Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing


 



On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
> ---
>  include/linux/lsm_audit.h |  7 +++++++
>  security/lsm_audit.c      | 15 +++++++++++++++
>  2 files changed, 22 insertions(+)

No real comment other than we should include the linux-audit list on this 
patch (added to the To/CC line).

From an audit perspective the only new field would be the ioctl number which 
is represented by the "ioctlcmd" name.  Does anyone in the audit space have 
any strong feelings on this one way or another?

> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
>  	} fam;
>  };
> 
> +struct lsm_ioctlop_audit {
> +	struct path path;
> +	u16 cmd;
> +};
> +
>  /* Auxiliary data to use in generating the audit record. */
>  struct common_audit_data {
>  	char type;
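Review bot: `u16 cmd` in `struct lsm_ioctlop_audit` can hold only the low 16 bits of an ioctl command, which the ioctl syscall takes as an `unsigned int`, so the upper half of the command (where the generic encoding keeps the direction and size bits) never reaches the audit record. If the truncation is deliberate, the field should say so, e.g. `u16 cmd; /* low 16 bits of the ioctl command only */`; otherwise widen it to `unsigned int`. The struct also carries no comment on who holds the reference for `path` while the record is being built.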
> @@ -53,6 +58,7 @@ struct common_audit_data {
>  #define LSM_AUDIT_DATA_KMOD	8
>  #define LSM_AUDIT_DATA_INODE	9
>  #define LSM_AUDIT_DATA_DENTRY	10
> +#define LSM_AUDIT_DATA_IOCTL_OP	11
>  	union 	{
>  		struct path path;
>  		struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
>  		} key_struct;
>  #endif
>  		char *kmod_name;
> +		struct lsm_ioctlop_audit *op;
>  	} u;
>  	/* this union contains LSM specific data */
>  	union {
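Review bot: The new `op` member is a pointer, unlike the by-value `struct path path` member of the same union, so the audit code ends up dereferencing caller-owned memory when it formats the record. Nothing here documents that the caller must keep the `struct lsm_ioctlop_audit`, and the path reference inside it, valid for the duration of the audit call. I would add `/* caller-owned; must remain valid until the audit call returns */` beside the member. `struct common_audit_data` begins and ends outside this hunk.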
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer
> *ab, }
>  		break;
>  	}
> +	case LSM_AUDIT_DATA_IOCTL_OP: {
> +		struct inode *inode;
> +
> +		audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> +		inode = a->u.op->path.dentry->d_inode;
> +		if (inode) {
> +			audit_log_format(ab, " dev=");
> +			audit_log_untrustedstring(ab, inode->i_sb->s_id);
> +			audit_log_format(ab, " ino=%lu", inode->i_ino);
> +		}
> +
> +		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> +		break;
> +	}
>  	case LSM_AUDIT_DATA_DENTRY: {
>  		struct inode *inode;
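Review bot: `" ioctlcmd=%hx"` emits the command as bare hex with no `0x` prefix, so a value like `1234` cannot be told apart from a decimal number by anyone parsing or searching the audit log. `audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);` removes the ambiguity. The new case also dereferences `a->u.op` and `a->u.op->path.dentry` unchecked, so it relies on every caller that sets `LSM_AUDIT_DATA_IOCTL_OP` populating both. That precondition deserves a one-line comment above the case. `dump_common_audit_data` starts and ends outside the hunk, and the following `LSM_AUDIT_DATA_DENTRY` case is cut off, so I cannot confirm whether the dev/ino block duplicates it.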

-- 
paul moore
www.paul-moore.com
