From: Richard Guy Briggs <rgb@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: William Roberts <wroberts@tresys.com>, linux-audit@redhat.com
Subject: Re: [PATCH 1/2] audit: Allow auditing of proc/self/cmdline value
Date: Tue, 19 Nov 2013 09:11:02 -0500 [thread overview]
Message-ID: <20131119141102.GA15481@madcap2.tricolour.ca> (raw)
In-Reply-To: <1384821680-28829-2-git-send-email-wroberts@tresys.com>
On Mon, Nov 18, 2013 at 04:41:19PM -0800, William Roberts wrote:
> Audit records will now contain a new field, cmdline.
> This is the value that is stored in proc/self/cmdline,
> and is useful for debugging when processes are being run
> via VM's. A primary example of this is Android, in which
> package names are set in this location, and thread names
> are set via PR_SET_NAME. The other benefit is this
> is not limited to 16 bytes as COMM historically has.
This patch looks good to me.
> Change-Id: I9bf0928a8aa249d22ecd55fa9cd27325dd394eb1
> Signed-off-by: William Roberts <wroberts@tresys.com>
> ---
> fs/proc/base.c | 2 +-
> include/linux/proc_fs.h | 1 +
> kernel/auditsc.c | 33 +++++++++++++++++++++++++++++++++
> 3 files changed, 35 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 2f198da..25b73d3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
> return mm_access(task, PTRACE_MODE_READ);
> }
>
> -static int proc_pid_cmdline(struct task_struct *task, char * buffer)
> +int proc_pid_cmdline(struct task_struct *task, char *buffer)
> {
> int res = 0;
> unsigned int len;
> diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
> index 85c5073..d85ac14 100644
> --- a/include/linux/proc_fs.h
> +++ b/include/linux/proc_fs.h
> @@ -118,6 +118,7 @@ struct pid_namespace;
>
> extern int pid_ns_prepare_proc(struct pid_namespace *ns);
> extern void pid_ns_release_proc(struct pid_namespace *ns);
> +extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
>
> /*
> * proc_tty.c
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 27ad9dd..45fd3d0 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -67,6 +67,7 @@
> #include <linux/syscalls.h>
> #include <linux/capability.h>
> #include <linux/fs_struct.h>
> +#include <linux/proc_fs.h>
>
> #include "audit.h"
>
> @@ -1153,6 +1154,37 @@ error_path:
>
> EXPORT_SYMBOL(audit_log_task_context);
>
> +static void audit_log_add_cmdline(struct audit_buffer *ab,
> + struct task_struct *tsk)
> +{
> + int len;
> + unsigned long page;
> + char *msg = "(null)";
> +
> + audit_log_format(ab, " cmdline=");
> +
> + /* Get the process cmdline */
> + page = __get_free_page(GFP_TEMPORARY);
> + if (!page) {
> + audit_log_untrustedstring(ab, msg);
> + return;
> + }
> + len = proc_pid_cmdline(tsk, (char *)page);
> + if (len <= 0) {
> + free_page(page);
> + audit_log_untrustedstring(ab, msg);
> + return;
> + }
> + /*
> + * Ensure NULL terminated! Application could
> + * could be using setproctitle(3).
> + */
> + ((char *)page)[len-1] = '\0';
> + msg = (char *)page;
> + audit_log_untrustedstring(ab, msg);
> + free_page(page);
> +}
> +
> static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
> char name[sizeof(tsk->comm)];
> @@ -1179,6 +1211,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
> }
> up_read(&mm->mmap_sem);
> }
> + audit_log_add_cmdline(ab, tsk);
> audit_log_task_context(ab);
> }
>
> --
> 1.7.9.5
>
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2013-11-19 14:11 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-19 0:41 [PATCH v3.4] - audit cmdline on events William Roberts
2013-11-19 0:41 ` [PATCH 1/2] audit: Allow auditing of proc/self/cmdline value William Roberts
2013-11-19 14:11 ` Richard Guy Briggs [this message]
2013-11-19 0:41 ` [PATCH 2/2] audit: Enable cacheing of cmdline in audit_context William Roberts
2013-11-19 15:40 ` Richard Guy Briggs
2013-11-19 15:44 ` William Roberts
2013-11-19 16:00 ` Richard Guy Briggs
2013-11-19 16:25 ` William Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131119141102.GA15481@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=bill.c.roberts@gmail.com \
--cc=linux-audit@redhat.com \
--cc=wroberts@tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox