On some devices, the cmdline and task info vary. For instance, on Android, the cmdline is set to the package name, and the task info is the name of the VM, which is not very helpful.
The additional cmdline output only runs if the audit feature is set dynamically at run time. Change-Id: I98a417c9ab3b95664c49aa1c7513cfd8296b6a2a Signed-off-by: William Roberts <[email protected]> --- fs/proc/base.c | 2 +- include/linux/audit.h | 5 ++++- include/linux/proc_fs.h | 1 + kernel/audit.c | 7 +++++-- kernel/auditsc.c | 37 +++++++++++++++++++++++++++++++++++++ 5 files changed, 48 insertions(+), 4 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 2f198da..25b73d3 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task) return mm_access(task, PTRACE_MODE_READ); } -static int proc_pid_cmdline(struct task_struct *task, char * buffer) +int proc_pid_cmdline(struct task_struct *task, char *buffer) { int res = 0; unsigned int len; diff --git a/include/linux/audit.h b/include/linux/audit.h index abdb816..92b2f40 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -377,7 +377,10 @@ struct audit_features { __u32 lock; /* which features to lock */ }; -#define AUDIT_LAST_FEATURE -1 +#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0 +#define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1 +#define AUDIT_FEATURE_CMDLINE_OUTPUT 2 +#define AUDIT_LAST_FEATURE AUDIT_FEATURE_CMDLINE_OUTPUT #define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE) #define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */ diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 85c5073..d85ac14 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -118,6 +118,7 @@ struct pid_namespace; extern int pid_ns_prepare_proc(struct pid_namespace *ns); extern void pid_ns_release_proc(struct pid_namespace *ns); +extern int proc_pid_cmdline(struct task_struct *task, char *buffer); /* * proc_tty.c diff --git a/kernel/audit.c b/kernel/audit.c index b90c5a3..d40ad22 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -146,7 +146,10 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION, .features = 0, .lock = 0,}; -static char *audit_feature_names[0] = { +static char *audit_feature_names[3] = { + "not_implmented_place_holder", + "not_implmented_place_holder", + "audit_output_cmdline", }; @@ -680,7 +683,7 @@ static int audit_get_feature(struct sk_buff *skb) seq = nlmsg_hdr(skb)->nlmsg_seq; - audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0, + audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0, &af, sizeof(af)); return 0; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 27ad9dd..f4d5dc9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7 @@ #include <linux/syscalls.h> #include <linux/capability.h> #include <linux/fs_struct.h> +#include <linux/proc_fs.h> #include "audit.h" @@ -1151,6 +1152,40 @@ error_path: return; } + +static void audit_log_add_cmdline(struct audit_buffer *ab, + struct task_struct *tsk) +{ + int len; + unsigned long page; + + /* Ensure that the feature is set */ + if (!is_audit_feature_set(AUDIT_FEATURE_CMDLINE_OUTPUT)) + return; + + /* Get the process cmdline */ + page = __get_free_page(GFP_TEMPORARY); + if (!page) + return; + + len = proc_pid_cmdline(tsk, (char *)page); + if (len <= 0) { + free_page(page); + return; + } + + /* + * Ensure NULL terminated! Application could + * could be using setproctitle(3). + */ + ((char *)page)[len-1] = '\0'; + + audit_log_format(ab, " cmdline="); + audit_log_untrustedstring(ab, (char *)page); + + free_page(page); +} + EXPORT_SYMBOL(audit_log_task_context); static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) @@ -1179,6 +1214,8 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk } up_read(&mm->mmap_sem); } + + audit_log_add_cmdline(ab, tsk); audit_log_task_context(ab); } -- 1.7.9.5 -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
