* [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-04-09 21:49 Jeff Vander Stoep
2015-04-10 12:33 ` Stephen Smalley
` (3 more replies)
0 siblings, 4 replies; 16+ messages in thread
From: Jeff Vander Stoep @ 2015-04-09 21:49 UTC (permalink / raw)
To: selinux; +Cc: linux-security-module, james.l.morris, sds
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
include/linux/lsm_audit.h | 7 +++++++
security/lsm_audit.c | 15 +++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 1cc89e9..ffb9c9d 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -40,6 +40,11 @@ struct lsm_network_audit {
} fam;
};
+struct lsm_ioctlop_audit {
+ struct path path;
+ u16 cmd;
+};
+
/* Auxiliary data to use in generating the audit record. */
struct common_audit_data {
char type;
@@ -53,6 +58,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_KMOD 8
#define LSM_AUDIT_DATA_INODE 9
#define LSM_AUDIT_DATA_DENTRY 10
+#define LSM_AUDIT_DATA_IOCTL_OP 11
union {
struct path path;
struct dentry *dentry;
@@ -68,6 +74,7 @@ struct common_audit_data {
} key_struct;
#endif
char *kmod_name;
+ struct lsm_ioctlop_audit *op;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 69fdf3b..7147c17 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
}
break;
}
+ case LSM_AUDIT_DATA_IOCTL_OP: {
+ struct inode *inode;
+
+ audit_log_d_path(ab, " path=", &a->u.op->path);
+
+ inode = a->u.op->path.dentry->d_inode;
+ if (inode) {
+ audit_log_format(ab, " dev=");
+ audit_log_untrustedstring(ab, inode->i_sb->s_id);
+ audit_log_format(ab, " ino=%lu", inode->i_ino);
+ }
+
+ audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
+ break;
+ }
case LSM_AUDIT_DATA_DENTRY: {
struct inode *inode;
--
2.2.0.rc0.207.ga3a616c
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-04-09 21:49 [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Jeff Vander Stoep
@ 2015-04-10 12:33 ` Stephen Smalley
2015-04-10 21:18 ` Nick Kralevich
` (2 subsequent siblings)
3 siblings, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2015-04-10 12:33 UTC (permalink / raw)
To: Jeff Vander Stoep, selinux; +Cc: linux-security-module, james.l.morris
On 04/09/2015 05:49 PM, Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
>
>
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-04-09 21:49 [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Jeff Vander Stoep
2015-04-10 12:33 ` Stephen Smalley
@ 2015-04-10 21:18 ` Nick Kralevich
2015-04-23 22:25 ` Paul Moore
2015-05-20 20:06 ` Paul Moore
3 siblings, 0 replies; 16+ messages in thread
From: Nick Kralevich @ 2015-04-10 21:18 UTC (permalink / raw)
To: Jeff Vander Stoep
Cc: linux-security-module, Stephen Smalley, James Morris, SELinux
On Thu, Apr 9, 2015 at 2:49 PM, Jeff Vander Stoep <jeffv@google.com> wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
>
> --
> 2.2.0.rc0.207.ga3a616c
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-04-09 21:49 [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Jeff Vander Stoep
2015-04-10 12:33 ` Stephen Smalley
2015-04-10 21:18 ` Nick Kralevich
@ 2015-04-23 22:25 ` Paul Moore
2015-04-24 0:00 ` James Morris
2015-05-20 20:06 ` Paul Moore
3 siblings, 1 reply; 16+ messages in thread
From: Paul Moore @ 2015-04-23 22:25 UTC (permalink / raw)
To: Jeff Vander Stoep
Cc: selinux, linux-security-module, James Morris, Stephen Smalley
On Thu, Apr 9, 2015 at 5:49 PM, Jeff Vander Stoep <jeffv@google.com> wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
While this isn't specific to a given LSM, at present it only makes
sense with the associated SELinux patches. James, unless you have any
objections I would prefer if this went in via the SELinux tree.
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
>
> --
> 2.2.0.rc0.207.ga3a616c
>
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-04-23 22:25 ` Paul Moore
@ 2015-04-24 0:00 ` James Morris
0 siblings, 0 replies; 16+ messages in thread
From: James Morris @ 2015-04-24 0:00 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, linux-security-module, selinux, Stephen Smalley
On Thu, 23 Apr 2015, Paul Moore wrote:
> On Thu, Apr 9, 2015 at 5:49 PM, Jeff Vander Stoep <jeffv@google.com> wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > include/linux/lsm_audit.h | 7 +++++++
> > security/lsm_audit.c | 15 +++++++++++++++
> > 2 files changed, 22 insertions(+)
>
> While this isn't specific to a given LSM, at present it only makes
> sense with the associated SELinux patches. James, unless you have any
> objections I would prefer if this went in via the SELinux tree.
Fine by me.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-04-09 21:49 [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Jeff Vander Stoep
@ 2015-05-20 20:06 ` Paul Moore
2015-04-10 21:18 ` Nick Kralevich
` (2 subsequent siblings)
3 siblings, 0 replies; 16+ messages in thread
From: Paul Moore @ 2015-05-20 20:06 UTC (permalink / raw)
To: Jeff Vander Stoep, sds, linux-audit
Cc: selinux, linux-security-module, eparis, serge, james.l.morris
On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
No real comment other than we should include the linux-audit list on this
patch (added to the To/CC line).
>From an audit perspective the only new field would be the ioctl number which
is represented by the "ioctlcmd" name. Does anyone in the audit space have
any strong feelings on this one way or another?
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer
> *ab, }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-05-20 20:06 ` Paul Moore
0 siblings, 0 replies; 16+ messages in thread
From: Paul Moore @ 2015-05-20 20:06 UTC (permalink / raw)
To: Jeff Vander Stoep, sds, linux-audit
Cc: linux-security-module, james.l.morris, selinux
On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
No real comment other than we should include the linux-audit list on this
patch (added to the To/CC line).
>From an audit perspective the only new field would be the ioctl number which
is represented by the "ioctlcmd" name. Does anyone in the audit space have
any strong feelings on this one way or another?
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer
> *ab, }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-05-20 20:06 ` Paul Moore
@ 2015-05-20 20:21 ` Steve Grubb
-1 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2015-05-20 20:21 UTC (permalink / raw)
To: linux-audit
Cc: Paul Moore, Jeff Vander Stoep, sds, eparis, linux-security-module,
james.l.morris, selinux, serge
On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> >
> > include/linux/lsm_audit.h | 7 +++++++
> > security/lsm_audit.c | 15 +++++++++++++++
> > 2 files changed, 22 insertions(+)
>
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
>
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name. Does anyone in the audit space
> have any strong feelings on this one way or another?
Isn't that in arg1 already? I know I wrote interpretations for it.
-Steve
> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 1cc89e9..ffb9c9d 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -40,6 +40,11 @@ struct lsm_network_audit {
> >
> > } fam;
> >
> > };
> >
> > +struct lsm_ioctlop_audit {
> > + struct path path;
> > + u16 cmd;
> > +};
> > +
> >
> > /* Auxiliary data to use in generating the audit record. */
> > struct common_audit_data {
> >
> > char type;
> >
> > @@ -53,6 +58,7 @@ struct common_audit_data {
> >
> > #define LSM_AUDIT_DATA_KMOD 8
> > #define LSM_AUDIT_DATA_INODE 9
> > #define LSM_AUDIT_DATA_DENTRY 10
> >
> > +#define LSM_AUDIT_DATA_IOCTL_OP 11
> >
> > union {
> >
> > struct path path;
> > struct dentry *dentry;
> >
> > @@ -68,6 +74,7 @@ struct common_audit_data {
> >
> > } key_struct;
> >
> > #endif
> >
> > char *kmod_name;
> >
> > + struct lsm_ioctlop_audit *op;
> >
> > } u;
> > /* this union contains LSM specific data */
> > union {
> >
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 69fdf3b..7147c17 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct
> > audit_buffer
> > *ab, }
> >
> > break;
> >
> > }
> >
> > + case LSM_AUDIT_DATA_IOCTL_OP: {
> > + struct inode *inode;
> > +
> > + audit_log_d_path(ab, " path=", &a->u.op->path);
> > +
> > + inode = a->u.op->path.dentry->d_inode;
> > + if (inode) {
> > + audit_log_format(ab, " dev=");
> > + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > + audit_log_format(ab, " ino=%lu", inode->i_ino);
> > + }
> > +
> > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > + break;
> > + }
> >
> > case LSM_AUDIT_DATA_DENTRY: {
> >
> > struct inode *inode;
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-05-20 20:21 ` Steve Grubb
0 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2015-05-20 20:21 UTC (permalink / raw)
To: linux-audit; +Cc: linux-security-module, james.l.morris, sds, selinux
On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> >
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> >
> > include/linux/lsm_audit.h | 7 +++++++
> > security/lsm_audit.c | 15 +++++++++++++++
> > 2 files changed, 22 insertions(+)
>
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
>
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name. Does anyone in the audit space
> have any strong feelings on this one way or another?
Isn't that in arg1 already? I know I wrote interpretations for it.
-Steve
> > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> > index 1cc89e9..ffb9c9d 100644
> > --- a/include/linux/lsm_audit.h
> > +++ b/include/linux/lsm_audit.h
> > @@ -40,6 +40,11 @@ struct lsm_network_audit {
> >
> > } fam;
> >
> > };
> >
> > +struct lsm_ioctlop_audit {
> > + struct path path;
> > + u16 cmd;
> > +};
> > +
> >
> > /* Auxiliary data to use in generating the audit record. */
> > struct common_audit_data {
> >
> > char type;
> >
> > @@ -53,6 +58,7 @@ struct common_audit_data {
> >
> > #define LSM_AUDIT_DATA_KMOD 8
> > #define LSM_AUDIT_DATA_INODE 9
> > #define LSM_AUDIT_DATA_DENTRY 10
> >
> > +#define LSM_AUDIT_DATA_IOCTL_OP 11
> >
> > union {
> >
> > struct path path;
> > struct dentry *dentry;
> >
> > @@ -68,6 +74,7 @@ struct common_audit_data {
> >
> > } key_struct;
> >
> > #endif
> >
> > char *kmod_name;
> >
> > + struct lsm_ioctlop_audit *op;
> >
> > } u;
> > /* this union contains LSM specific data */
> > union {
> >
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index 69fdf3b..7147c17 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct
> > audit_buffer
> > *ab, }
> >
> > break;
> >
> > }
> >
> > + case LSM_AUDIT_DATA_IOCTL_OP: {
> > + struct inode *inode;
> > +
> > + audit_log_d_path(ab, " path=", &a->u.op->path);
> > +
> > + inode = a->u.op->path.dentry->d_inode;
> > + if (inode) {
> > + audit_log_format(ab, " dev=");
> > + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > + audit_log_format(ab, " ino=%lu", inode->i_ino);
> > + }
> > +
> > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > + break;
> > + }
> >
> > case LSM_AUDIT_DATA_DENTRY: {
> >
> > struct inode *inode;
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-05-20 20:21 ` Steve Grubb
@ 2015-05-20 20:22 ` Stephen Smalley
-1 siblings, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2015-05-20 20:22 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Cc: Paul Moore, Jeff Vander Stoep, eparis, linux-security-module,
james.l.morris, selinux, serge
On 05/20/2015 04:21 PM, Steve Grubb wrote:
> On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
>> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>>> Add information about ioctl calls to the LSM audit data. Log the
>>> file path and command number.
>>>
>>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
>>> ---
>>>
>>> include/linux/lsm_audit.h | 7 +++++++
>>> security/lsm_audit.c | 15 +++++++++++++++
>>> 2 files changed, 22 insertions(+)
>>
>> No real comment other than we should include the linux-audit list on this
>> patch (added to the To/CC line).
>>
>> From an audit perspective the only new field would be the ioctl number
>> which is represented by the "ioctlcmd" name. Does anyone in the audit space
>> have any strong feelings on this one way or another?
>
> Isn't that in arg1 already? I know I wrote interpretations for it.
Only with syscall audit, often not enabled. This is to capture the
information on AVC denials for an extension to SELinux to support ioctl
whitelisting.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-05-20 20:22 ` Stephen Smalley
0 siblings, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2015-05-20 20:22 UTC (permalink / raw)
To: Steve Grubb, linux-audit; +Cc: james.l.morris, linux-security-module, selinux
On 05/20/2015 04:21 PM, Steve Grubb wrote:
> On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
>> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>>> Add information about ioctl calls to the LSM audit data. Log the
>>> file path and command number.
>>>
>>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
>>> ---
>>>
>>> include/linux/lsm_audit.h | 7 +++++++
>>> security/lsm_audit.c | 15 +++++++++++++++
>>> 2 files changed, 22 insertions(+)
>>
>> No real comment other than we should include the linux-audit list on this
>> patch (added to the To/CC line).
>>
>> From an audit perspective the only new field would be the ioctl number
>> which is represented by the "ioctlcmd" name. Does anyone in the audit space
>> have any strong feelings on this one way or another?
>
> Isn't that in arg1 already? I know I wrote interpretations for it.
Only with syscall audit, often not enabled. This is to capture the
information on AVC denials for an extension to SELinux to support ioctl
whitelisting.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-05-20 20:22 ` Stephen Smalley
@ 2015-05-20 20:39 ` Steve Grubb
-1 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2015-05-20 20:39 UTC (permalink / raw)
To: Stephen Smalley
Cc: linux-audit, Paul Moore, Jeff Vander Stoep, eparis,
linux-security-module, james.l.morris, selinux, serge
On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
> > On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> >> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> >>> Add information about ioctl calls to the LSM audit data. Log the
> >>> file path and command number.
> >>>
> >>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> >>> ---
> >>>
> >>> include/linux/lsm_audit.h | 7 +++++++
> >>> security/lsm_audit.c | 15 +++++++++++++++
> >>> 2 files changed, 22 insertions(+)
> >>
> >> No real comment other than we should include the linux-audit list on this
> >> patch (added to the To/CC line).
> >>
> >> From an audit perspective the only new field would be the ioctl number
> >> which is represented by the "ioctlcmd" name. Does anyone in the audit
> >> space have any strong feelings on this one way or another?
> >
> > Isn't that in arg1 already? I know I wrote interpretations for it.
>
> Only with syscall audit, often not enabled. This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.
OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.
-Steve
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-05-20 20:39 ` Steve Grubb
0 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2015-05-20 20:39 UTC (permalink / raw)
To: Stephen Smalley
Cc: linux-security-module, linux-audit, james.l.morris, selinux
On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
> > On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> >> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> >>> Add information about ioctl calls to the LSM audit data. Log the
> >>> file path and command number.
> >>>
> >>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> >>> ---
> >>>
> >>> include/linux/lsm_audit.h | 7 +++++++
> >>> security/lsm_audit.c | 15 +++++++++++++++
> >>> 2 files changed, 22 insertions(+)
> >>
> >> No real comment other than we should include the linux-audit list on this
> >> patch (added to the To/CC line).
> >>
> >> From an audit perspective the only new field would be the ioctl number
> >> which is represented by the "ioctlcmd" name. Does anyone in the audit
> >> space have any strong feelings on this one way or another?
> >
> > Isn't that in arg1 already? I know I wrote interpretations for it.
>
> Only with syscall audit, often not enabled. This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.
OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.
-Steve
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
@ 2015-06-12 16:01 Jeff Vander Stoep
2015-06-12 16:23 ` Nick Kralevich
2015-06-12 20:41 ` Paul Moore
0 siblings, 2 replies; 16+ messages in thread
From: Jeff Vander Stoep @ 2015-06-12 16:01 UTC (permalink / raw)
To: selinux; +Cc: linux-security-module, james.l.morris, sds
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
include/linux/lsm_audit.h | 7 +++++++
security/lsm_audit.c | 15 +++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 1cc89e9..ffb9c9d 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -40,6 +40,11 @@ struct lsm_network_audit {
} fam;
};
+struct lsm_ioctlop_audit {
+ struct path path;
+ u16 cmd;
+};
+
/* Auxiliary data to use in generating the audit record. */
struct common_audit_data {
char type;
@@ -53,6 +58,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_KMOD 8
#define LSM_AUDIT_DATA_INODE 9
#define LSM_AUDIT_DATA_DENTRY 10
+#define LSM_AUDIT_DATA_IOCTL_OP 11
union {
struct path path;
struct dentry *dentry;
@@ -68,6 +74,7 @@ struct common_audit_data {
} key_struct;
#endif
char *kmod_name;
+ struct lsm_ioctlop_audit *op;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 1d34277..9f6c649 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
}
break;
}
+ case LSM_AUDIT_DATA_IOCTL_OP: {
+ struct inode *inode;
+
+ audit_log_d_path(ab, " path=", &a->u.op->path);
+
+ inode = a->u.op->path.dentry->d_inode;
+ if (inode) {
+ audit_log_format(ab, " dev=");
+ audit_log_untrustedstring(ab, inode->i_sb->s_id);
+ audit_log_format(ab, " ino=%lu", inode->i_ino);
+ }
+
+ audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
+ break;
+ }
case LSM_AUDIT_DATA_DENTRY: {
struct inode *inode;
--
2.2.0.rc0.207.ga3a616c
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-06-12 16:01 Jeff Vander Stoep
@ 2015-06-12 16:23 ` Nick Kralevich
2015-06-12 20:41 ` Paul Moore
1 sibling, 0 replies; 16+ messages in thread
From: Nick Kralevich @ 2015-06-12 16:23 UTC (permalink / raw)
To: Jeff Vander Stoep
Cc: linux-security-module, Stephen Smalley, James Morris, SELinux
On Fri, Jun 12, 2015 at 9:01 AM, Jeff Vander Stoep <jeffv@google.com> wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 1d34277..9f6c649 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
>
> --
> 2.2.0.rc0.207.ga3a616c
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
2015-06-12 16:01 Jeff Vander Stoep
2015-06-12 16:23 ` Nick Kralevich
@ 2015-06-12 20:41 ` Paul Moore
1 sibling, 0 replies; 16+ messages in thread
From: Paul Moore @ 2015-06-12 20:41 UTC (permalink / raw)
To: Jeff Vander Stoep
Cc: selinux, linux-security-module, James Morris, Stephen Smalley
On Fri, Jun 12, 2015 at 12:01 PM, Jeff Vander Stoep <jeffv@google.com> wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
Applied to the SELinux next-queue, thanks.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2015-06-12 20:41 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-04-09 21:49 [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Jeff Vander Stoep
2015-04-10 12:33 ` Stephen Smalley
2015-04-10 21:18 ` Nick Kralevich
2015-04-23 22:25 ` Paul Moore
2015-04-24 0:00 ` James Morris
2015-05-20 20:06 ` Paul Moore
2015-05-20 20:06 ` Paul Moore
2015-05-20 20:21 ` Steve Grubb
2015-05-20 20:21 ` Steve Grubb
2015-05-20 20:22 ` Stephen Smalley
2015-05-20 20:22 ` Stephen Smalley
2015-05-20 20:39 ` Steve Grubb
2015-05-20 20:39 ` Steve Grubb
-- strict thread matches above, loose matches on Subject: below --
2015-06-12 16:01 Jeff Vander Stoep
2015-06-12 16:23 ` Nick Kralevich
2015-06-12 20:41 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.