Re: [PATCH] selinux: add netlink nlmsg_type audit message

> On Oct 22, 2024 "Thiébaud Weksteen" <tweek@xxxxxxxxxx> wrote:
> >
> > Add a new audit message type to capture nlmsg-related information. This
> > is similar to LSM_AUDIT_DATA_IOCTL_OP which was added for the other
> > SELinux extended permission (ioctl).
> >
> > Adding a new type is preferred to adding to the existing
> > lsm_network_audit structure which contains irrelevant information for
> > the netlink sockets (i.e., dport, sport).
> >
> > Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> > ---
> >  include/linux/lsm_audit.h | 2 ++
> >  security/lsm_audit.c      | 3 +++
> >  security/selinux/hooks.c  | 4 ++--
> >  3 files changed, 7 insertions(+), 2 deletions(-)
>
> ...
>
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 849e832719e2..b6544024f688 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -425,6 +425,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> >       case LSM_AUDIT_DATA_ANONINODE:
> >               audit_log_format(ab, " anonclass=%s", a->u.anonclass);
> >               break;
> > +     case LSM_AUDIT_DATA_NLMSGTYPE:
> > +             audit_log_format(ab, " nlmsg_type=%hu", a->u.nlmsg_type);
> > +             break;
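Review bot: whichever spelling is settled on for the key in the `audit_log_format(ab, " nlmsg_type=%hu", ...)` call in this hunk, the name should also be recorded in the audit field dictionary Paul refers to, so userspace audit tooling has a definition to go by rather than an undocumented key. Separately, `%hu` is only the right conversion if the `nlmsg_type` union member added in include/linux/lsm_audit.h (elided with "..." in this reply) is a 16-bit type, matching `nlmsghdr.nlmsg_type`, which is `__u16`; worth confirming the header hunk declares it that way rather than as a wider integer.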
>
> Based on the audit field dictionary, link below, it appears that netlink
> related fields follow the "nlnk-XXX" pattern, and while I don't recall
> any current users in the kernel, it seems like sticking with that pattern
> is probably a good idea.  With that in mind, what do you think about
> changing "nlmsg_type" into "nlnk-msgtype"?
>

Thanks Paul, I wasn't aware of this list. I found one example of a
netlink field in kernel/audit.c (function audit_log_multicast), which
was added in commit 9d2161bed4e39. The field is 'nl-mcgrp'. The name
was changed from nlnk-grp between v4 and v5 of the patch, but I can't
seem to find the reasoning.

Do you know if 'nlnk-fam' and 'nlnk-pid' were deprecated/removed at some point?

I don't mind either way. If you think 'nlnk-msgtype' (or 'nl-msgtype')
is more consistent with the other audit fields, I'm happy to send an
updated version.
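As an added example that is not part of the thread or the patch, the following parser shows how a consumer of the audit log would pick the new field out of an AVC record and decode it. The candidate key names (`nlmsg_type`, `nlnk-msgtype`, `nl-msgtype`) are the three spellings discussed above and which one lands is not settled on this page; the sample records are constructed, and their exact layout (the `{ nlmsg }` permission, the netlink_route_socket class) is an assumption about how a denial on a netlink extended permission would be printed. The numeric message type names come from the uapi netlink and rtnetlink headers.

```python
"""Decode the netlink message type field from SELinux AVC audit records.

Added example, not code from the patch or the kernel tree. It assumes the
record layout shown in the constructed SAMPLE_RECORDS below; the field name
actually emitted depends on which spelling the patch finally settles on.
"""
import re
from typing import Dict, List, Optional

# Candidate field names: "nlmsg_type" is what the patch emits, the other two
# are the alternatives raised in the thread (assumption: one of these wins).
NLMSG_TYPE_KEYS = ("nlmsg_type", "nlnk-msgtype", "nl-msgtype")

# Well-known netlink message type values from <linux/netlink.h> and
# <linux/rtnetlink.h>, enough to make a decoded record readable.
NLMSG_TYPE_NAMES = {
    1: "NLMSG_NOOP", 2: "NLMSG_ERROR", 3: "NLMSG_DONE", 4: "NLMSG_OVERRUN",
    16: "RTM_NEWLINK", 17: "RTM_DELLINK", 18: "RTM_GETLINK", 19: "RTM_SETLINK",
    20: "RTM_NEWADDR", 21: "RTM_DELADDR", 22: "RTM_GETADDR",
    24: "RTM_NEWROUTE", 25: "RTM_DELROUTE", 26: "RTM_GETROUTE",
}

# key=value pairs; values are either double-quoted or run to the next space.
_FIELD_RE = re.compile(r'([A-Za-z0-9_\-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# The "{ perm1 perm2 }" set that follows "denied"/"granted".
_PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

# Constructed sample records (not captured from a real system).
SAMPLE_RECORDS = [
    # route socket denial, field spelled as in the patch
    'type=AVC msg=audit(1729600000.123:456): avc:  denied  { nlmsg } for  '
    'pid=1234 comm="ip" nlmsg_type=16 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=netlink_route_socket permissive=0',
    # same kind of denial if the field were renamed to the dictionary pattern
    'type=AVC msg=audit(1729600000.124:457): avc:  denied  { nlmsg } for  '
    'pid=1235 comm="ip" nlnk-msgtype=24 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=netlink_route_socket permissive=0',
    # unrelated file denial with no netlink field at all
    'type=AVC msg=audit(1729600000.125:458): avc:  denied  { read } for  '
    'pid=1236 comm="cat" name="shadow" dev="vda1" ino=131 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]


def parse_avc_fields(record: str) -> Dict[str, str]:
    """Split an AVC record into its key=value fields, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(record):
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def netlink_msg_type(fields: Dict[str, str]) -> Optional[int]:
    """Return the netlink message type under any of the candidate key names."""
    for key in NLMSG_TYPE_KEYS:
        if key in fields:
            return int(fields[key], 0)  # base 0 accepts "16" as well as "0x10"
    return None


def decode_nlmsg_type(value: int) -> str:
    """Map a numeric nlmsg_type to its symbolic name where known."""
    return NLMSG_TYPE_NAMES.get(value, f"unknown({value})")


def summarize(record: str) -> Dict[str, object]:
    """Extract the parts of a record a triager wants: perms, class, netlink type."""
    fields = parse_avc_fields(record)
    perms_m = _PERMS_RE.search(record)
    value = netlink_msg_type(fields)
    return {
        "perms": perms_m.group(1).split() if perms_m else [],
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "nlmsg_type": value,
        "nlmsg_name": decode_nlmsg_type(value) if value is not None else None,
    }


def summarize_all(records: List[str]) -> List[Dict[str, object]]:
    return [summarize(r) for r in records]


if __name__ == "__main__":
    for summary in summarize_all(SAMPLE_RECORDS):
        print(summary)
```

Accepting all three candidate spellings is deliberate: a detection rule written today against `nlmsg_type=` would silently stop matching if the field were renamed before the patch lands, so the lookup is keyed on the whole candidate set rather than one literal.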
