We log pathnames which are passed as arguments to syscalls, but we don't
actually record the current working directory, against which any relative
pathnames among them are resolved.
--- linux-2.6.9/include/linux/audit.h~ 2005-05-26 11:25:59.000000000 +0100
+++ linux-2.6.9/include/linux/audit.h 2005-05-26 17:59:36.000000000 +0100
@@ -69,11 +69,12 @@ struct atomic_t;
#define AUDIT_SYSCALL 1300 /* Syscall event */
#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
-#define AUDIT_PATH 1302 /* Filname path information */
+#define AUDIT_PATH 1302 /* Filename path information */
#define AUDIT_IPC 1303 /* IPC record */
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
+#define AUDIT_CWD 1307 /* Current working directory */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
--- linux-2.6.9/kernel/auditsc.c~ 2005-05-26 14:17:45.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-05-26 18:02:52.000000000 +0100
@@ -565,6 +565,12 @@ static inline void audit_free_names(stru
if (context->names[i].name)
__putname(context->names[i].name);
context->name_count = 0;
+ if (context->pwd)
+ dput(context->pwd);
+ if (context->pwdmnt)
+ mntput(context->pwdmnt);
+ context->pwd = NULL;
+ context->pwdmnt = NULL;
}
static inline void audit_free_aux(struct audit_context *context)
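Review bot: The new dput()/mntput() calls on `context->pwd` and `context->pwdmnt` rely on members that no hunk in this patch adds to `struct audit_context`, and the zero-initialisation of those members in the context allocation path is not visible either, so that part of the change appears to be missing or outside this excerpt and should be confirmed. Resetting both pointers to NULL after the release is the right thing to do if the context is reused for later syscalls, because `audit_getname` keys its snapshot off `pwd` being NULL. If dput() and mntput() already tolerate a NULL argument in this tree, as I believe they do, the two `if` guards are redundant and the block can shrink to `dput(context->pwd); mntput(context->pwdmnt);` followed by the two NULL assignments. audit_free_names starts before this hunk.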
@@ -778,10 +784,18 @@ static void audit_log_exit(struct audit_
audit_log_end(ab);
}
+ if (context->pwd && context->pwdmnt) {
+ ab = audit_log_start(context, AUDIT_CWD);
+ if (ab) {
+ audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
+ audit_log_end(ab);
+ }
+ }
for (i = 0; i < context->name_count; i++) {
ab = audit_log_start(context, AUDIT_PATH);
if (!ab)
continue; /* audit_panic has been called */
+
audit_log_format(ab, "item=%d", i);
if (context->names[i].name) {
audit_log_format(ab, " name=");
@@ -960,6 +974,13 @@ void audit_getname(const char *name)
context->names[context->name_count].name = name;
context->names[context->name_count].ino = (unsigned long)-1;
++context->name_count;
+ if (!context->pwd) {
+ read_lock(¤t->fs->lock);
+ context->pwd = dget(current->fs->pwd);
+ context->pwdmnt = mntget(current->fs->pwdmnt);
+ read_unlock(¤t->fs->lock);
+ }
+
}
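Review bot: The lazy snapshot in the `if (!context->pwd)` block should carry a comment explaining why the cwd is captured at the first getname() of the syscall rather than at syscall entry, e.g. `/* Snapshot the cwd the first time a pathname is looked up in this syscall; relative names are resolved against it. Syscalls that never look up a name record nothing. */` — the last sentence is my inference from the placement and should be confirmed. This also assumes `pwd` is NULL when a syscall starts; audit_free_names now clears it on release, but the allocation path is not in the patch, so the initial zeroing of the new members should be checked. `¤t->fs->lock` on the read_lock/read_unlock lines looks like a rendering artifact of `&current->fs->lock` rather than the submitted text. The blank line added just before the closing brace is trailing whitespace and can go. audit_getname starts before this hunk.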
/* Intercept a putname request. Called from
--
dwmw2