Quoting Mimi Zohar (zohar(a)linux.vnet.ibm.com):
We are interested in using auditing's context pathname
information.
Is this the best way of accessing it?
Add support for accessing auditing's inode full pathname.
Interesting idea. It does seem to do what you need.
-serge
Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com>
Index: security-testing-2.6/include/linux/audit.h
===================================================================
--- security-testing-2.6.orig/include/linux/audit.h
+++ security-testing-2.6/include/linux/audit.h
@@ -403,6 +403,8 @@ extern void audit_syscall_entry(int arch
unsigned long a2, unsigned long a3);
extern void audit_syscall_exit(int failed, long return_code);
extern void __audit_getname(const char *name);
+extern const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode);
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const char *dname, const struct dentry *dentry,
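Review bot: The new prototype for `audit_get_inode_pathname` has no counterpart for builds without syscall auditing, so a caller outside the audit code would fail to link when kernel/auditsc.c is not built. The neighbouring declarations appear to sit in a CONFIG_AUDITSYSCALL section, although the conditional itself is outside this hunk; if so, add a stub in the #else branch such as `#define audit_get_inode_pathname(t, i) (NULL)` so callers simply see "no name available". Since the function only reads `i_ino`, the second parameter could also be `const struct inode *inode`, changed in both the prototype and the definition.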
Index: security-testing-2.6/kernel/auditsc.c
===================================================================
--- security-testing-2.6.orig/kernel/auditsc.c
+++ security-testing-2.6/kernel/auditsc.c
@@ -1677,6 +1677,28 @@ retry:
#endif
}
+const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode)
+{
+ struct audit_context *context;
+ int idx;
+
+ context = tsk->audit_context;
+ if (!context)
+ return NULL;
+ for (idx = 0; idx < context->name_count; idx++) {
+ struct audit_names *n = &context->names[idx];
+
+ if (!n->name)
+ continue;
+
+ if (n->ino == inode->i_ino)
+ return n->name;
+ }
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(audit_get_inode_pathname);
+
/**
* audit_getname - add a name to the list
* @name: name to add
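Review bot: The match in the loop, `if (n->ino == inode->i_ino)`, keys on the inode number alone, and inode numbers are only unique within one filesystem, so a caller that uses the result for an integrity or audit decision can be handed the name recorded for a different file on another mount. If audit_names also records the device (not visible in this hunk), the comparison should include it, e.g. `if (n->ino == inode->i_ino && n->dev == inode->i_sb->s_dev)`. The returned pointer is still owned by the audit context, so the function needs a kernel-doc comment stating that the caller must not free it, that it is only valid while the context keeps its names (presumably until syscall exit; confirm), and that tsk is expected to be current because nothing here locks another task's context. The string is whatever name was recorded for the syscall, which may be a relative path and not the full pathname the description promises, so the comment should say that too.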