Re: [Linux-ima-user] integrity: Add fowner field into integrity_audit_msg output.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Mikhail,

On Mon, 2016-12-12 at 19:50 +0300, Mikhail Kurinnoi wrote:
> since we have "fowner=" option, is it possible add fowner into
> integrity_audit_msg output too? I found this useful in my case.

I don't have a problem with including additional audit information in
the logs.  As long as we're making changes, are there any other changes
needed?   Perhaps an indication as to whether the audit info is from the
init_user_ns?

Samples of format changes need to be sent to the audit mailing as well.

Mimi

> I mean something like this:
> 
> 
> --- a/security/integrity/integrity_audit.c.orig	2016-12-12 19:41:45.885938794 +0300
> +++ b/security/integrity/integrity_audit.c	2016-12-03 17:29:47.104503180 +0300
> @@ -56,6 +56,7 @@ void integrity_audit_msg(int audit_msgno
>  		audit_log_untrustedstring(ab, fname);
>  	}
>  	if (inode) {
> +		audit_log_format(ab, " fowner=%u", __kuid_val(inode->i_uid));
>  		audit_log_format(ab, " dev=");
>  		audit_log_untrustedstring(ab, inode->i_sb->s_id);
>  		audit_log_format(ab, " ino=%lu", inode->i_ino);
> 
> 