From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML
Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs
Subject: [PATCH ghak8 ALT4 V4 2/3] audit: append new fstype field for anonymous PATH records
Date: Mon, 12 Feb 2018 00:02:22 -0500

Append a new fstype field that gives the filesystem type magic value in hexadecimal to help identify previously null PATH records produced by audit_inode_child logging requests on inodes with anonymous parents.

Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=796 name=events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
...
type=PATH msg=audit(1488317694.446:143): item=1 name=events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=0 name=events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=KERN_MODULE msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"

See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs
---
 kernel/audit.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c index 0c8d5a8..1c9d0a4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2076,6 +2076,8 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, const struct path *path, int record_num, int *call_panic) { struct audit_buffer *ab; + unsigned long fstype; + ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH); if (!ab) return; @@ -2120,6 +2122,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, } audit_log_format(ab, " name="); audit_log_untrustedstring(ab, fullpathp ?: "?"); + fstype = n->dentry->d_sb->s_magic; if (fullpath) kfree(fullpath); } else { 
@@ -2173,6 +2176,10 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, } audit_log_fcaps(ab, n); + if (fstype) + audit_log_format(ab, " fstype=0x%lx", fstype); + else + audit_log_format(ab, " fstype=?"); audit_log_end(ab); } -- 1.8.3.1
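
Review bot: fstype is declared without an initializer in the first hunk (@@ -2076), but the second hunk assigns it only inside the branch that logs name= from fullpath, and the third hunk tests "if (fstype)" on every path through audit_log_name(). On the other branches that test reads an uninitialized stack variable, so the record can carry an arbitrary value instead of falling back to fstype=?. Declaring it as "unsigned long fstype = 0;" makes the fallback reachable.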
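
Review bot: in the second hunk (@@ -2120), "fstype = n->dentry->d_sb->s_magic;" dereferences n->dentry with no NULL check visible in the surrounding context lines. If this branch can be reached with n->dentry unset, that is a NULL pointer dereference in the audit logging path; guard the assignment with "if (n->dentry)" or add a comment saying why dentry is always valid at this point.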
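
Review bot: the third hunk (@@ -2173) formats the value with " fstype=0x%lx", while the sample output in the changelog shows fstype=74726163 with no 0x prefix; one of the two should change so the changelog matches what is emitted. The field is also appended to every PATH record (as fstype=? when unset), whereas the subject and changelog describe it as being for anonymous PATH records; if unconditional output is intended, the changelog should say so, since it changes the record format that userspace parsers see.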
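
A consumer-side sketch for the new field, added here as an example and not part of the patch or of the audit project's code: it parses PATH records, accepts the fstype value with or without the 0x prefix (the sample output and the diff differ on this) as well as "?", and maps the magic number to a filesystem name. The records are constructed (the first is abridged from the sample output above) and the function names are hypothetical.

```python
import re

# Subset of filesystem magic numbers from include/uapi/linux/magic.h.
FS_MAGIC = {0x74726163: "tracefs", 0x64626720: "debugfs",
            0x62656572: "sysfs", 0x01021994: "tmpfs", 0x9FA0: "proc"}

# Constructed input: the first record is abridged from the sample output in
# the commit message; the others are made up to cover the "0x" and "?" forms
# that the diff emits.
SAMPLE = """\
type=PATH msg=audit(1488317694.446:143): item=1 name=events/nfs4 inode=15571 dev=00:09 nametype=CREATE fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=0 name=events inode=119 dev=00:09 nametype=PARENT fstype=0x74726163
type=PATH msg=audit(1488317694.446:143): item=2 name=(null) inode=1 dev=00:09 nametype=NORMAL fstype=?
type=KERN_MODULE msg=audit(1488317694.446:143): name="nfsv4"
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def decode_fstype(value):
    """Return (magic, name); (None, None) if the field is absent, '?' or not hex."""
    if value is None or value == "?":
        return None, None
    try:
        magic = int(value, 16)  # base 16 accepts an optional 0x prefix
    except ValueError:
        return None, None
    return magic, FS_MAGIC.get(magic, "unknown")


def path_fstypes(text):
    """List (item, name, magic, fs_name) for every PATH record in text."""
    rows = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "PATH":
            continue  # PROCTITLE, SYSCALL, KERN_MODULE carry no fstype
        magic, fs = decode_fstype(rec.get("fstype"))
        rows.append((int(rec["item"]), rec.get("name"), magic, fs))
    return rows
```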