On Wednesday, May 20, 2015 04:22:24 PM Stephen Smalley wrote:
> On 05/20/2015 04:21 PM, Steve Grubb wrote:
>> On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
>>> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>>>> Add information about ioctl calls to the LSM audit data. Log the
>>>> file path and command number.
>>>>
>>>> Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com>
>>>> ---
>>>>
>>>> include/linux/lsm_audit.h | 7 +++++++
>>>> security/lsm_audit.c | 15 +++++++++++++++
>>>> 2 files changed, 22 insertions(+)
>>>
>>> No real comment other than we should include the linux-audit list on this
>>> patch (added to the To/CC line).
>>>
>>> From an audit perspective the only new field would be the ioctl number
>>> which is represented by the "ioctlcmd" name. Does anyone in the audit
>>> space have any strong feelings on this one way or another?
>>
>> Isn't that in arg1 already? I know I wrote interpretations for it.
>
> Only with syscall audit, often not enabled. This is to capture the
> information on AVC denials for an extension to SELinux to support ioctl
> whitelisting.

OK. ioctlcmd is fine. I'll add it to the lookup table to interpret the value.
-Steve
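
The thread's point is that the ioctl command number becomes available on the AVC denial itself, without syscall auditing. As an added example (not code from the patch or from the audit userspace), the following groups denied ioctl commands per source context, target context and class, which is the input a reviewer needs when drafting an ioctl whitelist. The sample records are constructed, and the hex form of the `ioctlcmd` value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the thread. Field layout follows the
# usual SELinux AVC message; ioctlcmd as hex (with or without 0x) is an assumption.
SAMPLE_LOG = """\
type=AVC msg=audit(1432153344.101:210): avc:  denied  { ioctl } for  pid=812 comm="demo" path="socket:[9123]" dev="sockfs" ino=9123 ioctlcmd=0x8927 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:system_r:demo_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1432153344.102:211): avc:  denied  { ioctl } for  pid=812 comm="demo" path="/dev/tty1" dev="devtmpfs" ino=1042 ioctlcmd=0x5401 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1432153344.103:212): avc:  denied  { ioctl } for  pid=812 comm="demo" path="socket:[9123]" dev="sockfs" ino=9123 ioctlcmd=8933 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:system_r:demo_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1432153344.104:213): avc:  denied  { read } for  pid=812 comm="demo" path="/etc/demo.conf" dev="sda1" ino=77 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1432153344.105:214): avc:  denied  { ioctl } for  pid=812 comm="demo" path="socket:[9123]" dev="sockfs" ino=9123 ioctlcmd=zz scontext=system_u:system_r:demo_t:s0 tcontext=system_u:system_r:demo_t:s0 tclass=udp_socket permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None for other records."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields

def decode_ioctlcmd(text):
    """Parse the hex command; split its low 16 bits per the Linux _IOC layout."""
    cmd = int(text, 16)  # accepts both "0x8927" and "8927"
    return {"cmd": cmd, "type": (cmd >> 8) & 0xFF, "nr": cmd & 0xFF}

def ioctl_denials(log):
    """Map (scontext, tcontext, tclass) to the sorted ioctl commands that were denied."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or "ioctl" not in rec["perms"] or "ioctlcmd" not in rec:
            continue  # not an ioctl denial, or no command number logged
        try:
            cmd = decode_ioctlcmd(rec["ioctlcmd"])["cmd"]
        except ValueError:
            continue  # value is not hex; skip rather than guess
        seen[(rec["scontext"], rec["tcontext"], rec["tclass"])].add(cmd)
    return {key: sorted(cmds) for key, cmds in seen.items()}

if __name__ == "__main__":
    for key, cmds in ioctl_denials(SAMPLE_LOG).items():
        print(key, [hex(c) for c in cmds])
```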