Re: Process arguments



Dave Clausen wrote:
Hello list,

I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run on the command line from within the kernel for security purposes by loading a kernel module which redefines execve(). I've successfully created the KLD and have it working, but am having problems saving the command's arguments.
Could anyone point me to where in the kernel I should be looking for the arguments sent to the process? p->p_args gives me the parent process's cmdname only (sh, in this case), and uap->argv is just the relative pathname of uap->fname. Ideally, I'd like the user, full command line, and cwd logged for each command entered.

Here's an example of what I've been working away on:

#include <sys/param.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/ucred.h>

int
new_execve(struct thread *td, struct execve_args *uap)
{
	char fname[MAXPATHLEN];	/* kernel-side copy of the user string uap->fname */
	char *user;
	struct proc *p = td->td_proc;

	user = p->p_pgrp->pg_session->s_login;	/* login name of the session */
	if (p->p_ucred->cr_ruid == 1001) {	/* only log for one test uid */
		/* uap->fname points into user memory: copy it in before using it */
		if (copyinstr(uap->fname, fname, sizeof(fname), NULL) == 0)
			printf("%s %d %s\n", user, p->p_pid, fname);
	}
	return (execve(td, uap));	/* hand off to the real syscall */
}

Running 'ls -al' with the above, I get the username, pid, and absolute filename printed, such as the following, but can't find the actual arguments:
dave 6689 /bin/ls

If I'm not mistaken, pjd@ has written a similar module called lrexec for RELENG_4 and RELENG_5. See his web site.
Also recently rwatson@ enabled audit support in RELENG_6 and CURRENT, though I don't know yet whether it can log arguments.

hth,

Ganbold



Any help would be appreciated.
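The joining step the question is after, as an added example that is not code from this thread: a user-space model of formatting argv[] into one bounded log record, written so that an argument carrying a newline cannot forge a second log entry. It assumes the argument strings are already in kernel memory; in the real module each argv[i] pointer would be read with copyin() and each string with copyinstr() before being passed to build_cmdline() (a hypothetical name).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append c if room is left (one byte is reserved for the NUL); len counts past the end to flag truncation. */
static void put(char *buf, size_t buflen, size_t *len, char c)
{
	if (*len + 1 < buflen)
		buf[*len] = c;
	(*len)++;
}

/* Escape one byte so an argument cannot forge a second log line or close the
 * quotes early: \n, \" and \\ as in C, any other control byte as \xNN. */
static void put_escaped(char *buf, size_t buflen, size_t *len, unsigned char c)
{
	char esc[5] = { (char)c, 0, 0, 0, 0 };
	if (c == '\n' || c == '"' || c == '\\')
		snprintf(esc, sizeof(esc), "\\%c", c == '\n' ? 'n' : c);
	else if (iscntrl(c))
		snprintf(esc, sizeof(esc), "\\x%02x", c);
	for (const char *e = esc; *e != '\0'; e++)
		put(buf, buflen, len, *e);
}

/* Join argv[] into buf[] (buflen > 0; always NUL-terminated), double-quoting
 * arguments that are empty or contain whitespace, quotes or control bytes.
 * Returns the number of arguments seen; *truncated is set when the line did not fit. */
size_t build_cmdline(char *const argv[], char *buf, size_t buflen, int *truncated)
{
	size_t n, len = 0;
	for (n = 0; argv != NULL && argv[n] != NULL; n++) {
		const char *a = argv[n];	/* in-kernel: copyin() the pointer, copyinstr() the string */
		int quote = (*a == '\0');	/* show an empty argument as "" */
		for (const char *s = a; *s != '\0' && !quote; s++)
			if (isspace((unsigned char)*s) || iscntrl((unsigned char)*s) || *s == '"')
				quote = 1;
		if (n > 0)
			put(buf, buflen, &len, ' ');
		if (quote)
			put(buf, buflen, &len, '"');
		for (const char *s = a; *s != '\0'; s++)
			put_escaped(buf, buflen, &len, (unsigned char)*s);
		if (quote)
			put(buf, buflen, &len, '"');
	}
	*truncated = (len >= buflen);
	buf[*truncated ? buflen - 1 : len] = '\0';
	return n;
}
```

With a constructed vector such as { "sh", "-c", "echo hi\nroot 1 /bin/sh" } the record comes out as sh -c "echo hi\nroot 1 /bin/sh" on a single line, and a too-small buffer is cut short with *truncated set rather than overrun.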


_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"



