Add LSM_AUDIT_DATA_SOCKET type to log socket-related data in audit_log_lsm_data(). This may be useful (for example) to log socket creation denials.
Signed-off-by: Mikhail Ivanov
---
 include/linux/lsm_audit.h | 8 ++++++++
 security/lsm_audit.c | 4 ++++
 2 files changed, 12 insertions(+)
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 382c56a97bba..7c7617df41b5 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -57,6 +57,12 @@ struct lsm_ibendport_audit {
 u8 port;
 };
+struct lsm_socket_audit {
+ s32 family;
+ s32 type;
+ s32 protocol;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
 char type;
@@ -78,6 +84,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_NOTIFICATION 16
 #define LSM_AUDIT_DATA_ANONINODE 17
 #define LSM_AUDIT_DATA_NLMSGTYPE 18
+#define LSM_AUDIT_DATA_SOCKET 19
 union {
 struct path path;
 struct dentry *dentry;
@@ -97,6 +104,7 @@ struct common_audit_data {
 struct file *file;
 struct lsm_ibpkey_audit *ibpkey;
 struct lsm_ibendport_audit *ibendport;
+ struct lsm_socket_audit *socket;
 int reason;
 const char *anonclass;
 u16 nlmsg_type;
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 7d623b00495c..7e18241290ce 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -403,6 +403,10 @@ void audit_log_lsm_data(struct audit_buffer *ab,
 case LSM_AUDIT_DATA_NLMSGTYPE:
 audit_log_format(ab, " nl-msgtype=%hu", a->u.nlmsg_type);
 break;
+ case LSM_AUDIT_DATA_SOCKET:
+ audit_log_format(ab, " family=%d sock_type=%d protocol=%d",
+ a->u.socket->family, a->u.socket->type, a->u.socket->protocol);
+ break;
 } /* switch (a->type) */
 }
--
2.34.1
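Review bot: `struct lsm_socket_audit` in the first lsm_audit.h hunk is added with no comment saying what its three fields hold or who fills them in, and no caller in this patch sets them. I would add a short comment above the struct, for example `/* Socket family/type/protocol to log for LSM_AUDIT_DATA_SOCKET; filled in by the calling LSM. */`. The third hunk stores it in the union as a pointer (`struct lsm_socket_audit *socket;`), so the caller's object presumably has to stay valid until the audit record has been formatted; that is worth stating next to the member too. The definition of struct common_audit_data starts and ends outside these hunks.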
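Review bot: The new `case LSM_AUDIT_DATA_SOCKET:` in security/lsm_audit.c dereferences `a->u.socket` three times without a NULL check, so a caller that sets the type but leaves the union member unset would fault inside the audit path. Either guard it with `if (!a->u.socket) break;` before the `audit_log_format()` call, or document on the union member that it must be non-NULL for this type. No caller is visible in this patch, so which of the two fits cannot be judged from here. The field names `family`, `sock_type` and `protocol` become part of the record text that log parsers and detection rules match on, so it is worth confirming they agree with the names already used for the same data in other audit records. audit_log_lsm_data() starts before this hunk.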