Linux Kernel Architecture


Chapter 19: Auditing


    } else {
        audited = requested;
        if (!(audited & avd->auditallow))
            return;
    }
    ...

If an audit message needs to be created, the basic information (granting or denial, the access vector in
question, and the task’s PID) is generated as follows:

security/selinux/avc.c
    ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC);
    if (!ab)
        return; /* audit_panic has been called */
    audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
    avc_dump_av(ab, tclass, audited);
    audit_log_format(ab, " for ");
    if (a && a->tsk)
        tsk = a->tsk;
    if (tsk && tsk->pid) {
        audit_log_format(ab, " pid=%d comm=", tsk->pid);
        audit_log_untrustedstring(ab, tsk->comm);
    }
    ...

avc_dump_av is used to display an access vector in human-readable form (this is a purely cosmetic
conversion). If auxiliary data are associated with the query, they are also put into the audit record.
Afterwards the record can be closed.

security/selinux/avc.c
    if (a) {
        switch (a->type) {
        case AVC_AUDIT_DATA_IPC:
            audit_log_format(ab, " key=%d", a->u.ipc_id);
            break;
        case AVC_AUDIT_DATA_CAP:
            audit_log_format(ab, " capability=%d", a->u.cap);
            break;
        ...
        case AVC_AUDIT_DATA_NET:
            /* Audit networking related information */
            ...
        }
    }
    audit_log_format(ab, " ");
    avc_dump_query(ab, ssid, tsid, tclass);
    audit_log_end(ab);
}
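The two excerpts above show the auditallow/auditdeny decision and the layout of the resulting AVC record, but they cannot be compiled outside the kernel. The following added example, which is not from the book or from the kernel sources, models both in ordinary user-space C so the behaviour can be observed on constructed input: a decision routine with the same branch structure as avc_audit, a cosmetic access-vector dump like avc_dump_av, and a record builder that appends the verdict, the vector, the task, optional auxiliary data and the query. The struct fields, permission bits, function names (avc_should_audit, format_avc_record, append_untrusted) and all sample contexts are constructed for the example. Two assumptions are labelled in the comments: that avc_dump_query emits the familiar scontext/tcontext/tclass triple, and that comm is quoted when it is entirely printable and hex-encoded otherwise, following the convention of audit_log_untrustedstring.

```c
/* Added example: a user-space model (not kernel code) of the avc_audit()
 * decision and record layout excerpted on this page. Every struct, bit
 * value, function name and sample string below is constructed. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t av_t;                  /* access vector: one bit per permission */

/* Permission bits of a hypothetical "file" class (constructed values). */
#define PERM_READ   (1u << 0)
#define PERM_WRITE  (1u << 1)
#define PERM_EXEC   (1u << 2)

/* The three struct av_decision fields that avc_audit() consults. */
struct av_decision {
    av_t allowed;      /* permissions the policy grants */
    av_t auditallow;   /* granted permissions that are logged anyway */
    av_t auditdeny;    /* denied permissions that are logged (default: all) */
};

/* Same branch structure as avc_audit(): a denial is logged unless masked
 * out by auditdeny; a grant is logged only if it intersects auditallow.
 * Returns true when a record must be written and reports what to log. */
bool avc_should_audit(av_t requested, const struct av_decision *avd,
                      av_t *audited, bool *denied)
{
    av_t den = requested & ~avd->allowed;
    if (den) {
        *denied = true;
        *audited = den;
        return (den & avd->auditdeny) != 0;
    }
    *denied = false;
    *audited = requested;
    return (requested & avd->auditallow) != 0;
}

/* snprintf into a fixed buffer with truncation handling; returns new length. */
static size_t append(char *buf, size_t len, size_t used, const char *fmt, ...)
{
    if (used >= len)
        return used;
    va_list ap;
    va_start(ap, fmt);
    int w = vsnprintf(buf + used, len - used, fmt, ap);
    va_end(ap);
    if (w < 0)
        return used;
    used += (size_t)w;
    return used < len ? used : len - 1;  /* clamp at the terminator */
}

/* Cosmetic conversion of an access vector to "{ read write }", the job of
 * avc_dump_av() in the kernel (permission names are constructed here). */
static size_t dump_av(char *buf, size_t len, size_t used, av_t av)
{
    static const char *const names[] = { "read", "write", "execute" };
    used = append(buf, len, used, "{");
    for (unsigned i = 0; i < 3; i++)
        if (av & (1u << i))
            used = append(buf, len, used, " %s", names[i]);
    return append(buf, len, used, " }");
}

/* Assumed convention of audit_log_untrustedstring(): a task-controlled
 * string such as comm is quoted when entirely printable and free of '"',
 * otherwise hex-encoded so it cannot inject fake fields into the record. */
static size_t append_untrusted(char *buf, size_t len, size_t used, const char *s)
{
    const unsigned char *p;
    for (p = (const unsigned char *)s; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7e)
            break;
    if (*p == '\0')
        return append(buf, len, used, "\"%s\"", s);
    for (p = (const unsigned char *)s; *p; p++)
        used = append(buf, len, used, "%02X", *p);
    return used;
}

/* Build the record in the order the excerpt does: verdict, vector, task,
 * auxiliary data (aux, e.g. "key=42", may be NULL), then the query.
 * Returns the record length, or 0 when avc_audit() would return early. */
size_t format_avc_record(char *buf, size_t len, av_t requested,
                         const struct av_decision *avd, int pid,
                         const char *comm, const char *aux,
                         const char *scontext, const char *tcontext,
                         const char *tclass)
{
    av_t audited;
    bool denied;
    if (!avc_should_audit(requested, avd, &audited, &denied))
        return 0;
    size_t n = append(buf, len, 0, "avc: %s ", denied ? "denied" : "granted");
    n = dump_av(buf, len, n, audited);
    n = append(buf, len, n, " for ");
    if (pid) {
        n = append(buf, len, n, " pid=%d comm=", pid);
        n = append_untrusted(buf, len, n, comm);
    }
    if (aux)
        n = append(buf, len, n, " %s", aux);
    /* Assumed avc_dump_query() output: the context triple and the class. */
    return append(buf, len, n, " scontext=%s tcontext=%s tclass=%s",
                  scontext, tcontext, tclass);
}

int main(void)
{
    /* Constructed decision: read/write allowed, writes audited, all denials audited. */
    struct av_decision avd = { PERM_READ | PERM_WRITE, PERM_WRITE, ~0u };
    av_t reqs[] = { PERM_READ, PERM_WRITE, PERM_EXEC };
    char rec[256];
    for (size_t i = 0; i < 3; i++) {
        size_t n = format_avc_record(rec, sizeof rec, reqs[i], &avd, 1234, "cat",
                                     NULL, "user_u:user_r:user_t",
                                     "system_u:object_r:etc_t", "file");
        printf("%s\n", n ? rec : "(no record)");
    }
    return 0;
}
```

Running it shows that a plain read produces no record at all, a write is logged as granted only because auditallow covers it, and the execute attempt is logged as denied with exactly the permission bits that were refused, which is the information a detection rule on AVC messages keys on.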

Standard Hooks


Although it is sufficient to record only entry and exit for most system calls, some can provide more
information to the audit subsystem. Section 19.3.1 mentioned that the audit context provides the capability