Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

AUDIT: Record working directory when syscall arguments are pathnames

Browse source 
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
David Woodhouse 2005-05-27 12:17:28 +01:00
parent 7551ced334
commit 8f37d47c9b
2 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
include/linux/audit.h
View file

@ -61,11 +61,12 @@
#define AUDIT_SYSCALL 1300 /* Syscall event */ #define AUDIT_SYSCALL 1300 /* Syscall event */
#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
#define AUDIT_PATH 1302 /* Filname path information */ #define AUDIT_PATH 1302 /* Filename path information */
#define AUDIT_IPC 1303 /* IPC record */ #define AUDIT_IPC 1303 /* IPC record */
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */ #define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
#define AUDIT_CWD 1307 /* Current working directory */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */

23
kernel/auditsc.c
View file

@ -145,6 +145,8 @@ struct audit_context {
int auditable; /* 1 if record should be written */ int auditable; /* 1 if record should be written */
int name_count; int name_count;
struct audit_names names[AUDIT_NAMES]; struct audit_names names[AUDIT_NAMES];
struct dentry * pwd;
struct vfsmount * pwdmnt;
struct audit_context *previous; /* For nested syscalls */ struct audit_context *previous; /* For nested syscalls */
struct audit_aux_data *aux; struct audit_aux_data *aux;
@ -552,6 +554,12 @@ static inline void audit_free_names(struct audit_context *context)
if (context->names[i].name) if (context->names[i].name)
__putname(context->names[i].name); __putname(context->names[i].name);
context->name_count = 0; context->name_count = 0;
if (context->pwd)
dput(context->pwd);
if (context->pwdmnt)
mntput(context->pwdmnt);
context->pwd = NULL;
context->pwdmnt = NULL;
} }
static inline void audit_free_aux(struct audit_context *context) static inline void audit_free_aux(struct audit_context *context)
@ -745,10 +753,18 @@ static void audit_log_exit(struct audit_context *context)
audit_log_end(ab); audit_log_end(ab);
} }
if (context->pwd && context->pwdmnt) {
ab = audit_log_start(context, AUDIT_CWD);
if (ab) {
audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
audit_log_end(ab);
}
}
for (i = 0; i < context->name_count; i++) { for (i = 0; i < context->name_count; i++) {
ab = audit_log_start(context, AUDIT_PATH); ab = audit_log_start(context, AUDIT_PATH);
if (!ab) if (!ab)
continue; /* audit_panic has been called */ continue; /* audit_panic has been called */
audit_log_format(ab, "item=%d", i); audit_log_format(ab, "item=%d", i);
if (context->names[i].name) { if (context->names[i].name) {
audit_log_format(ab, " name="); audit_log_format(ab, " name=");
@ -929,6 +945,13 @@ void audit_getname(const char *name)
context->names[context->name_count].name = name; context->names[context->name_count].name = name;
context->names[context->name_count].ino = (unsigned long)-1; context->names[context->name_count].ino = (unsigned long)-1;
++context->name_count; ++context->name_count;
if (!context->pwd) {
read_lock(&current->fs->lock);
context->pwd = dget(current->fs->pwd);
context->pwdmnt = mntget(current->fs->pwdmnt);
read_unlock(&current->fs->lock);
}
} }
/* Intercept a putname request. Called from /* Intercept a putname request. Called from