[PATCH 1/2] security: lsm_audit: add ioctl specific auditing
Steve Grubb
sgrubb at redhat.com
Wed May 20 20:21:20 UTC 2015
On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv at google.com>
> > ---
> >
> > include/linux/lsm_audit.h | 7 +++++++
> > security/lsm_audit.c | 15 +++++++++++++++
> > 2 files changed, 22 insertions(+)
>
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
>
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name. Does anyone in the audit space
> have any strong feelings on this one way or another?
Isn't that in arg1 already? I know I wrote interpretations for it.
-Steve
> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 1cc89e9..ffb9c9d 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -40,6 +40,11 @@ struct lsm_network_audit {
> >
> > } fam;
> >
> > };
> >
> > +struct lsm_ioctlop_audit {
> > + struct path path;
> > + u16 cmd;
> > +};
> > +
> >
> > /* Auxiliary data to use in generating the audit record. */
> > struct common_audit_data {
> >
> > char type;
> >
> > @@ -53,6 +58,7 @@ struct common_audit_data {
> >
> > #define LSM_AUDIT_DATA_KMOD 8
> > #define LSM_AUDIT_DATA_INODE 9
> > #define LSM_AUDIT_DATA_DENTRY 10
> >
> > +#define LSM_AUDIT_DATA_IOCTL_OP 11
> >
> > union {
> >
> > struct path path;
> > struct dentry *dentry;
> >
> > @@ -68,6 +74,7 @@ struct common_audit_data {
> >
> > } key_struct;
> >
> > #endif
> >
> > char *kmod_name;
> >
> > + struct lsm_ioctlop_audit *op;
> >
> > } u;
> > /* this union contains LSM specific data */
> > union {
> >
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 69fdf3b..7147c17 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct
> > audit_buffer
> > *ab, }
> >
> > break;
> >
> > }
> >
> > + case LSM_AUDIT_DATA_IOCTL_OP: {
> > + struct inode *inode;
> > +
> > + audit_log_d_path(ab, " path=", &a->u.op->path);
> > +
> > + inode = a->u.op->path.dentry->d_inode;
> > + if (inode) {
> > + audit_log_format(ab, " dev=");
> > + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > + audit_log_format(ab, " ino=%lu", inode->i_ino);
> > + }
> > +
> > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > + break;
> > + }
> >
> > case LSM_AUDIT_DATA_DENTRY: {
> >
> > struct inode *inode;
More information about the Linux-audit
mailing list