From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] audit: Add cmdline to taskinfo output
Date: Tue, 29 Oct 2013 15:01:01 -0400
Message-ID: <2472056.zCCx4kfXXD@x2>
References: <1383004238-10998-1-git-send-email-wroberts@tresys.com> <41913182.01FMG6Aupv@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: William Roberts
Cc: Richard Guy Briggs , William Roberts , linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote:
> On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb wrote:
> > On Monday, October 28, 2013 04:50:38 PM William Roberts wrote:
> I'm 100% ok with the dynamic option changing it from NULL to a real value.
> IMO I like that better than what I currently have.
>
> Old:
> type=1300 msg=audit(1383022671.232:230): arch=40000028

This arch is not defined:

arch=unknown elf type(40000028)

Which one is it?

> syscall=54
> per=840000 success=yes exit=0 a0=23 a1=fa05 a2=0 a3=74e1ee34 items=0
> ppid=298 pid=1431 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> comm=4173796E635461736B202331 comm=AsyncTask #1
> exe="/system/bin/app_process" subj=u:r:nfc:s0
> key=(null)
>
> Issue:
> comm field in task is only 16 chars,

Yes, it's a limitation on ALL arches.

> too small for most package names, and
> already contains the VM command. I really have no information of what
> Android App has created the issue.

This is true for all arches. Usually you can have it pretty narrowly defined to
where you have a pretty good guess between 2 or 3 apps with the same root name.
But in your case it's totally named wrong.

> Solution:
> Get the proc cmdline info (not trustworthy, but can help debugging Android)
>
> type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000
> success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1
> ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027
> fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295
> comm=4173796E635461736B202331 exe="/system/bin/app_process"
> cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)
>
> Now I know it was the NFC app

What do you get on x86_64 auditing a shell or python script with your same
patch? Also, does cmdline potentially include arguments?

-Steve
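The thread turns on three details of the SYSCALL record: the kernel hex-encodes "untrusted" string fields such as comm when they contain a space, a double quote or a non-printable byte (which is why comm=4173796E635461736B202331 is "AsyncTask #1" in the quoted record), comm holds at most TASK_COMM_LEN - 1 = 15 bytes, and /proc/<pid>/cmdline is the process's whole argv, NUL-separated and writable by the process itself. The following parser is an added example, not code from the thread or from the audit project: it decodes a record of the shape quoted above, checks whether a package name would survive in comm, and splits a cmdline buffer into argv. The sample record is constructed after the quoted one, the set of hex-encoded field names is an assumption, and the /proc cmdline bytes are constructed.

```python
import binascii
import re

# Constructed sample record, modelled on the one quoted in the thread (same shape,
# same field order); the hex comm value decodes to "AsyncTask #1".
SAMPLE_RECORD = (
    'type=1300 msg=audit(1383068585.326:205): arch=40000028 syscall=5 per=840000 '
    'success=yes exit=38 a0=74d86d34 a1=20241 a2=180 a3=74d86d0c items=1 '
    'ppid=296 pid=1378 auid=4294967295 uid=1027 gid=1027 euid=1027 suid=1027 '
    'fsuid=1027 egid=1027 sgid=1027 fsgid=1027 tty=(none) ses=4294967295 '
    'comm=4173796E635461736B202331 exe="/system/bin/app_process" '
    'cmdline="com.android.nfc" subj=u:r:nfc:s0 key=(null)'
)

# Kernel limit on task->comm: TASK_COMM_LEN bytes including the trailing NUL.
TASK_COMM_LEN = 16

# Fields the kernel logs as "untrusted" strings: quoted when clean, hex-encoded
# when they contain a space, '"' or a non-printable byte. (Assumed set.)
UNTRUSTED_FIELDS = {"comm", "exe", "cmdline", "proctitle"}

_MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\):")


def decode_untrusted(raw):
    """Undo the kernel's untrusted-string encoding for one field value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw == "(null)":
        return None
    # No quotes: the value is the hex encoding of the raw bytes.
    return binascii.unhexlify(raw).decode("utf-8", errors="replace")


def parse_record(line):
    """Parse one kernel audit record into a dict of decoded fields.

    Splitting on whitespace is safe for kernel-generated records because any
    untrusted value containing whitespace is hex-encoded, never quoted.
    """
    fields = {}
    for token in line.split():
        if "=" not in token:
            continue
        name, value = token.split("=", 1)
        if name == "msg":
            m = _MSG_RE.fullmatch(value)
            if m:
                fields["_time"], fields["_serial"] = m.group(1), int(m.group(2))
            continue
        if name in UNTRUSTED_FIELDS:
            value = decode_untrusted(value)
        fields[name] = value
    return fields


def comm_fits(name):
    """True if NAME survives intact in comm (TASK_COMM_LEN - 1 usable bytes)."""
    return len(name.encode("utf-8")) <= TASK_COMM_LEN - 1


def split_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into argv.

    The file holds the whole argv, so script paths and flags are included, and
    so is anything the process later wrote over its own argv area.
    """
    return [a.decode("utf-8", errors="replace") for a in raw.split(b"\x00") if a]


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print("comm   :", rec["comm"], "(fits comm:", comm_fits(rec["comm"]), ")")
    print("cmdline:", rec["cmdline"], "(fits comm:", comm_fits(rec["cmdline"]), ")")
    # Constructed /proc/<pid>/cmdline contents for an interpreted script.
    print(split_cmdline(b"/usr/bin/python\x00/tmp/collect.py\x00--verbose\x00"))
```

When using cmdline from a record like this for triage, treat exe and subj as the kernel-attested part and cmdline as a hint: a process can rewrite its own argv, so a cmdline that disagrees with exe or with the SELinux domain in subj is itself worth flagging rather than something to resolve in cmdline's favour.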