On Oct 22, 2013 2:30 PM, "William Roberts" <bill.c.robe...@gmail.com> wrote:
>
>
> Sorry for attaching the patch, I need to get my git mail set up.... gmail
might have mangled
> it but I included it below inline for simple commenting.
>
> Anyway, the attached rough patch captures the cmdline data and adds it
> to the audit logs. It has some XXXs in it, and I would really appreciate
> comments and concerns, and pointers to things I could improve.
>
> Tested on jfltexx on cm 10.1
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 27ad9dd..9e3e59d 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1151,6 +1151,57 @@ error_path:
> return;
> }
>
> +/*
> + * XXX Is their a helper for this, should I move this??
> + * Alot of this is ripped off of proc_pid_cmdline(), possible
> + * refactor here.
> +*/
> +static char *get_proc_cmdline(struct task_struct *task)
> +{
> + int res = 0;
> + unsigned int len;
> + char *buffer = NULL;
> +
> + struct mm_struct *mm = get_task_mm(task);
> + if (!mm)
> + goto out;
> + if (!mm->arg_end)
> + goto out_mm; /* Shh! No looking before we're done */
> +
> + /* Get the length */
> + /* XXX Can this go negative making len, reallly big? */
> + len = mm->arg_end - mm->arg_start;
> +
> + /* Attempt to alloc a buffer */
> + /* XXX can a process make this really big to cause a failure?,
> + should I bound this? */
> + buffer = kmalloc(len, GFP_KERNEL);
> + if (!buffer)
> + goto out;
> +
> + res = access_process_vm(task, mm->arg_start, buffer, len, 0);
> +
> + // If the nul at the end of args has been overwritten, then
> + // assume application is using setproctitle(3).
> + if (res > 0 && buffer[res-1] != '\0' && len < PAGE_SIZE) {
> + len = strnlen(buffer, res);
> + if (len < res) {
> + res = len;
> + } else {
> + len = mm->env_end - mm->env_start;
> + if (len > PAGE_SIZE - res)
> + len = PAGE_SIZE - res;
> + res += access_process_vm(task, mm->env_start,
buffer+res, len, 0);
> + res = strnlen(buffer, res);
> + }
> + }
> +out_mm:
> + mmput(mm);
> +out:
> + return buffer;
> +
> +}
> +
> EXPORT_SYMBOL(audit_log_task_context);
>
> static void audit_log_task_info(struct audit_buffer *ab, struct
task_struct *tsk)
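Review bot: The setproctitle branch in get_proc_cmdline() can write past the end of `buffer`: the allocation is exactly `arg_end - arg_start` bytes, yet when the first read fills it the second `access_process_vm()` copies up to `PAGE_SIZE - res` further bytes to `buffer + res`. proc_pid_cmdline() gets away with this only because its buffer is a full page, so the allocation here should be a fixed page with `len` clamped to `PAGE_SIZE`, which also settles both XXX questions about a wrapped or process-inflated length. The `if (!buffer) goto out;` path skips `mmput(mm)` and should jump to `out_mm`. The returned buffer also has no guaranteed terminating NUL and is uninitialised if the read returns 0, although the caller in the last hunk passes it to a string-based logging call; zeroing the allocation and terminating at `res` closes that.

```c
	/* ... unchanged: get_task_mm() and arg_end checks ... */
	len = mm->arg_end - mm->arg_start;
	if (len > PAGE_SIZE)
		len = PAGE_SIZE;

	/* One zeroed page plus a terminator, so both copies fit. */
	buffer = kzalloc(PAGE_SIZE + 1, GFP_KERNEL);
	if (!buffer)
		goto out_mm;

	res = access_process_vm(task, mm->arg_start, buffer, len, 0);
	/* ... unchanged: setproctitle handling ... */
	buffer[res] = '\0';
out_mm:
```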
> @@ -1158,6 +1209,7 @@ static void audit_log_task_info(struct audit_buffer
*ab, struct task_struct *tsk
> char name[sizeof(tsk->comm)];
> struct mm_struct *mm = tsk->mm;
> struct vm_area_struct *vma;
> + char *cmdline;
>
> /* tsk == current */
>
> @@ -1179,6 +1231,14 @@ static void audit_log_task_info(struct
audit_buffer *ab, struct task_struct *tsk
> }
> up_read(&mm->mmap_sem);
> }
> +
> + /* Get the process cmdline */
> + cmdline = get_proc_cmdline(tsk);
> + if (cmdline) {
> + audit_log_format(ab, " cmdline=");
> + audit_log_untrustedstring(ab, cmdline);
And memory leak
> + }
> +
> audit_log_task_context(ab);
> }
>
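Review bot: `audit_log_untrustedstring(ab, cmdline)` takes a NUL-terminated string, while the region copied from `arg_start` holds NUL-separated arguments, so as written the record would presumably stop after argv[0] and the length worked out in get_proc_cmdline() is thrown away. Returning that length and logging with `audit_log_n_untrustedstring(ab, cmdline, len)` would record the whole argument area. A comment such as `/* cmdline is process-controlled and may hold secrets passed as arguments */` above the call would tell log consumers not to treat the field as trustworthy. audit_log_task_info() starts outside this hunk.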
>
> --
> Respectfully,
>
> William C Roberts
>