On 05/20/2015 04:21 PM, Steve Grubb wrote:
On Wednesday, May 20, 2015 04:06:55 PM Paul Moore wrote:
> On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
>> Add information about ioctl calls to the LSM audit data. Log the
>> file path and command number.
>>
>> Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com>
>> ---
>>
>> include/linux/lsm_audit.h | 7 +++++++
>> security/lsm_audit.c | 15 +++++++++++++++
>> 2 files changed, 22 insertions(+)
>
> No real comment other than we should include the linux-audit list on this
> patch (added to the To/CC line).
>
> From an audit perspective the only new field would be the ioctl number
> which is represented by the "ioctlcmd" name. Does anyone in the audit space
> have any strong feelings on this one way or another?

Isn't that in arg1 already? I know I wrote interpretations for it.

Only with syscall audit, often not enabled. This is to capture the
information on AVC denials for an extension to SELinux to support ioctl
whitelisting.