On Oct 22, 2024 "Thiébaud Weksteen" <tweek@xxxxxxxxxx> wrote:
>
> Add a new audit message type to capture nlmsg-related information. This
> is similar to LSM_AUDIT_DATA_IOCTL_OP which was added for the other
> SELinux extended permission (ioctl).
>
> Adding a new type is preferred to adding to the existing
> lsm_network_audit structure which contains irrelevant information for
> the netlink sockets (i.e., dport, sport).
>
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> include/linux/lsm_audit.h | 2 ++
> security/lsm_audit.c | 3 +++
> security/selinux/hooks.c | 4 ++--
> 3 files changed, 7 insertions(+), 2 deletions(-)

...

> diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 849e832719e2..b6544024f688 100644 > --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -425,6 +425,9 @@ static void dump_common_audit_data(struct audit_buffer *ab, > case LSM_AUDIT_DATA_ANONINODE: > audit_log_format(ab, " anonclass=%s", a->u.anonclass); > break; > + case LSM_AUDIT_DATA_NLMSGTYPE: > + audit_log_format(ab, " nlmsg_type=%hu", a->u.nlmsg_type); > + break;

Based on the audit field dictionary, link below, it appears that netlink related fields follow the "nlnk-XXX" pattern, and while I don't recall any current users in the kernel, it seems like sticking with that pattern is probably a good idea. With that in mind, what do you think about changing "nlmsg_type" into "nlnk-msgtype"?

https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv

> } /* switch (a->type) */ > } > -- paul-moore.com
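
Review bot: In the new `LSM_AUDIT_DATA_NLMSGTYPE` case, the `%hu` conversion depends on `a->u.nlmsg_type` being an unsigned 16-bit member, and the `include/linux/lsm_audit.h` hunk that declares it is elided from this quote, so the declaration should be checked against the format string. The commit message also does not show what the resulting audit record looks like; a sample record line, plus a matching entry in the audit field dictionary for whichever field name is settled on, would let userspace parsers be updated from the changelog alone.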