[PATCH 1/2] security: lsm_audit: add ioctl specific auditing

Steve Grubb sgrubb at redhat.com
Wed May 20 20:39:14 UTC 2015


On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
> > On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> >> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> >>> Add information about ioctl calls to the LSM audit data. Log the
> >>> file path and command number.
> >>> 
> >>> Signed-off-by: Jeff Vander Stoep <jeffv at google.com>
> >>> ---
> >>> 
> >>>  include/linux/lsm_audit.h |  7 +++++++
> >>>  security/lsm_audit.c      | 15 +++++++++++++++
> >>>  2 files changed, 22 insertions(+)
> >> 
> >> No real comment other than we should include the linux-audit list on this
> >> patch (added to the To/CC line).
> >> 
> >> From an audit perspective the only new field would be the ioctl number
> >> which is represented by the "ioctlcmd" name.  Does anyone in the audit
> >> space have any strong feelings on this one way or another?
> > 
> > Isn't that in arg1 already? I know I wrote interpretations for it.
> 
> Only with syscall audit, often not enabled.  This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.

OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.

-Steve



