From: Steve Grubb <sgrubb@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
William Roberts <wroberts@tresys.com>,
linux-audit@redhat.com
Subject: Re: [PATCH] audit: Add cmdline to taskinfo output
Date: Thu, 31 Oct 2013 10:36:27 -0400
Message-ID: <3495583.L92f3yxRXA@x2>
In-Reply-To: <CAFftDdoAoj3ySyHzZkS9nk43FK84YsHOZ0diuiz1ceAVsGO0cA@mail.gmail.com>
On Wednesday, October 30, 2013 01:18:13 PM William Roberts wrote:
> On Wed, Oct 30, 2013 at 12:42 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > Again... the comm field got cut off and now I have no idea again.
> >
> > Which is the same as all arches. What I'm trying to say is that all arches
> > would benefit from fixing this problem. I don't like the idea of it
> > getting fixed for one platform and leaving it for all others to figure
> > out another day.
>
> By arches you don't mean arm right?
Any piece of hardware support the audit code. For example, x86_64/S390/PPC,
etc.
> This code runs the same on other architectures. If you mean platforms, like
> Android, vs some other Linux distro, then yes I want a generic approach,
> which I think cmdline gets us... no matter how many layers of VM exec/forking
> indirection hell you may find yourself in, you at least get a chance at
> what started the chain. On Android, that happens to be the packagename.
What I'm suggesting is to fix "comm" to have more characters than 16. Which may
mean getting it from somewhere else, or allowing a slightly bigger storage, or
allowing an alternate storage in the audit context.
> > Is there some reason that the length of that field must be set to 16? I've
> > seen user id numbers increased by a config option. It might be that the
> > naming convention of android apps is enough to get a change.
> >
> > > I think exe= in the audit logs is essentially arg[0]... so that's not going
> > > to work here,
>
> We can't change the naming convention of Android apps, too large of an
> ecosystem to change and no real easy way to be backwards compatible. That
> one is off the table.
That wasn't my suggestion. I was meaning that because of the Android naming
convention the current program name storage is useless and might need fixing.
> I have compiled kernels in the past with custom COMM widths, but the memory
> footprint goes up, at least here we're not keeping a bunch of possibly unused
> data around in the kernel plus we're not allocating anything on the common
> case of it being turned off.
I don't like the idea of fields appearing and disappearing. The complaint is
"comm" is meaningless. Let's fix that.
-Steve
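
The 16-byte limit on "comm" discussed in this message, shown as an added example that is not part of the original message or of the patch under discussion: it asks a Linux kernel to store long names with prctl(PR_SET_NAME) and reads back what was kept. The reverse-DNS-style names are constructed, and the helper names comm_roundtrip and comm_collides are hypothetical.

```c
/* Added example, Linux-only. All names used as input are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#define COMM_LEN 16   /* kernel TASK_COMM_LEN: 15 bytes of name plus NUL */

/* Ask the kernel to store `name` as this thread's comm, then read back
 * what it actually kept. Returns 0 on success, -1 if prctl fails. */
static int comm_roundtrip(const char *name, char out[COMM_LEN])
{
    char saved[COMM_LEN] = {0};
    int rc = -1;

    if (prctl(PR_GET_NAME, saved, 0UL, 0UL, 0UL) != 0)
        return -1;
    if (prctl(PR_SET_NAME, name, 0UL, 0UL, 0UL) == 0 &&
        prctl(PR_GET_NAME, out, 0UL, 0UL, 0UL) == 0)
        rc = 0;
    prctl(PR_SET_NAME, saved, 0UL, 0UL, 0UL);  /* restore original name */
    return rc;
}

/* Returns 1 if two distinct names become indistinguishable in comm,
 * 0 if they stay distinct (or are equal to begin with), -1 on error. */
static int comm_collides(const char *a, const char *b)
{
    char ca[COMM_LEN], cb[COMM_LEN];

    if (strcmp(a, b) == 0)
        return 0;
    if (comm_roundtrip(a, ca) != 0 || comm_roundtrip(b, cb) != 0)
        return -1;
    return strcmp(ca, cb) == 0;
}

int main(void)
{
    const char *a = "com.example.vendor.mail";     /* constructed */
    const char *b = "com.example.vendor.browser";  /* constructed */
    char comm[COMM_LEN];

    if (comm_roundtrip(a, comm) != 0) { perror("prctl"); return 1; }
    printf("requested=%s comm=%s\n", a, comm);
    printf("collision(%s, %s) = %d\n", a, b, comm_collides(a, b));
    return 0;
}
```

Two names that share their first 15 bytes produce the same comm= value, so an audit record carrying only that field cannot tell them apart.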