selinux: print leading 0x on ioctlcmd audits

Message ID	1468524562-30981-1-git-send-email-william.c.roberts@intel.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <selinux-bounces@tycho.nsa.gov> IronPort-PHdr: =?us-ascii?q?9a23=3A7gNHmhe+b66rNEiyeTarX1+QlGMj4u6mDksu8pMi?= =?us-ascii?q?zoh2WeGdxc+9Yx7h7PlgxGXEQZ/co6odzbGH6+a8AydZuMfJmUtBWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?= =?us-ascii?q?Ov7yUtaLyZ/mj6buodaKOlQArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?= =?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Loc7coIbYHWN+R9FOQZX3wbNXso7pjrqQXb?= =?us-ascii?q?H0zI/mEbV2gKkhdVGE7E6h/9RZr69Dfrvep6ni+RJsawSLEwHjGr7qNuQRmvjz?= =?us-ascii?q?8bNjk/6ybMh8hxir9L8y+nvAF1lovdYYWJM6hlc6fce84KAHBMR9tcTDBpHpK3?= =?us-ascii?q?b4xJCfEIe+lfsd7mulEMoBCiUBSqH/7l0TRSh3X7jpE9hv8sFQDAwRwIA8MFsH?= =?us-ascii?q?OSqs78cqgVT7Ob1q7NmCrCa/dX0DK7487SdRosu+2XdbN2bcfVj0IoElCWxm6M?= =?us-ascii?q?oJDoamvGnt8GtHKWuq85De8=3D?= IronPort-PHdr: =?us-ascii?q?9a23=3AnUMU0RHBn1atFatkeM72TZ1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ75osywAkXT6L1XgUPTWs2DsrQf2rKQ7/qrADVRqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i760zceF13FOBZv?= =?us-ascii?q?IaytQ8iJ3pzxi7r5osSCKyxzxxOFKYtoKxu3qQiD/uI3uqBFbpgL9x3Sv3FTcP?= =?us-ascii?q?5Xz247bXianhL7+9vitMU7q3cYk7sb+sVBSaT3ebgjBfwdVWx+cjN92Mq+rhTH?= =?us-ascii?q?TA2S9lMAQ24WlVxOGAGD4xbkDbnrtS6vqet53CiTOIv9C6ozUzm487xDSRn0hS?= =?us-ascii?q?NBPDk8ozKfsdB5kK8O+EHpnBd42YOBJdjNbPc=3D?= From: william.c.roberts@intel.com To: selinux@tycho.nsa.gov Subject: [PATCH] selinux: print leading 0x on ioctlcmd audits Date: Thu, 14 Jul 2016 12:29:22 -0700 Message-Id: <1468524562-30981-1-git-send-email-william.c.roberts@intel.com> Precedence: list Cc: seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Roberts, William C July 14, 2016, 7:29 p.m. UTC

From: William Roberts <william.c.roberts@intel.com>

ioctlcmd is currently printing hex numbers, but their is no leading
0x. Thus things like ioctlcmd=1234 are misleading, as the base is
not evident.

Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes ioctlcmd=0x1234.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 security/lsm_audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Paul Moore July 14, 2016, 10:17 p.m. UTC | #1

On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
> From: William Roberts <william.c.roberts@intel.com>
>
> ioctlcmd is currently printing hex numbers, but their is no leading
> 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> not evident.
>
> Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes ioctlcmd=0x1234.
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>
> ---
>  security/lsm_audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

NOTE: adding Steve Grubb and the audit mailing list to the CC line

Like it or not, I believe the general standard/convention when it
comes to things like this is to leave off the "0x" prefix; the idea
being that is saves precious space in the audit logs and the value is
only ever going to be in hex anyway.

> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index cccbf30..82e4dbb 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -257,7 +257,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
>                         audit_log_format(ab, " ino=%lu", inode->i_ino);
>                 }
>
> -               audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> +               audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
>                 break;
>         }
>         case LSM_AUDIT_DATA_DENTRY: {
> --
> 1.9.1
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

William Roberts July 14, 2016, 11:18 p.m. UTC | #2

On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <paul@paul-moore.com> wrote:

> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > ioctlcmd is currently printing hex numbers, but their is no leading
> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > not evident.
> >
> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> ioctlcmd=0x1234.
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> >  security/lsm_audit.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>
> Like it or not, I believe the general standard/convention when it
> comes to things like this is to leave off the "0x" prefix; the idea
> being that is saves precious space in the audit logs and the value is
> only ever going to be in hex anyway.
>

Is it always in hex, what about pid?


>
> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > index cccbf30..82e4dbb 100644
> > --- a/security/lsm_audit.c
> > +++ b/security/lsm_audit.c
> > @@ -257,7 +257,7 @@ static void dump_common_audit_data(struct
> audit_buffer *ab,
> >                         audit_log_format(ab, " ino=%lu", inode->i_ino);
> >                 }
> >
> > -               audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> > +               audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
> >                 break;
> >         }
> >         case LSM_AUDIT_DATA_DENTRY: {
> > --
> > 1.9.1
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>
> --
> paul moore
> www.paul-moore.com
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>

William Roberts July 14, 2016, 11:33 p.m. UTC | #3

On Thu, Jul 14, 2016 at 4:18 PM, William Roberts <bill.c.roberts@gmail.com>
wrote:

>
>
> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <paul@paul-moore.com> wrote:
>
>> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
>> > From: William Roberts <william.c.roberts@intel.com>
>> >
>> > ioctlcmd is currently printing hex numbers, but their is no leading
>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>> > not evident.
>> >
>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>> ioctlcmd=0x1234.
>> >
>> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>> > ---
>> >  security/lsm_audit.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>
>> Like it or not, I believe the general standard/convention when it
>> comes to things like this is to leave off the "0x" prefix; the idea
>> being that is saves precious space in the audit logs and the value is
>> only ever going to be in hex anyway.
>>
>
> Is it always in hex, what about pid?
>

Outside of escaped untrusted input, everything I see is printed in base10.
But if its convention that "you should just know", I am fine
with that too, its just that it wasn't self evident in the logs, and the
first time I encountered it their was no documentation or tooling
supporting it.


>
>>
>> > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
>> > index cccbf30..82e4dbb 100644
>> > --- a/security/lsm_audit.c
>> > +++ b/security/lsm_audit.c
>> > @@ -257,7 +257,7 @@ static void dump_common_audit_data(struct
>> audit_buffer *ab,
>> >                         audit_log_format(ab, " ino=%lu", inode->i_ino);
>> >                 }
>> >
>> > -               audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
>> > +               audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
>> >                 break;
>> >         }
>> >         case LSM_AUDIT_DATA_DENTRY: {
>> > --
>> > 1.9.1
>> >
>> > _______________________________________________
>> > Selinux mailing list
>> > Selinux@tycho.nsa.gov
>> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> > To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>> --
>> paul moore
>> www.paul-moore.com
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
>
>
>
> --
> Respectfully,
>
> William C Roberts
>
>

Paul Moore July 15, 2016, 6:19 p.m. UTC | #4

On Thu, Jul 14, 2016 at 7:33 PM, William Roberts
<bill.c.roberts@gmail.com> wrote:
> On Thu, Jul 14, 2016 at 4:18 PM, William Roberts wrote:
>> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore <paul@paul-moore.com> wrote:
>>> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
>>> > From: William Roberts <william.c.roberts@intel.com>
>>> >
>>> > ioctlcmd is currently printing hex numbers, but their is no leading
>>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>>> > not evident.
>>> >
>>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>>> > ioctlcmd=0x1234.
>>> >
>>> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>>> > ---
>>> >  security/lsm_audit.c | 2 +-
>>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>>
>>> Like it or not, I believe the general standard/convention when it
>>> comes to things like this is to leave off the "0x" prefix; the idea
>>> being that is saves precious space in the audit logs and the value is
>>> only ever going to be in hex anyway.
>>
>> Is it always in hex, what about pid?
>
> Outside of escaped untrusted input ...

That's what I've been working on the past few days and it colored my
view of things.  I tracked down Steve just now and it looks like the
preference *is* to have a "0x" prefix, my apologies for the confusion.
I'll add this to the SELinux next queue.

Steve Grubb July 15, 2016, 6:54 p.m. UTC | #5

On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
> Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
> From:	Paul Moore <paul@paul-moore.com>
> To:	william.c.roberts@intel.com
> CC:	selinux@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, Stephen Smalley
> <sds@tycho.nsa.gov>, Me, linux-audit@redhat.com Date:	Yesterday 6:17 PM
> 
> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
> > From: William Roberts <william.c.roberts@intel.com>
> > 
> > ioctlcmd is currently printing hex numbers, but their is no leading
> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > not evident.
> > 
> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> > ioctlcmd=0x1234.
> > 
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> > security/lsm_audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> NOTE: adding Steve Grubb and the audit mailing list to the CC line
> 
> Like it or not, I believe the general standard/convention when it
> comes to things like this is to leave off the "0x" prefix; the idea
> being that is saves precious space in the audit logs and the value is
> only ever going to be in hex anyway.

We normally like the 0x prefix on anything that is hex so that stroul can figure 
it out itself. And since AVC's should in theory be rare or occassional, log 
space is not a concern.

That said, what is this ioctlcmd field name? Is this the ioctl number? As in 
syscall arg a1? If so, it should be hooked up to the interpretation for that.

Also, we have a field dictionary with some basic info about each field used in 
audit events:

http://people.redhat.com/sgrubb/audit/field-dictionary.txt

This is important so that people don't make up new ones that do the same 
thing. The ioctlcmd field name should be recorded. Are there more that need 
documenting?

-Steve

Paul Moore July 15, 2016, 7:02 p.m. UTC | #6

On Fri, Jul 15, 2016 at 2:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
>> Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
>> From: Paul Moore <paul@paul-moore.com>
>> To:   william.c.roberts@intel.com
>> CC:   selinux@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, Stephen Smalley
>> <sds@tycho.nsa.gov>, Me, linux-audit@redhat.com Date: Yesterday 6:17 PM
>>
>> On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
>> > From: William Roberts <william.c.roberts@intel.com>
>> >
>> > ioctlcmd is currently printing hex numbers, but their is no leading
>> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
>> > not evident.
>> >
>> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
>> > ioctlcmd=0x1234.
>> >
>> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>> > ---
>> > security/lsm_audit.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> NOTE: adding Steve Grubb and the audit mailing list to the CC line
>>
>> Like it or not, I believe the general standard/convention when it
>> comes to things like this is to leave off the "0x" prefix; the idea
>> being that is saves precious space in the audit logs and the value is
>> only ever going to be in hex anyway.
>
> We normally like the 0x prefix on anything that is hex so that stroul can figure
> it out itself. And since AVC's should in theory be rare or occassional, log
> space is not a concern.
>
> That said, what is this ioctlcmd field name? Is this the ioctl number? As in
> syscall arg a1? If so, it should be hooked up to the interpretation for that.
>
> Also, we have a field dictionary with some basic info about each field used in
> audit events:
>
> http://people.redhat.com/sgrubb/audit/field-dictionary.txt

Correction, that file now lives at the link below, the file on Steve's
people page is deprecated.

https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

> This is important so that people don't make up new ones that do the same
> thing. The ioctlcmd field name should be recorded. Are there more that need
> documenting?

Steve/William, one of you want to send a patch/PR for the field dictionary?

Roberts, William C July 15, 2016, 7:31 p.m. UTC | #7

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, July 15, 2016 11:54 AM
> To: Paul Moore <paul@paul-moore.com>
> Cc: Roberts, William C <william.c.roberts@intel.com>; selinux@tycho.nsa.gov;
> seandroid-list@tycho.nsa.gov; Stephen Smalley <sds@tycho.nsa.gov>; linux-
> audit@redhat.com
> Subject: Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
> 
> On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote:
> > Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
> > From:	Paul Moore <paul@paul-moore.com>
> > To:	william.c.roberts@intel.com
> > CC:	selinux@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, Stephen Smalley
> > <sds@tycho.nsa.gov>, Me, linux-audit@redhat.com Date:	Yesterday 6:17
> PM
> >
> > On Thu, Jul 14, 2016 at 3:29 PM,  <william.c.roberts@intel.com> wrote:
> > > From: William Roberts <william.c.roberts@intel.com>
> > >
> > > ioctlcmd is currently printing hex numbers, but their is no leading
> > > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > > not evident.
> > >
> > > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> > > ioctlcmd=0x1234.
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > > ---
> > > security/lsm_audit.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > NOTE: adding Steve Grubb and the audit mailing list to the CC line
> >
> > Like it or not, I believe the general standard/convention when it
> > comes to things like this is to leave off the "0x" prefix; the idea
> > being that is saves precious space in the audit logs and the value is
> > only ever going to be in hex anyway.
> 
> We normally like the 0x prefix on anything that is hex so that stroul can figure it
> out itself. And since AVC's should in theory be rare or occassional, log space is not
> a concern.

Does this mean then the patch will be applied?

> 
> That said, what is this ioctlcmd field name? Is this the ioctl number? As in syscall
> arg a1? If so, it should be hooked up to the interpretation for that.
> 
> Also, we have a field dictionary with some basic info about each field used in
> audit events:
> 
> http://people.redhat.com/sgrubb/audit/field-dictionary.txt
> 
> This is important so that people don't make up new ones that do the same thing.
> The ioctlcmd field name should be recorded. Are there more that need
> documenting?
> 
> -Steve

Roberts, William C July 15, 2016, 7:33 p.m. UTC | #8

<snip>
> > This is important so that people don't make up new ones that do the
> > same thing. The ioctlcmd field name should be recorded. Are there more
> > that need documenting?
> 
> Steve/William, one of you want to send a patch/PR for the field dictionary?

I'll send it over.

Paul Moore July 15, 2016, 7:35 p.m. UTC | #9

On Fri, Jul 15, 2016 at 3:31 PM, Roberts, William C
<william.c.roberts@intel.com> wrote:
> Does this mean then the patch will be applied?

As I mentioned earlier, I added it to the SELinux next queue, as soon
as the merge window closes (approx two weeks from this weekend) I will
rotate the patch into the SELinux next branch.

Steve Grubb July 15, 2016, 7:41 p.m. UTC | #10

On Friday, July 15, 2016 7:33:09 PM EDT Roberts, William C wrote:
> <snip>
> 
> > > This is important so that people don't make up new ones that do the
> > > same thing. The ioctlcmd field name should be recorded. Are there more
> > > that need documenting?
> > 
> > Steve/William, one of you want to send a patch/PR for the field
> > dictionary?
> 
> I'll send it over.

I also asked some other questions.  Is this the ioctl number? As in syscall 
arg a1? I need to know if its the same thing so that I can hook up its 
translation if so.

Thanks,
-Steve

Roberts, William C July 15, 2016, 7:49 p.m. UTC | #11

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Friday, July 15, 2016 12:42 PM
> To: Roberts, William C <william.c.roberts@intel.com>
> Cc: Paul Moore <pmoore@redhat.com>; William Roberts
> <bill.c.roberts@gmail.com>; seandroid-list@tycho.nsa.gov;
> selinux@tycho.nsa.gov; linux-audit@redhat.com
> Subject: Re: [PATCH] selinux: print leading 0x on ioctlcmd audits
> 
> On Friday, July 15, 2016 7:33:09 PM EDT Roberts, William C wrote:
> > <snip>
> >
> > > > This is important so that people don't make up new ones that do
> > > > the same thing. The ioctlcmd field name should be recorded. Are
> > > > there more that need documenting?
> > >
> > > Steve/William, one of you want to send a patch/PR for the field
> > > dictionary?
> >
> > I'll send it over.
> 
> I also asked some other questions.  Is this the ioctl number? As in syscall arg a1? I
> need to know if its the same thing so that I can hook up its translation if so.

Yes, per man ioctl, it's the "request number".  Assuming a0 is the file descriptor, then a1 is the
Ioctlcmd value.


> 
> Thanks,
> -Steve

Steve Grubb July 15, 2016, 8:12 p.m. UTC | #12

On Friday, July 15, 2016 7:49:22 PM EDT Roberts, William C wrote:
> > I also asked some other questions.  Is this the ioctl number? As in
> > syscall arg a1? I need to know if its the same thing so that I can hook
> > up its translation if so.
>
> Yes, per man ioctl, it's the "request number".  Assuming a0 is the file
> descriptor, then a1 is the Ioctlcmd value.

OK, great. I hooked this field up to the translator so that the ioctl name can 
be printed (if known).

Thanks,
-Steve

selinux: print leading 0x on ioctlcmd audits

Commit Message

Comments

Patch