From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ondrej Mosnacek Subject: [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd Date: Thu, 12 Jul 2018 13:36:32 +0200 Message-ID: <20180712113633.10687-3-omosnace@redhat.com> References: <20180712113633.10687-1-omosnace@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx04.extmail.prod.ext.phx2.redhat.com [10.5.110.28]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EB5901948A for ; Thu, 12 Jul 2018 11:36:25 +0000 (UTC) Received: from mail-wm0-f72.google.com (mail-wm0-f72.google.com [74.125.82.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 978EA81113 for ; Thu, 12 Jul 2018 11:36:25 +0000 (UTC) Received: by mail-wm0-f72.google.com with SMTP id n14-v6so1417921wmh.1 for ; Thu, 12 Jul 2018 04:36:25 -0700 (PDT) In-Reply-To: <20180712113633.10687-1-omosnace@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Richard Guy Briggs List-Id: linux-audit@redhat.com The function logs an FD_PATH record that is associated with the current syscall. The record associates the given file descriptor with the current path of the file under it (if it is possible to retrieve such path). The reader of the log can then logically connect this information to the syscall arguments from the SYSCALL record (based on the syscall type). Record format: type=FD_PATH msg=audit(...): fd= path= Signed-off-by: Ondrej Mosnacek
---
 include/linux/audit.h | 10 ++++++++++
 kernel/auditsc.c | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9334fbef7bae..95d338bb603a 100644
--- a/include/linux/audit.h 
+++ b/include/linux/audit.h
@@ -356,6 +356,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
 extern void __audit_log_kern_module(char *name);
 extern void __audit_fanotify(unsigned int response);
+extern void __audit_fd_path(int fd);
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
@@ -458,6 +459,12 @@ static inline void audit_fanotify(unsigned int response)
 __audit_fanotify(response);
 }
+static inline void audit_fd_path(int fd)
+{
+ if (fd >= 0 && !audit_dummy_context())
+ __audit_fd_path(fd);
+}
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -584,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
 static inline void audit_fanotify(unsigned int response)
 { }
+static inline void audit_fd_path(int fd)
+{ }
+
 static inline void audit_ptrace(struct task_struct *t)
 { }
 #define audit_n_rules 0
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d762e0b8160e..82dad69213a2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include "audit.h" 
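Review bot: The new `audit_fd_path()` wrapper in the second hunk and the `__audit_fd_path()` prototype in the first carry no comment, so a caller cannot tell from the header when a record is actually emitted. I would put a short comment above the inline wrapper, e.g. `/* Log an FD_PATH record for @fd in the current syscall; negative fds (e.g. AT_FDCWD) and dummy audit contexts are skipped. */`. The `fd >= 0` guard is the part worth spelling out, since callers will pass raw syscall arguments and the silent skip for negative values is intentional rather than an error path. The `!CONFIG_AUDITSYSCALL` stub in the third hunk matches the neighbouring `audit_fanotify()` stub, so nothing to change there.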
@@ -2422,6 +2424,40 @@ void __audit_fanotify(unsigned int response)
 AUDIT_FANOTIFY, "resp=%u", response);
 }
+void __audit_fd_path(int fd)
+{
+ struct audit_buffer *ab;
+ struct file *file;
+ char *buf, *path;
+
+ if (!audit_enabled)
+ return;
+
+ file = fget_raw(fd);
+ if (!file)
+ return;
+
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf)
+ return;
+
+ path_get(&file->f_path);
+ path = d_absolute_path(&file->f_path, buf, PATH_MAX);
+ path_put(&file->f_path);
+ fput(file);
+ if (!path || IS_ERR(path))
+ goto free_buf;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FD_PATH);
+ if (unlikely(!ab))
+ goto free_buf;
+ audit_log_format(ab, "fd=%i path=", fd);
+ audit_log_untrustedstring(ab, path);
+ audit_log_end(ab);
+free_buf:
+ kfree(buf);
+}
+
 static void audit_log_task(struct audit_buffer *ab)
 {
 kuid_t auid, uid;
-- 2.17.1
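Review bot: The `if (!buf) return;` after `fget_raw(fd)` leaks the struct file reference taken by fget_raw, because `fput(file)` is only reached on the path further down; under memory pressure this pins the file (and its mount) for the life of the task. Release it before bailing out, `if (!buf) { fput(file); return; }`, or allocate the buffer before calling fget_raw so no reference is held when kmalloc fails. The `path_get()`/`path_put()` pair around `d_absolute_path()` looks redundant while the file reference is held, since the open file already keeps `f_path` alive; harmless, but a one-line comment saying why it is there would stop the next reader from wondering. As far as I recall `d_absolute_path()` reports failure only through `IS_ERR()`, so the `!path` half of the check is dead, but keep it if your tree's helper can return NULL.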