[PATCH] audit: Add cmdline to taskinfo output

William Roberts bill.c.roberts at gmail.com
Mon Oct 28 13:48:48 UTC 2013


On Wed, Oct 23, 2013 at 1:40 PM, William Roberts <bill.c.roberts at gmail.com> wrote:

> From 0a8623b8f9fa625da81364cf3b87d2799171f83e Mon Sep 17 00:00:00 2001
> From: William Roberts <wroberts at tresys.com>
> Date: Tue, 22 Oct 2013 14:23:27 -0700
> Subject: [PATCH] audit: Add cmdline to taskinfo output
>
> On some devices, the cmdline and task info vary. For instance, on
> Android, the cmdline is set to the package name, and the task info
> is the name of the VM, which is not very helpful.
>
> Change-Id: I98a417c9ab3b95664c49aa1c7513cfd8296b6a2a
> Signed-off-by: William Roberts <wroberts at tresys.com>
> ---
>  fs/proc/base.c          |    2 +-
>  include/linux/proc_fs.h |    1 +
>  kernel/auditsc.c        |   24 ++++++++++++++++++++++++
>  3 files changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 2f198da..25b73d3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
>   return mm_access(task, PTRACE_MODE_READ);
>  }
>
> -static int proc_pid_cmdline(struct task_struct *task, char * buffer)
> +int proc_pid_cmdline(struct task_struct *task, char *buffer)
>  {
>   int res = 0;
>   unsigned int len;
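
Review bot: dropping `static` from `proc_pid_cmdline()` turns a procfs-internal helper into a kernel-wide interface, yet the signature `(struct task_struct *task, char *buffer)` carries no buffer length, so every caller has to know how large `buffer` must be. Add a comment above the definition stating the required buffer size and what the return value means, or give the function an explicit length parameter before exposing it.
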
> diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
> index 85c5073..d85ac14 100644
> --- a/include/linux/proc_fs.h
> +++ b/include/linux/proc_fs.h
> @@ -118,6 +118,7 @@ struct pid_namespace;
>
>  extern int pid_ns_prepare_proc(struct pid_namespace *ns);
>  extern void pid_ns_release_proc(struct pid_namespace *ns);
> +extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
>
>  /*
>   * proc_tty.c
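
Review bot: the new `extern int proc_pid_cmdline(...)` has no counterpart for kernels built without procfs, where fs/proc/base.c is not compiled; kernel/auditsc.c calls the function unconditionally later in this patch, so such a configuration would fail to link. Provide a static inline stub that returns 0 for the !CONFIG_PROC_FS case, or guard the audit call site with the same option.
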
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 27ad9dd..7f2bf41 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -67,6 +67,7 @@
>  #include <linux/syscalls.h>
>  #include <linux/capability.h>
>  #include <linux/fs_struct.h>
> +#include <linux/proc_fs.h>
>
>  #include "audit.h"
>
> @@ -1158,6 +1159,8 @@ static void audit_log_task_info(struct audit_buffer
> *ab, struct task_struct *tsk
>   char name[sizeof(tsk->comm)];
>   struct mm_struct *mm = tsk->mm;
>   struct vm_area_struct *vma;
> + unsigned long page;
> + int len;
>
>   /* tsk == current */
>
> @@ -1179,6 +1182,27 @@ static void audit_log_task_info(struct audit_buffer
> *ab, struct task_struct *tsk
>   }
>   up_read(&mm->mmap_sem);
>   }
> +
> + /* Get the process cmdline */
> + page = __get_free_page(GFP_TEMPORARY);
> + if (!page)
> + goto out;
> +
> + len = proc_pid_cmdline(tsk, (char *)page);
> + if (len <= 0)
> + goto free;
> +
> + /*
> + * Ensure NULL terminated! Application could
> + * could be using setproctitle(3).
> + */
> + ((char *)page)[len-1] = '\0';
> +
> + audit_log_format(ab, " cmdline=");
> + audit_log_untrustedstring(ab, (char *)page);
> +free:
> + free_page(page);
> +out:
>   audit_log_task_context(ab);
>  }
>
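
Review bot: `audit_log_untrustedstring(ab, (char *)page)` treats the buffer as a single C string, but a process command line is normally stored as NUL-separated arguments, so the record will contain only the first argument and drop the rest. The terminator line `((char *)page)[len-1] = '\0';` also overwrites the last returned byte, which costs a character whenever the data is not already NUL-terminated (the setproctitle(3) case the comment mentions). Consider replacing interior NUL bytes with spaces before logging, or passing the length explicitly with `audit_log_n_untrustedstring(ab, (char *)page, len)`, and decide which form log consumers should expect. Minor: the comment has a doubled "could", and "NULL terminated" should read "NUL terminated".
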
> --
> 1.7.9.5
>
>

A few notes on this moving forward:
1. I forgot to put kernel v3.4.0 in the subject; this only applies to that.
2. Yes, I know Gmail mangled the patch (I'm working on some SMTP issues right
now).
3. The main purpose of this is to figure out upstream acceptance; Richard
Briggs has chimed in and has no major objections.
4. This could be a dynamic on/off setting, which brings me to my question:
what is the status of E. Paris's "generic feature set/get" patches?
This is a great use case for those.