On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote: > Add information about ioctl calls to the LSM audit data. Log the > file path and command number. > > Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx> > --- > include/linux/lsm_audit.h | 7 +++++++ > security/lsm_audit.c | 15 +++++++++++++++ > 2 files changed, 22 insertions(+) No real comment other than we should include the linux-audit list on this patch (added to the To/CC line). >From an audit perspective the only new field would be the ioctl number which is represented by the "ioctlcmd" name. Does anyone in the audit space have any strong feelings on this one way or another? > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > index 1cc89e9..ffb9c9d 100644 > --- a/include/linux/lsm_audit.h > +++ b/include/linux/lsm_audit.h > @@ -40,6 +40,11 @@ struct lsm_network_audit { > } fam; > }; > > +struct lsm_ioctlop_audit { > + struct path path; > + u16 cmd; > +}; > + > /* Auxiliary data to use in generating the audit record. */ > struct common_audit_data { > char type; > @@ -53,6 +58,7 @@ struct common_audit_data { > #define LSM_AUDIT_DATA_KMOD 8 > #define LSM_AUDIT_DATA_INODE 9 > #define LSM_AUDIT_DATA_DENTRY 10 > +#define LSM_AUDIT_DATA_IOCTL_OP 11 > union { > struct path path; > struct dentry *dentry; > @@ -68,6 +74,7 @@ struct common_audit_data { > } key_struct; > #endif > char *kmod_name; > + struct lsm_ioctlop_audit *op; > } u; > /* this union contains LSM specific data */ > union { > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 69fdf3b..7147c17 100644 > --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer > *ab, } > break; > } > + case LSM_AUDIT_DATA_IOCTL_OP: { > + struct inode *inode; > + > + audit_log_d_path(ab, " path=", &a->u.op->path); > + > + inode = a->u.op->path.dentry->d_inode; > + if (inode) { > + audit_log_format(ab, " dev="); > + audit_log_untrustedstring(ab, inode->i_sb->s_id); > + audit_log_format(ab, " ino=%lu", inode->i_ino); > + } > + > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd); > + break; > + } > case LSM_AUDIT_DATA_DENTRY: { > struct inode *inode; -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.