-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, July 15, 2016 11:54 AM
To: Paul Moore <paul(a)paul-moore.com>
Cc: Roberts, William C <william.c.roberts(a)intel.com>; selinux(a)tycho.nsa.gov;
seandroid-list(a)tycho.nsa.gov; Stephen Smalley <sds(a)tycho.nsa.gov>; linux-audit(a)redhat.com
Subject: Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
>
> On Thu, Jul 14, 2016 at 3:29 PM, <william.c.roberts(a)intel.com> wrote:
> > From: William Roberts <william.c.roberts(a)intel.com>
> >
> > ioctlcmd is currently printing hex numbers, but there is no leading
> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > not evident.
> >
> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> > ioctlcmd=0x1234.
> >
> > Signed-off-by: William Roberts <william.c.roberts(a)intel.com>
> > ---
> > security/lsm_audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>
> Like it or not, I believe the general standard/convention when it
> comes to things like this is to leave off the "0x" prefix; the idea
> being that it saves precious space in the audit logs and the value is
> only ever going to be in hex anyway.
We normally like the 0x prefix on anything that is hex so that strtoul can figure it
out itself. And since AVCs should in theory be rare or occasional, log space is not
a concern.
Does this mean, then, that the patch will be applied?
That said, what is this ioctlcmd field name? Is this the ioctl number? As in syscall
arg a1? If so, it should be hooked up to the interpretation for that.
Also, we have a field dictionary with some basic info about each field used in
audit events:
http://people.redhat.com/sgrubb/audit/field-dictionary.txt
This is important so that people don't make up new ones that do the same thing.
The ioctlcmd field name should be recorded. Are there more that need
documenting?
-Steve
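The base-detection point above, as an added example that is not part of this thread, the SELinux patch, or the audit userspace: a small C parser that pulls the ioctlcmd field out of constructed AVC records and reads it the way a generic tool would, with strtoul and base 0. The record strings, the find_field/parse_autobase/parse_hex helpers and the field names are all assumptions made for illustration; only the strtoul behaviour is standard C.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed AVC records (not real log output). The same ioctl command
 * number is logged three ways: without a prefix, with the 0x prefix the
 * patch proposes, and without a prefix but containing hex letters. */
const char *REC_BARE =
    "type=AVC msg=audit(1468600000.000:42): avc:  denied  { ioctl } for  pid=1000 "
    "comm=\"app\" path=\"/dev/example\" dev=\"tmpfs\" ino=9 ioctlcmd=1234 "
    "scontext=u:r:app:s0 tcontext=u:object_r:example_device:s0 tclass=chr_file permissive=0";
const char *REC_PREFIXED =
    "type=AVC msg=audit(1468600000.000:43): avc:  denied  { ioctl } for  pid=1000 "
    "comm=\"app\" path=\"/dev/example\" dev=\"tmpfs\" ino=9 ioctlcmd=0x1234 "
    "scontext=u:r:app:s0 tcontext=u:object_r:example_device:s0 tclass=chr_file permissive=0";
const char *REC_BARE_LETTERS =
    "type=AVC msg=audit(1468600000.000:44): avc:  denied  { ioctl } for  pid=1000 "
    "comm=\"app\" path=\"/dev/example\" dev=\"tmpfs\" ino=9 ioctlcmd=89ab "
    "scontext=u:r:app:s0 tcontext=u:object_r:example_device:s0 tclass=chr_file permissive=0";

/* Result of parsing one key=value field. ok is 0 when the field is missing
 * or when the number did not run up to the next space/end of record, i.e.
 * strtoul silently stopped part way through the value. */
struct field_val {
    unsigned long value;
    int ok;
};

/* Find "name=" as a whole key (start of record or after a space) and return
 * a pointer to its value, or NULL if absent. Hypothetical helper. */
static const char *find_field(const char *rec, const char *name)
{
    size_t n = strlen(name);
    const char *p = rec;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[n] == '=')
            return p + n + 1;
        p += n;
    }
    return NULL;
}

/* Shared tail: run strtoul with the given base and check that the whole
 * value was consumed. */
static struct field_val parse_with_base(const char *rec, const char *name, int base)
{
    struct field_val r = {0, 0};
    const char *v = find_field(rec, name);
    char *end;
    if (!v)
        return r;
    errno = 0;
    r.value = strtoul(v, &end, base);
    r.ok = (errno == 0 && end != v &&
            (*end == '\0' || *end == ' ' || *end == '\n'));
    return r;
}

/* How a generic consumer reads the field: base 0 lets strtoul pick the base
 * itself from the prefix ("0x" hex, leading "0" octal, otherwise decimal). */
struct field_val parse_autobase(const char *rec, const char *name)
{
    return parse_with_base(rec, name, 0);
}

/* How a consumer that already knows the field is hex reads it: base 16
 * accepts the value with or without the 0x prefix. */
struct field_val parse_hex(const char *rec, const char *name)
{
    return parse_with_base(rec, name, 16);
}

static void show(const char *label, const char *rec)
{
    struct field_val a = parse_autobase(rec, "ioctlcmd");
    struct field_val h = parse_hex(rec, "ioctlcmd");
    printf("%-12s base 0 -> %lu (0x%lx)%s   base 16 -> 0x%lx\n", label,
           a.value, a.value, a.ok ? "" : " [value only partly consumed]", h.value);
}

int main(void)
{
    show("bare", REC_BARE);            /* base 0 misreads 1234 as decimal 1234 */
    show("prefixed", REC_PREFIXED);    /* base 0 and base 16 agree on 0x1234 */
    show("bare+letters", REC_BARE_LETTERS); /* base 0 stops at 'a' and returns 89 */
    return 0;
}
```

Without the prefix, base-0 parsing reads ioctlcmd=1234 as decimal 1234 rather than 0x1234, and a value such as 89ab is cut off at the first letter with no error, so any tool that does not already know the field is hex gets a wrong number. Note that base 0 also treats a leading 0 as octal, so a bare value like 0123 would be read as 83; the 0x prefix removes all three ambiguities.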