From: Ondrej Mosnacek <omosnace@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd
Date: Thu, 12 Jul 2018 13:36:32 +0200 [thread overview]
Message-ID: <20180712113633.10687-3-omosnace@redhat.com> (raw)
In-Reply-To: <20180712113633.10687-1-omosnace@redhat.com>
The function logs an FD_PATH record associated with the current syscall.
The record ties the given file descriptor to the current absolute path of
the file it refers to (when such a path can be resolved). A reader of the
log can then connect this information to the arguments in the SYSCALL
record (depending on the syscall type).
Record format:
type=FD_PATH msg=audit(...): fd=<file descriptor> path=<file path>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
include/linux/audit.h | 10 ++++++++++
kernel/auditsc.c | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9334fbef7bae..95d338bb603a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -356,6 +356,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
+extern void __audit_fd_path(int fd);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -458,6 +459,12 @@ static inline void audit_fanotify(unsigned int response)
__audit_fanotify(response);
}
+static inline void audit_fd_path(int fd)
+{
+ if (fd >= 0 && !audit_dummy_context())
+ __audit_fd_path(fd);
+}
+
extern int audit_n_rules;
extern int audit_signals;
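Review bot: The `fd >= 0` test in the new audit_fd_path() wrapper carries no comment, so a reader cannot tell whether it rejects invalid descriptors or deliberately skips sentinel values such as AT_FDCWD (which is negative) that the *at(2) callers named in the cover letter would pass; I would put `/* Negative fds (AT_FDCWD, invalid) name no file: nothing to record. */` above the check. A second comment saying that the record is also skipped when the current syscall is not being collected, which is what the audit_dummy_context() test appears to do, would make the contract of the wrapper clear without reading __audit_fd_path() in auditsc.c.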
#else /* CONFIG_AUDITSYSCALL */
@@ -584,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
static inline void audit_fanotify(unsigned int response)
{ }
+static inline void audit_fd_path(int fd)
+{ }
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d762e0b8160e..82dad69213a2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,8 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
+#include <linux/file.h>
+#include <linux/dcache.h>
#include <uapi/linux/limits.h>
#include "audit.h"
@@ -2422,6 +2424,40 @@ void __audit_fanotify(unsigned int response)
AUDIT_FANOTIFY, "resp=%u", response);
}
+void __audit_fd_path(int fd)
+{
+ struct audit_buffer *ab;
+ struct file *file;
+ char *buf, *path;
+
+ if (!audit_enabled)
+ return;
+
+ file = fget_raw(fd);
+ if (!file)
+ return;
+
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf)
+ return;
+
+ path_get(&file->f_path);
+ path = d_absolute_path(&file->f_path, buf, PATH_MAX);
+ path_put(&file->f_path);
+ fput(file);
+ if (!path || IS_ERR(path))
+ goto free_buf;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FD_PATH);
+ if (unlikely(!ab))
+ goto free_buf;
+ audit_log_format(ab, "fd=%i path=", fd);
+ audit_log_untrustedstring(ab, path);
+ audit_log_end(ab);
+free_buf:
+ kfree(buf);
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
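Review bot: The kmalloc() failure path in __audit_fd_path() returns while still holding the reference taken by fget_raw(fd) a few lines earlier, so every allocation failure leaks a struct file; change it to `if (!buf) { fput(file); return; }` (or take the buffer before looking up the fd and `goto free_buf` when fget_raw() fails). The path_get()/path_put() pair around d_absolute_path() looks redundant, since the file reference already pins file->f_path for the duration of the call. As far as I can tell d_absolute_path() also resolves against the global root rather than the caller's chroot or mount namespace, and returns an error for objects not reachable from it (detached mounts, pipes, sockets), so such fds silently get no FD_PATH record; a one-line comment above the call, such as `/* Global-root view; unreachable objects (pipes, sockets, detached mounts) yield no record. */`, would tell log consumers why the record can be absent.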
--
2.17.1