From: Richard Guy Briggs <rgb@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd
Date: Mon, 16 Jul 2018 13:30:13 -0400 [thread overview]
Message-ID: <20180716173013.ierunnw34umfjcus@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAFqZXNvz2VDHXvXNZtbh4C550jUMdo=tkUXnyiwfpfk=-z4KFg@mail.gmail.com>
On 2018-07-16 10:29, Ondrej Mosnacek wrote:
> On Fri, Jul 13, 2018 at 5:17 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2018-07-12 13:36, Ondrej Mosnacek wrote:
> > > The function logs an FD_PATH record that is associated with the current
> > > syscall. The record associates the given file descriptor with the
> > > current path of the file under it (if it is possible to retrieve such
> > > path). The reader of the log can then logically connect this information
> > > to the syscall arguments from the SYSCALL record (based on the syscall
> > > type).
> > >
> > > Record format:
> > > type=FD_PATH msg=audit(...): fd=<file descriptor> path=<file path>
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > include/linux/audit.h | 10 ++++++++++
> > > kernel/auditsc.c | 36 ++++++++++++++++++++++++++++++++++++
> > > 2 files changed, 46 insertions(+)
> > >
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 9334fbef7bae..95d338bb603a 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -356,6 +356,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
> > > extern void __audit_mmap_fd(int fd, int flags);
> > > extern void __audit_log_kern_module(char *name);
> > > extern void __audit_fanotify(unsigned int response);
> > > +extern void __audit_fd_path(int fd);
> > >
> > > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > > {
> > > @@ -458,6 +459,12 @@ static inline void audit_fanotify(unsigned int response)
> > > __audit_fanotify(response);
> > > }
> > >
> > > +static inline void audit_fd_path(int fd)
> > > +{
> > > + if (fd >= 0 && !audit_dummy_context())
> >
> > Isn't an fd of 0 valid?
>
> It is treated as valid by the above condition (it only rejects
> negative values), so I'm not sure if you mean "valid" or "invalid"...
> I suppose an fd of 0 is unlikely to be used as dirfd in openat(2) et
> al., but in general it is a valid fd and I don't think we should
> explicitly exclude it here. The corresponding syscalls' input checks
> will already filter out values that are invalid for them.
Sorry, that must have been a brain fart on my part. I must have seen
">" when I first reviewed it, then later saw ">="... so that should be
fine.
> > > + __audit_fd_path(fd);
> > > +}
> > > +
> > > extern int audit_n_rules;
> > > extern int audit_signals;
> > > #else /* CONFIG_AUDITSYSCALL */
> > > @@ -584,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
> > > static inline void audit_fanotify(unsigned int response)
> > > { }
> > >
> > > +static inline void audit_fd_path(int fd)
> > > +{ }
> > > +
> > > static inline void audit_ptrace(struct task_struct *t)
> > > { }
> > > #define audit_n_rules 0
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index d762e0b8160e..82dad69213a2 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -74,6 +74,8 @@
> > > #include <linux/string.h>
> > > #include <linux/uaccess.h>
> > > #include <linux/fsnotify_backend.h>
> > > +#include <linux/file.h>
> > > +#include <linux/dcache.h>
> > > #include <uapi/linux/limits.h>
> > >
> > > #include "audit.h"
> > > @@ -2422,6 +2424,40 @@ void __audit_fanotify(unsigned int response)
> > > AUDIT_FANOTIFY, "resp=%u", response);
> > > }
> > >
> > > +void __audit_fd_path(int fd)
> > > +{
> > > + struct audit_buffer *ab;
> > > + struct file *file;
> > > + char *buf, *path;
> > > +
> > > + if (!audit_enabled)
> > > + return;
> > > +
> > > + file = fget_raw(fd);
> > > + if (!file)
> > > + return;
> > > +
> > > + buf = kmalloc(PATH_MAX, GFP_KERNEL);
> > > + if (!buf)
> >
> > I think we need an fput(file) here.
>
> Indeed we do, will fix in next revision.
>
> >
> > > + return;
> > > +
> > > + path_get(&file->f_path);
> > > + path = d_absolute_path(&file->f_path, buf, PATH_MAX);
> > > + path_put(&file->f_path);
> > > + fput(file);
> > > + if (!path || IS_ERR(path))
> > > + goto free_buf;
> > > +
> > > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FD_PATH);
> > > + if (unlikely(!ab))
> > > + goto free_buf;
> > > + audit_log_format(ab, "fd=%i path=", fd);
> > > + audit_log_untrustedstring(ab, path);
> > > + audit_log_end(ab);
> > > +free_buf:
> > > + kfree(buf);
> > > +}
> > > +
> > > static void audit_log_task(struct audit_buffer *ab)
> > > {
> > > kuid_t auid, uid;
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Associate Software Engineer, Security Technologies
> Red Hat, Inc.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2018-07-16 17:30 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-12 11:36 [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 1/3] audit: Add AUDIT_FD_PATH auxiliary record type Ondrej Mosnacek
2018-07-13 14:51 ` Richard Guy Briggs
2018-07-16 8:19 ` Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd Ondrej Mosnacek
2018-07-13 15:15 ` Richard Guy Briggs
2018-07-16 8:29 ` Ondrej Mosnacek
2018-07-16 17:30 ` Richard Guy Briggs [this message]
2018-07-14 16:26 ` Steve Grubb
2018-07-16 8:31 ` Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 3/3] [WIP] fs: Add audit_fd_path() calls to syscall handlers Ondrej Mosnacek
2018-07-13 15:20 ` Richard Guy Briggs
2018-07-18 20:41 ` [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls Paul Moore
2018-07-20 10:11 ` Ondrej Mosnacek
2018-07-23 20:49 ` Paul Moore
2018-07-24 14:12 ` Ondrej Mosnacek
2018-07-24 22:15 ` Paul Moore
2018-07-25 1:11 ` Steve Grubb
2018-07-25 7:44 ` Ondrej Mosnacek
2018-07-25 12:48 ` Steve Grubb
2018-07-25 13:02 ` Ondrej Mosnacek
2018-07-25 13:11 ` Steve Grubb
2018-07-26 8:12 ` Ondrej Mosnacek
2018-07-26 9:12 ` Ondrej Mosnacek
2018-08-02 23:58 ` Paul Moore
2018-08-03 9:19 ` Ondrej Mosnacek
2018-08-02 23:16 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180716173013.ierunnw34umfjcus@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=omosnace@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox