public inbox for linux-audit@redhat.com
From: Eric Paris <eparis@redhat.com>
To: Wahaj Ali <wahajali@gmail.com>
Cc: Linux-audit@redhat.com
Subject: Re: Exec call auditing
Date: Mon, 10 May 2010 11:28:42 -0400	[thread overview]
Message-ID: <1273505322.2785.16.camel@localhost> (raw)
In-Reply-To: <n2q8f0355e81005061104h13018e00g9a4fe7e3b2299aa1@mail.gmail.com>

On Thu, 2010-05-06 at 23:04 +0500, Wahaj Ali wrote:
> Hello,
> 
> As part of my course I am required to look at the auditing code in the
> linux kernel, more specifically the part where the exec() calls are
> being logged. I would really appreciate any help, especially regarding
> where exactly that code in the whole database can be found, i.e. the
> part of the code that is logging the environment variables. My guess
> so far is that audit_log_single_execve_arg in auditsc.c is doing most
> part of the work.

a) I didn't think we logged the environment; I thought we only logged the
execve arguments.  Maybe I'm wrong, it's been quite a while since I
rewrote a bunch of that stuff.

b) I feel like I'm doing your homework for you, but...

Actual logging is done in audit_log_exit().  This is run near syscall
exit and we print information that was collected during the syscall.  In
this case audit_log_exit() is going to call audit_execve_info() which
will call audit_log_single_execve_arg() for each argument in the list.
audit_log_single_execve_arg() takes care of making sure there is space
in the ab, creating new audit buffers if not and stuff like that.

The collection of that information is done back at the beginning of the
execve syscall entry in audit_bprm() [it is actually called from
fs/exec.c::search_binary_handler().  I'll let you use grep to go farther
up in the tree to see how to get back to sys_execve()].  In audit_bprm()
you will see that we create an auxiliary audit data struct to hold the
execve argument information pointer and attach it to the audit_context
so that we can find that information in audit_log_exit() later.

-Eric

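The EXECVE record that audit_log_single_execve_arg() emits is what a log consumer actually has to deal with, so here is an added example (not code from this thread or from the kernel) of a small Python parser that reassembles argv from those records, covering the cases the buffer handling produces: an argument split into aN[i]= chunks (announced by aN_len=), a continuation record opened when the audit buffer fills, and arguments hex-encoded because they contained a space, a quote or a non-printable byte. The sample records and the serial numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data).  Both records for serial 42
# belong to one execve: the kernel opened a fresh audit buffer part-way
# through, and a2 was logged in chunks (a2_len= then a2[0]=, a2[1]=).
# "echo " is hex-encoded (6563686f20) because it contains a space.
# Serial 43 is missing its second argument, as if a record had been dropped.
SAMPLE = """\
type=EXECVE msg=audit(1273505322.123:42): argc=3 a0="sh" a1="-c" a2_len=10 a2[0]=6563686f20
type=EXECVE msg=audit(1273505322.123:42): a2[1]="hello"
type=EXECVE msg=audit(1273505322.999:43): argc=2 a0="ls"
"""

RECORD = re.compile(r'^type=EXECVE msg=audit\((\d+\.\d+):(\d+)\):(.*)$')
ARG_KEY = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')


def decode_arg(raw):
    """Quoted values are printable ASCII; unquoted values are hex-encoded bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', errors='replace')


def parse_execve(text):
    """Return {serial: (argv, complete)} reassembled from EXECVE records."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {'argc': None, 'args': defaultdict(dict)})
        for token in m.group(3).split():
            key, _, raw = token.partition('=')
            if key == 'argc':
                ev['argc'] = int(raw)
            elif key.endswith('_len'):
                continue  # total length of a chunked argument; the chunks carry the bytes
            else:
                km = ARG_KEY.match(key)
                if km:
                    ev['args'][int(km.group(1))][int(km.group(2) or 0)] = decode_arg(raw)
    out = {}
    for serial, ev in events.items():
        argv = [''.join(v for _, v in sorted(chunks.items()))
                for _, chunks in sorted(ev['args'].items())]
        # argc not matching the reassembled argv means a record never arrived
        out[serial] = (argv, ev['argc'] == len(argv))
    return out
```

The completeness flag is worth surfacing in a detection pipeline: an EXECVE whose argc disagrees with the arguments actually received is a sign of lost records, not of a short command line.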