possible "comm"

[Steve Grubb]

On Monday 04 August 2008 18:18:17 LC Bruzenak wrote:
> Since the audit-viewer script has:
> exec /usr/bin/python -O /usr/share/audit-viewer/main.py "$@"
>
> I'd guess that you were pointing in the right direction.
> But I would prefer that the comm field be more trustworthy.

I don't know how to make it more trustworthy without making it bigger. That 
item lives in the task struct and is copied at every fork and rewritten on 
exec. using kmalloc would add some overhead and picking anything bigger might 
not be acceptable upstream.

Al, do you have any suggestions here?


> In reality, the /usr/bin/audit-viewer executable script really called
> the python exec which then interpreted the main.py script...I think. I'm
> not getting that from this event, however.

Its almost there.  :)   You have to make some assumptions which may or may not 
be palatable. For one, you have to assume that no one has written anything 
you don't know about. And you have to asume that they have not added 
directories that you don't know about. Given those boundaries, you can 
sometimes guess what it is when full paths are used.


> I guess the real issue here (as you pointed out) is that we have
> different entities - interpreted script/interpreter executable as
> opposed to command/resulting executable, but the same structure is used
> for each.

Well, we have 2 models...interpreter + script and just executable. We fit both 
into the same structuire as the interpreter is the executable while the 
script is the command. When you have an elf binary, the command and the 
executable are the same thing.

-Steve