On Thursday, July 12, 2018 7:36:32 AM EDT Ondrej Mosnacek wrote:
The function logs an FD_PATH record that is associated with the current
syscall. The record associates the given file descriptor with the
current path of the file under it (if it is possible to retrieve such a
path). The reader of the log can then logically connect this information
to the syscall arguments from the SYSCALL record (based on the syscall
type).
Record format:
type=FD_PATH msg=audit(...): fd=<file descriptor> path=<file path>
Event looks OK to me. However, do you check for AT_FDCWD? If so, should we
skip generating this record?
-Steve
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
include/linux/audit.h | 10 ++++++++++
kernel/auditsc.c | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9334fbef7bae..95d338bb603a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -356,6 +356,7 @@ extern void __audit_log_capset(const struct cred *new,
const struct cred *old); extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_log_kern_module(char *name);
extern void __audit_fanotify(unsigned int response);
+extern void __audit_fd_path(int fd);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -458,6 +459,12 @@ static inline void audit_fanotify(unsigned int
response) __audit_fanotify(response);
}
+static inline void audit_fd_path(int fd)
+{
+ if (fd >= 0 && !audit_dummy_context())
+ __audit_fd_path(fd);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
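Review bot: The new inline `audit_fd_path()` introduces a record type that is documented only in the commit message, so a reader of audit.h has to go to kernel/auditsc.c to learn what it emits. The neighbouring wrappers are uncommented too, but since this one adds a new record, a one-line comment above it such as `/* Emit an FD_PATH record for @fd when the current syscall is being audited. */` would make the header self-explanatory. The `AUDIT_FD_PATH` record format itself (`fd=<fd> path=<path>`) would be best stated at the `__audit_fd_path()` definition rather than here.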
@@ -584,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
static inline void audit_fanotify(unsigned int response)
{ }
+static inline void audit_fd_path(int fd)
+{ }
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d762e0b8160e..82dad69213a2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,8 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
+#include <linux/file.h>
+#include <linux/dcache.h>
#include <uapi/linux/limits.h>
#include "audit.h"
@@ -2422,6 +2424,40 @@ void __audit_fanotify(unsigned int response)
AUDIT_FANOTIFY, "resp=%u", response);
}
+void __audit_fd_path(int fd)
+{
+ struct audit_buffer *ab;
+ struct file *file;
+ char *buf, *path;
+
+ if (!audit_enabled)
+ return;
+
+ file = fget_raw(fd);
+ if (!file)
+ return;
+
+ buf = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf)
+ return;
+
+ path_get(&file->f_path);
+ path = d_absolute_path(&file->f_path, buf, PATH_MAX);
+ path_put(&file->f_path);
+ fput(file);
+ if (!path || IS_ERR(path))
+ goto free_buf;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FD_PATH);
+ if (unlikely(!ab))
+ goto free_buf;
+ audit_log_format(ab, "fd=%i path=", fd);
+ audit_log_untrustedstring(ab, path);
+ audit_log_end(ab);
+free_buf:
+ kfree(buf);
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
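Review bot: When `d_absolute_path()` returns an error pointer (`-ENAMETOOLONG`, or, if I read fs/d_path.c correctly, `-EINVAL` for a file not reachable from the global root) or when the `kmalloc(PATH_MAX, GFP_KERNEL)` fails, `__audit_fd_path()` returns without emitting anything, so a log consumer cannot tell "the path could not be resolved" from "no FD_PATH record was generated for this descriptor". `audit_log_d_path()` in kernel/audit.c handles the equivalent cases by still emitting the record with a placeholder string (`<no_memory>` / `<too_long>`); either doing the same here, e.g. `audit_log_format(ab, "fd=%i path=", fd); audit_log_string(ab, "<too_long>");` on the error path, or adding a comment stating that the record is intentionally omitted on resolution failure, would make the contract explicit for SYSCALL-record correlation. Separately, the `path_get(&file->f_path)` / `path_put(&file->f_path)` pair around `d_absolute_path()` looks redundant: the reference taken by `fget_raw()` and held until `fput(file)` already pins `file->f_path`, so those two calls can likely be dropped. A kerneldoc comment on `__audit_fd_path()` describing the `fd=<fd> path=<path>` format and the "no record if the path cannot be resolved" behaviour would also help, since the function is the only place that defines this record.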