From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Paul Moore <paul@paul-moore.com>,
	Jeff Vander Stoep <jeffv@google.com>,
	sds@tycho.nsa.gov, eparis@parisplace.org,
	linux-security-module@vger.kernel.org, james.l.morris@oracle.com,
	selinux@tycho.nsa.gov, serge@hallyn.com
Subject: Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
Date: Wed, 20 May 2015 16:21:20 -0400	[thread overview]
Message-ID: <11866875.LIkutgAE8Q@x2> (raw)
In-Reply-To: <3322194.9bHnmkPx3f@sifl>

On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> > 
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > 
> >  include/linux/lsm_audit.h |  7 +++++++
> >  security/lsm_audit.c      | 15 +++++++++++++++
> >  2 files changed, 22 insertions(+)
> 
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
> 
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name.  Does anyone in the audit space
> have any strong feelings on this one way or another?

Isn't that in arg1 already? I know I wrote interpretations for it.

-Steve


> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 1cc89e9..ffb9c9d 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -40,6 +40,11 @@ struct lsm_network_audit {
> > 
> >  	} fam;
> >  
> >  };
> > 
> > +struct lsm_ioctlop_audit {
> > +	struct path path;
> > +	u16 cmd;
> > +};
> > +
> > 
> >  /* Auxiliary data to use in generating the audit record. */
> >  struct common_audit_data {
> >  
> >  	char type;
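Review bot: `u16 cmd` in the new `struct lsm_ioctlop_audit` is narrower than the `unsigned int` an ioctl command number is passed as, so whatever is stored there keeps only the low 16 bits, and the `ioctlcmd=` value later logged from it cannot be mapped back to a full command (the direction and size bits of the `_IOC` encoding are gone). If the truncation is intentional, for example because the consumer only cares about the type/nr half, the header should say so, since a reader otherwise takes the field for the whole command: `u16 cmd; /* low 16 bits (type and nr) of the ioctl command; dir/size bits are not recorded */`. If it is not intentional, the field should be `unsigned int cmd;` with the matching `%hx` format in security/lsm_audit.c changed to suit. Whether the caller hands over the full command or an already-masked value is not visible in this patch.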
> > 
> > @@ -53,6 +58,7 @@ struct common_audit_data {
> > 
> >  #define LSM_AUDIT_DATA_KMOD	8
> >  #define LSM_AUDIT_DATA_INODE	9
> >  #define LSM_AUDIT_DATA_DENTRY	10
> > 
> > +#define LSM_AUDIT_DATA_IOCTL_OP	11
> > 
> >  	union 	{
> >  	
> >  		struct path path;
> >  		struct dentry *dentry;
> > 
> > @@ -68,6 +74,7 @@ struct common_audit_data {
> > 
> >  		} key_struct;
> >  
> >  #endif
> >  
> >  		char *kmod_name;
> > 
> > +		struct lsm_ioctlop_audit *op;
> > 
> >  	} u;
> >  	/* this union contains LSM specific data */
> >  	union {
> > 
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 69fdf3b..7147c17 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct
> > audit_buffer
> > *ab, }
> > 
> >  		break;
> >  	
> >  	}
> > 
> > +	case LSM_AUDIT_DATA_IOCTL_OP: {
> > +		struct inode *inode;
> > +
> > +		audit_log_d_path(ab, " path=", &a->u.op->path);
> > +
> > +		inode = a->u.op->path.dentry->d_inode;
> > +		if (inode) {
> > +			audit_log_format(ab, " dev=");
> > +			audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > +			audit_log_format(ab, " ino=%lu", inode->i_ino);
> > +		}
> > +
> > +		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > +		break;
> > +	}
> > 
> >  	case LSM_AUDIT_DATA_DENTRY: {
> >  	
> >  		struct inode *inode;
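Review bot: The `ioctlcmd=%hx` format at the end of the new `LSM_AUDIT_DATA_IOCTL_OP` case emits bare hex with no `0x` prefix, so a value such as `1234` is indistinguishable from decimal to anything parsing the record by field name, and the neighbouring numeric field in the same record (`ino=%lu`) is decimal, which makes the mix easy to misread. I would make the encoding self-describing with `audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);` and note the base in the field's documentation. Separately, the path/dev/ino block in this case looks like a copy of the existing path-dumping code (the DENTRY case just below starts the same way), so a small static helper taking the `struct path *` would keep the two from drifting apart; I can only see the start of the neighbouring case here, so treat that as a suggestion rather than a finding. dump_common_audit_data begins and ends outside the hunk.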

