Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names

On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > Audit link denied events for symlinks were missing the parent PATH > record. Add it. Since the full pathname may not be available, > reconstruct it from the path in the nameidata supplied. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; > --- > fs/namei.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/fs/namei.c b/fs/namei.c > index 0edf133..bf1c046b 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd) > const struct inode *inode; > const struct inode *parent; > kuid_t puid; > + char *pathname; > > if (!sysctl_protected_symlinks) > return 0; > @@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd) > if (nd->flags & LOOKUP_RCU) > return -ECHILD; > > + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); > + if (!pathname) > + return -ENOMEM; > + audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, pathname, > + PATH_MAX + 1)), > + nd->stack[0].link.dentry, 0); Hmm, it's been a while since I've looked at the audit vfs/inode code, but isn't the audit_inode() call directly above effectively a duplicate of the audit_inode(nd->name, nd->stack[0].link.dentry, 0) call you added in patch 3/4?

> + audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT); > + > audit_inode(nd->name, nd->stack[0].link.dentry, 0); > audit_log_link_denied("follow_link", &nd->stack[0].link); > return -EACCES; > -- > 1.8.3.1 -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit