struct task_struct *tsk)
> +{
> + int len;
> + unsigned long page;
> + char *msg = "(null)";
> +
> + audit_log_format(ab, " cmdline=");
> +
> + /* Get the process cmdline */
> + page = __get_free_page(GFP_TEMPORARY);
> + if (!page) {
> + audit_log_untrustedstring(ab, msg);
> + return;
> + }
> + len = proc_pid_cmdline(tsk, (char *)page);
> + if (len <= 0) {
> + free_page(page);
> + audit_log_untrustedstring(ab, msg);
> + return;
> + }
> + /*
> + * Ensure NULL terminated! Application could
> + * could be using setproctitle(3).
> + */
> + ((char *)page)[len-1] = '\0';
> + msg = (char *)page;
> + audit_log_untrustedstring(ab, msg);
> + free_page(page);
> +}
> +
> static void audit_log_task_info(struct audit_buffer *ab, struct task_struct
> *tsk)
> {
> char name[sizeof(tsk->comm)];
> @@ -1179,6 +1211,7 @@ static void audit_log_task_info(struct audit_buffer
> *ab, struct task_struct *tsk
> }
> up_read(&mm->mmap_sem);
> }
> + audit_log_add_cmdline(ab, tsk);
> audit_log_task_context(ab);
> }
>
> --
> 1.7.9.5
>
- RGB -- Richard Guy Briggs <[email protected]> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
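Review bot: The final `audit_log_untrustedstring(ab, msg)` call in audit_log_add_cmdline will most likely record only argv[0], because it measures its argument up to the first NUL while /proc/<pid>/cmdline separates arguments with NUL bytes. proc_pid_cmdline's body is outside this hunk, so that buffer layout is inferred from the procfs file it backs. Passing the length explicitly, `audit_log_n_untrustedstring(ab, (char *)page, len - 1);`, would keep the whole value and let the embedded separators push it into the hex-encoded form. The value is also writable by the process itself, as the setproctitle(3) comment acknowledges, so a comment should say the field is informational and not an identity. The `"(null)"` fallback is also indistinguishable from a process whose cmdline is literally that text.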
