* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing [not found] <1428616171-14767-1-git-send-email-jeffv@google.com> @ 2015-05-20 20:06 ` Paul Moore 2015-05-20 20:21 ` Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: Paul Moore @ 2015-05-20 20:06 UTC (permalink / raw) To: Jeff Vander Stoep, sds, linux-audit Cc: selinux, linux-security-module, eparis, serge, james.l.morris On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote: > Add information about ioctl calls to the LSM audit data. Log the > file path and command number. > > Signed-off-by: Jeff Vander Stoep <jeffv@google.com> > --- > include/linux/lsm_audit.h | 7 +++++++ > security/lsm_audit.c | 15 +++++++++++++++ > 2 files changed, 22 insertions(+) No real comment other than we should include the linux-audit list on this patch (added to the To/CC line). >From an audit perspective the only new field would be the ioctl number which is represented by the "ioctlcmd" name. Does anyone in the audit space have any strong feelings on this one way or another? > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > index 1cc89e9..ffb9c9d 100644 > --- a/include/linux/lsm_audit.h > +++ b/include/linux/lsm_audit.h > @@ -40,6 +40,11 @@ struct lsm_network_audit { > } fam; > }; > > +struct lsm_ioctlop_audit { > + struct path path; > + u16 cmd; > +}; > + > /* Auxiliary data to use in generating the audit record. */ > struct common_audit_data { > char type; > @@ -53,6 +58,7 @@ struct common_audit_data { > #define LSM_AUDIT_DATA_KMOD 8 > #define LSM_AUDIT_DATA_INODE 9 > #define LSM_AUDIT_DATA_DENTRY 10 > +#define LSM_AUDIT_DATA_IOCTL_OP 11 > union { > struct path path; > struct dentry *dentry; > @@ -68,6 +74,7 @@ struct common_audit_data { > } key_struct; > #endif > char *kmod_name; > + struct lsm_ioctlop_audit *op; > } u; > /* this union contains LSM specific data */ > union { > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 69fdf3b..7147c17 100644 
> --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer > *ab, } > break; > } > + case LSM_AUDIT_DATA_IOCTL_OP: { > + struct inode *inode; > + > + audit_log_d_path(ab, " path=", &a->u.op->path); > + > + inode = a->u.op->path.dentry->d_inode; > + if (inode) { > + audit_log_format(ab, " dev="); > + audit_log_untrustedstring(ab, inode->i_sb->s_id); > + audit_log_format(ab, " ino=%lu", inode->i_ino); > + } > + > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd); > + break; > + } > case LSM_AUDIT_DATA_DENTRY: { > struct inode *inode; -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 4+ messages in thread
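Review bot: `u16 cmd` in the new `struct lsm_ioctlop_audit` truncates the ioctl command number, which the kernel carries as an `unsigned int` through `unlocked_ioctl`; the low 16 bits hold only the type and nr fields, so the direction and argument-size bits are dropped and two commands that differ only in their argument size will log the same `ioctlcmd`. If recording type/nr only is the intent (it would be, for matching an SELinux ioctl whitelist keyed on type and number), a comment on the field should say so, so that anyone interpreting the audit value knows it is not the full command word; otherwise widen the field to `unsigned int` and adjust the matching format in lsm_audit.c.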
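Review bot: the new `LSM_AUDIT_DATA_IOCTL_OP` case duplicates the path/dev/ino logging that the `LSM_AUDIT_DATA_DENTRY` case immediately below it already does; factoring the `dev=`/`ino=` part into a small helper shared by the path, dentry, inode and ioctl cases would keep the four in step when the record format changes. Separately, `audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd)` emits bare hex with no `0x` prefix next to the decimal `ino=%lu`, so userspace must know out of band which base to parse (the lookup table Steve mentions); printing it as `" ioctlcmd=0x%hx"` removes that ambiguity for any consumer of the record.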
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing 2015-05-20 20:06 ` [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Paul Moore @ 2015-05-20 20:21 ` Steve Grubb 2015-05-20 20:22 ` Stephen Smalley 0 siblings, 1 reply; 4+ messages in thread From: Steve Grubb @ 2015-05-20 20:21 UTC (permalink / raw) To: linux-audit Cc: Paul Moore, Jeff Vander Stoep, sds, eparis, linux-security-module, james.l.morris, selinux, serge On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote: > On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote: > > Add information about ioctl calls to the LSM audit data. Log the > > file path and command number. > > > > Signed-off-by: Jeff Vander Stoep <jeffv@google.com> > > --- > > > > include/linux/lsm_audit.h | 7 +++++++ > > security/lsm_audit.c | 15 +++++++++++++++ > > 2 files changed, 22 insertions(+) > > No real comment other than we should include the linux-audit list on this > patch (added to the To/CC line). > > From an audit perspective the only new field would be the ioctl number > which is represented by the "ioctlcmd" name. Does anyone in the audit space > have any strong feelings on this one way or another? Isn't that in arg1 already? I know I wrote interpretations for it. -Steve > > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > > index 1cc89e9..ffb9c9d 100644 > > --- a/include/linux/lsm_audit.h > > +++ b/include/linux/lsm_audit.h > > @@ -40,6 +40,11 @@ struct lsm_network_audit { > > > > } fam; > > > > }; > > > > +struct lsm_ioctlop_audit { > > + struct path path; > > + u16 cmd; > > +}; > > + > > > > /* Auxiliary data to use in generating the audit record. */ > > struct common_audit_data { > > > > char type; 
> > > > @@ -53,6 +58,7 @@ struct common_audit_data { > > > > #define LSM_AUDIT_DATA_KMOD 8 > > #define LSM_AUDIT_DATA_INODE 9 > > #define LSM_AUDIT_DATA_DENTRY 10 > > > > +#define LSM_AUDIT_DATA_IOCTL_OP 11 > > > > union { > > > > struct path path; > > struct dentry *dentry; > > > > @@ -68,6 +74,7 @@ struct common_audit_data { > > > > } key_struct; > > > > #endif > > > > char *kmod_name; > > > > + struct lsm_ioctlop_audit *op; > > > > } u; > > /* this union contains LSM specific data */ > > union { > > > > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > > index 69fdf3b..7147c17 100644 > > --- a/security/lsm_audit.c > > +++ b/security/lsm_audit.c > > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct > > audit_buffer > > *ab, } > > > > break; > > > > } > > > > + case LSM_AUDIT_DATA_IOCTL_OP: { > > + struct inode *inode; > > + > > + audit_log_d_path(ab, " path=", &a->u.op->path); > > + > > + inode = a->u.op->path.dentry->d_inode; > > + if (inode) { > > + audit_log_format(ab, " dev="); > > + audit_log_untrustedstring(ab, inode->i_sb->s_id); > > + audit_log_format(ab, " ino=%lu", inode->i_ino); > > + } > > + > > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd); > > + break; > > + } > > > > case LSM_AUDIT_DATA_DENTRY: { > > > > struct inode *inode; ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
From: Stephen Smalley @ 2015-05-20 20:22 UTC
To: Steve Grubb, linux-audit
Cc: Paul Moore, Jeff Vander Stoep, eparis, linux-security-module, james.l.morris, selinux, serge

On 05/20/2015 04:21 PM, Steve Grubb wrote:
> On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
>> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>>> Add information about ioctl calls to the LSM audit data. Log the
>>> file path and command number.
>>>
>>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
>>> ---
>>>
>>> include/linux/lsm_audit.h | 7 +++++++
>>> security/lsm_audit.c | 15 +++++++++++++++
>>> 2 files changed, 22 insertions(+)
>>
>> No real comment other than we should include the linux-audit list on this
>> patch (added to the To/CC line).
>>
>> From an audit perspective the only new field would be the ioctl number
>> which is represented by the "ioctlcmd" name. Does anyone in the audit space
>> have any strong feelings on this one way or another?
>
> Isn't that in arg1 already? I know I wrote interpretations for it.

Only with syscall audit, often not enabled. This is to capture the
information on AVC denials for an extension to SELinux to support ioctl
whitelisting.
* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
From: Steve Grubb @ 2015-05-20 20:39 UTC
To: Stephen Smalley
Cc: linux-audit, Paul Moore, Jeff Vander Stoep, eparis, linux-security-module, james.l.morris, selinux, serge

On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
> > On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> >> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> >>> Add information about ioctl calls to the LSM audit data. Log the
> >>> file path and command number.
> >>>
> >>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> >>> ---
> >>>
> >>> include/linux/lsm_audit.h | 7 +++++++
> >>> security/lsm_audit.c | 15 +++++++++++++++
> >>> 2 files changed, 22 insertions(+)
> >>
> >> No real comment other than we should include the linux-audit list on this
> >> patch (added to the To/CC line).
> >>
> >> From an audit perspective the only new field would be the ioctl number
> >> which is represented by the "ioctlcmd" name. Does anyone in the audit
> >> space have any strong feelings on this one way or another?
> >
> > Isn't that in arg1 already? I know I wrote interpretations for it.
>
> Only with syscall audit, often not enabled. This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.

OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.

-Steve
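The thread settles on `ioctlcmd` as the field name and on interpreting its value in userspace. The following is an added example, not code from this thread or from the kernel, showing what a consumer of such AVC records can recover from the 16-bit value the patch logs. It assumes the generic asm-generic ioctl command layout (8 bits nr, 8 bits type, 14 bits size, 2 bits direction; a few architectures use a different split), and the audit record it parses is constructed for illustration, not a captured log line.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed generic asm-generic/ioctl.h layout of a 32-bit ioctl command:
 *   bits  0..7  : nr   (command number within the driver)
 *   bits  8..15 : type (the driver's "magic" byte)
 *   bits 16..29 : size of the argument structure
 *   bits 30..31 : direction (0 none, 1 write, 2 read, 3 both)          */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)

struct ioc_fields {
    unsigned dir, size, type, nr;
};

/* Split a full command number into its four fields. */
struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.nr   = (cmd >> IOC_NRSHIFT)   & ((1u << IOC_NRBITS) - 1);
    f.type = (cmd >> IOC_TYPESHIFT) & ((1u << IOC_TYPEBITS) - 1);
    f.size = (cmd >> IOC_SIZESHIFT) & ((1u << IOC_SIZEBITS) - 1);
    f.dir  = (cmd >> IOC_DIRSHIFT)  & 3u;
    return f;
}

/* What a u16 ioctlcmd field retains of the full command: the low 16 bits,
 * i.e. type and nr only; size and direction are not recoverable from it. */
uint16_t ioc_to_ioctlcmd(uint32_t cmd)
{
    return (uint16_t)(cmd & 0xffffu);
}

/* Extract the hex value of the "ioctlcmd=" field from one audit record.
 * Accepts both bare hex and a 0x prefix. Returns 1 and stores the value on
 * success, 0 if the field is missing or malformed. */
int parse_ioctlcmd(const char *line, uint16_t *out)
{
    const char *p = strstr(line, " ioctlcmd=");
    if (!p)
        return 0;
    p += strlen(" ioctlcmd=");
    char *end;
    unsigned long v = strtoul(p, &end, 16);
    if (end == p || v > 0xffffu)
        return 0;
    *out = (uint16_t)v;
    return 1;
}

int main(void)
{
    /* Constructed AVC record in the shape the patch's fields would give;
     * the contexts, pid and inode number are made up. */
    static const char sample[] =
        "type=AVC msg=audit(1432151000.123:42): avc: denied { ioctl } for "
        "pid=1234 comm=\"demo\" path=\"/dev/tty0\" dev=\"devtmpfs\" ino=1034 "
        "ioctlcmd=5401 scontext=u:r:demo:s0 tcontext=u:object_r:tty_device:s0 "
        "tclass=chr_file permissive=0";
    uint16_t logged;

    if (parse_ioctlcmd(sample, &logged)) {
        struct ioc_fields f = ioc_decode(logged);
        printf("ioctlcmd=0x%04x -> type=0x%02x ('%c') nr=%u\n",
               logged, f.type, f.type, f.nr);
    }

    /* Two constructed commands with the same type/nr but different argument
     * sizes: both collapse to the same 16-bit ioctlcmd value. */
    uint32_t a = 0xC0104207u, b = 0xC0204207u;
    printf("0x%08x and 0x%08x both log as ioctlcmd=0x%04x\n",
           a, b, ioc_to_ioctlcmd(a));
    return 0;
}
```

The second pair of values is the practical consequence of the 16-bit field for anyone writing audit interpretations: the logged value identifies a driver and command number, but not which variant of the argument structure was used, so a lookup table keyed on `ioctlcmd` has to be built from type and nr alone.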