[PATCH 1/2] security: lsm_audit: add ioctl specific auditing

Wed May 20 20:21:20 UTC 2015

On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> > 
> > Signed-off-by: Jeff Vander Stoep <jeffv at google.com>
> > ---
> > 
> >  include/linux/lsm_audit.h |  7 +++++++
> >  security/lsm_audit.c      | 15 +++++++++++++++
> >  2 files changed, 22 insertions(+)
> 
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
> 
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name.  Does anyone in the audit space
> have any strong feelings on this one way or another?

Isn't that in arg1 already? I know I wrote interpretations for it.

-Steve

> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 1cc89e9..ffb9c9d 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -40,6 +40,11 @@ struct lsm_network_audit {
> > 
> >  	} fam;
> >  
> >  };
> > 
> > +struct lsm_ioctlop_audit {
> > +	struct path path;
> > +	u16 cmd;
> > +};
> > +
> > 
> >  /* Auxiliary data to use in generating the audit record. */
> >  struct common_audit_data {
> >  
> >  	char type;
> > 
> > @@ -53,6 +58,7 @@ struct common_audit_data {
> > 
> >  #define LSM_AUDIT_DATA_KMOD	8
> >  #define LSM_AUDIT_DATA_INODE	9
> >  #define LSM_AUDIT_DATA_DENTRY	10
> > 
> > +#define LSM_AUDIT_DATA_IOCTL_OP	11
> > 
> >  	union 	{
> >  	
> >  		struct path path;
> >  		struct dentry *dentry;
> > 
> > @@ -68,6 +74,7 @@ struct common_audit_data {
> > 
> >  		} key_struct;
> >  
> >  #endif
> >  
> >  		char *kmod_name;
> > 
> > +		struct lsm_ioctlop_audit *op;
> > 
> >  	} u;
> >  	/* this union contains LSM specific data */
> >  	union {
> > 
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 69fdf3b..7147c17 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct
> > audit_buffer
> > *ab, }
> > 
> >  		break;
> >  	
> >  	}
> > 
> > +	case LSM_AUDIT_DATA_IOCTL_OP: {
> > +		struct inode *inode;
> > +
> > +		audit_log_d_path(ab, " path=", &a->u.op->path);
> > +
> > +		inode = a->u.op->path.dentry->d_inode;
> > +		if (inode) {
> > +			audit_log_format(ab, " dev=");
> > +			audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > +			audit_log_format(ab, " ino=%lu", inode->i_ino);
> > +		}
> > +
> > +		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > +		break;
> > +	}
> > 
> >  	case LSM_AUDIT_DATA_DENTRY: {
> >  	
> >  		struct inode *inode;