* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
       [not found] <1428616171-14767-1-git-send-email-jeffv@google.com>
@ 2015-05-20 20:06 ` Paul Moore
  2015-05-20 20:21   ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2015-05-20 20:06 UTC (permalink / raw)
  To: Jeff Vander Stoep, sds, linux-audit
  Cc: selinux, linux-security-module, eparis, serge, james.l.morris

On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> ---
>  include/linux/lsm_audit.h |  7 +++++++
>  security/lsm_audit.c      | 15 +++++++++++++++
>  2 files changed, 22 insertions(+)

No real comment other than we should include the linux-audit list on this 
patch (added to the To/CC line).

From an audit perspective the only new field would be the ioctl number which 
is represented by the "ioctlcmd" name.  Does anyone in the audit space have 
any strong feelings on this one way or another?

> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
>  	} fam;
>  };
> 
> +struct lsm_ioctlop_audit {
> +	struct path path;
> +	u16 cmd;
> +};
> +
>  /* Auxiliary data to use in generating the audit record. */
>  struct common_audit_data {
>  	char type;
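Review bot: `u16 cmd` in struct lsm_ioctlop_audit keeps only the low 16 bits of an ioctl request. The request argument to ioctl(2) is an unsigned int whose _IOC encoding puts the command number in bits 0-7, the type byte in bits 8-15, and the argument size and direction bits above bit 16, so two commands that differ only in their size or direction bits produce the same logged ioctlcmd. If the 16-bit width is deliberate for the SELinux extension this series feeds, a comment on the field saying so would save the next reader the question; otherwise make it an unsigned int and log the full value.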
> @@ -53,6 +58,7 @@ struct common_audit_data {
>  #define LSM_AUDIT_DATA_KMOD	8
>  #define LSM_AUDIT_DATA_INODE	9
>  #define LSM_AUDIT_DATA_DENTRY	10
> +#define LSM_AUDIT_DATA_IOCTL_OP	11
>  	union 	{
>  		struct path path;
>  		struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
>  		} key_struct;
>  #endif
>  		char *kmod_name;
> +		struct lsm_ioctlop_audit *op;
>  	} u;
>  	/* this union contains LSM specific data */
>  	union {
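Review bot: the new union member is a pointer (`struct lsm_ioctlop_audit *op;`) rather than an embedded struct, unlike the `struct path path;` member in the same union, so whoever fills common_audit_data must keep the lsm_ioctlop_audit object alive until the audit callback has run. A short comment at the member, or a more specific name such as `ioctl_op`, would make that contract and the member's purpose clearer than the generic `op`.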
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer
> *ab, }
>  		break;
>  	}
> +	case LSM_AUDIT_DATA_IOCTL_OP: {
> +		struct inode *inode;
> +
> +		audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> +		inode = a->u.op->path.dentry->d_inode;
> +		if (inode) {
> +			audit_log_format(ab, " dev=");
> +			audit_log_untrustedstring(ab, inode->i_sb->s_id);
> +			audit_log_format(ab, " ino=%lu", inode->i_ino);
> +		}
> +
> +		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> +		break;
> +	}
>  	case LSM_AUDIT_DATA_DENTRY: {
>  		struct inode *inode;
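Review bot: the `%hx` format in `audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);` is tied to the `u16` width of the field; if the field is later widened, the format must change with it or the record silently truncates the value again, so it is worth a comment at the call site. The LSM_AUDIT_DATA_DENTRY case that follows begins the same way (`struct inode *inode;`), which makes the `dev=`/`ino=` pair a candidate for a small static helper shared by both cases instead of another copy. The `if (inode)` guard is correct, since the dentry may carry no inode.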

-- 
paul moore
www.paul-moore.com


* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
  2015-05-20 20:06 ` [PATCH 1/2] security: lsm_audit: add ioctl specific auditing Paul Moore
@ 2015-05-20 20:21   ` Steve Grubb
  2015-05-20 20:22     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2015-05-20 20:21 UTC (permalink / raw)
  To: linux-audit
  Cc: Paul Moore, Jeff Vander Stoep, sds, eparis, linux-security-module,
	james.l.morris, selinux, serge

On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> > Add information about ioctl calls to the LSM audit data. Log the
> > file path and command number.
> > 
> > Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> > ---
> > 
> >  include/linux/lsm_audit.h |  7 +++++++
> >  security/lsm_audit.c      | 15 +++++++++++++++
> >  2 files changed, 22 insertions(+)
> 
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
> 
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name.  Does anyone in the audit space
> have any strong feelings on this one way or another?

Isn't that in arg1 already? I know I wrote interpretations for it.

-Steve


* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
  2015-05-20 20:21   ` Steve Grubb
@ 2015-05-20 20:22     ` Stephen Smalley
  2015-05-20 20:39       ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2015-05-20 20:22 UTC (permalink / raw)
  To: Steve Grubb, linux-audit
  Cc: Paul Moore, Jeff Vander Stoep, eparis, linux-security-module,
	james.l.morris, selinux, serge

On 05/20/2015 04:21 PM, Steve Grubb wrote:
> On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
>> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>>> Add information about ioctl calls to the LSM audit data. Log the
>>> file path and command number.
>>>
>>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
>>> ---
>>>
>>>  include/linux/lsm_audit.h |  7 +++++++
>>>  security/lsm_audit.c      | 15 +++++++++++++++
>>>  2 files changed, 22 insertions(+)
>>
>> No real comment other than we should include the linux-audit list on this
>> patch (added to the To/CC line).
>>
>> From an audit perspective the only new field would be the ioctl number
>> which is represented by the "ioctlcmd" name.  Does anyone in the audit space
>> have any strong feelings on this one way or another?
> 
> Isn't that in arg1 already? I know I wrote interpretations for it.

Only with syscall audit, often not enabled.  This is to capture the
information on AVC denials for an extension to SELinux to support ioctl
whitelisting.



* Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
  2015-05-20 20:22     ` Stephen Smalley
@ 2015-05-20 20:39       ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2015-05-20 20:39 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: linux-audit, Paul Moore, Jeff Vander Stoep, eparis,
	linux-security-module, james.l.morris, selinux, serge

On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
> > On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> >> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> >>> Add information about ioctl calls to the LSM audit data. Log the
> >>> file path and command number.
> >>> 
> >>> Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
> >>> ---
> >>> 
> >>>  include/linux/lsm_audit.h |  7 +++++++
> >>>  security/lsm_audit.c      | 15 +++++++++++++++
> >>>  2 files changed, 22 insertions(+)
> >> 
> >> No real comment other than we should include the linux-audit list on this
> >> patch (added to the To/CC line).
> >> 
> >> From an audit perspective the only new field would be the ioctl number
> >> which is represented by the "ioctlcmd" name.  Does anyone in the audit
> >> space have any strong feelings on this one way or another?
> > 
> > Isn't that in arg1 already? I know I wrote interpretations for it.
> 
> Only with syscall audit, often not enabled.  This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.

OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.

-Steve
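
The point Stephen and Steve make above, that the `ioctlcmd` field lets an AVC denial be interpreted without syscall auditing (where `a1` would otherwise carry the request) and that the value needs a lookup table on the userspace side, as an added example that is not part of this thread or of the kernel patch: a small Python parser over a constructed AVC record. It assumes a record laid out as the patch emits it (`path=`, `dev=`, `ino=`, then `ioctlcmd=`), uses two terminal ioctl numbers from <asm-generic/ioctls.h> as an illustrative lookup table, and decodes the 16-bit value into its _IOC type byte and command number; the sample line and the function names are constructed for the example.

```python
import re

# Constructed sample record (not taken from the thread): an AVC denial for an
# ioctl, with the path=/dev=/ino=/ioctlcmd= fields in the order the patch emits.
SAMPLE_AVC = (
    'type=AVC msg=audit(1432152000.123:456): avc:  denied  { ioctl } for  '
    'pid=1234 comm="example" path="/dev/ttyS0" dev="devtmpfs" ino=99 '
    'ioctlcmd=5401 scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0'
)

# Illustrative lookup table (assumption: a two-entry subset of the terminal
# ioctls from <asm-generic/ioctls.h>; a real interpreter carries a full table).
IOCTL_NAMES = {
    0x5401: "TCGETS",
    0x5413: "TIOCGWINSZ",
}

# key=value, where a value is either a double-quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_fields(line):
    """Split an AVC record into key/value pairs, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def decode_ioctlcmd(hex_text):
    """Decode the 16-bit ioctlcmd value as logged by the patch.

    Bits 8-15 are the _IOC type byte and bits 0-7 the command number.  A full
    ioctl request also carries size and direction bits above bit 16; those are
    not present in this field, so they cannot be recovered here.
    """
    value = int(hex_text, 16) & 0xFFFF
    type_byte = (value >> 8) & 0xFF
    return {
        "value": value,
        "type_char": chr(type_byte) if 0x20 <= type_byte < 0x7F else None,
        "nr": value & 0xFF,
        "name": IOCTL_NAMES.get(value),
    }


def interpret_avc(line):
    """Return the fields a defender wants from an ioctl AVC denial.

    Returns None for records that carry no ioctlcmd field (denials for other
    permissions, or records produced by a kernel without this patch).
    """
    fields = parse_avc_fields(line)
    if "ioctlcmd" not in fields:
        return None
    decoded = decode_ioctlcmd(fields["ioctlcmd"])
    return {
        "path": fields.get("path"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "tclass": fields.get("tclass"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        **decoded,
    }


if __name__ == "__main__":
    print(interpret_avc(SAMPLE_AVC))
```

Because the field is only 16 bits wide, any interpretation table keyed on it must be keyed on the low 16 bits of the kernel's command number, not on the full `_IOC` value; two requests that differ only in size or direction collapse to one entry.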
