[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] get dev value for inode audit records - take 2



* Darrel Goeddel (dgoeddel trustedcs com) wrote:
> Don't forget the mode for completeness :)  That should be similar to a 

Thanks, I got it ;-)  I checked BSM to make sure I was recording what
was needed there.

> portion of the (rough idea) patch that I submitted to the list on Jan 21.  

You're right, I forgot.  Thanks, I just grabbed your initialized bit.
I have this vague recollection that i_ino == 0 doesn't happen (start at
1), but I can't find justification for this.  If that's wrong it's simple
to add init member.

> I believe you stated that this information would be redundant with Tim's 
> audit additions (although I could have misinterpreted that).  Is that no 
> longer the case?  I apologize for my ignorance here - I really do hope to 
> be able to start playing with Tim's patches soon (and David's prelim IPC 
> audit patch).

I agree it's needed, and I think the confusion was around adding the lsm
inode bit (maybe I was the confused one).

This one does mode (including upper bits), uid, gid, dev, ino, rdev
(do we want to keep that?).  Erich, does this let you filter on dev/ino
pair as expected?

thanks,
-chris

===== kernel/auditsc.c 1.6 vs edited =====
--- 1.6/kernel/auditsc.c	2005-01-30 22:33:47 -08:00
+++ edited/kernel/auditsc.c	2005-02-24 12:21:40 -08:00
@@ -89,6 +89,10 @@ enum audit_state {
 struct audit_names {
 	const char	*name;
 	unsigned long	ino;
+	dev_t		dev;
+	umode_t		mode;
+	uid_t		uid;
+	gid_t		gid;
 	dev_t		rdev;
 };
 
@@ -338,7 +342,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_DEVMAJOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MAJOR(ctx->names[j].rdev)==value) {
+					if (MAJOR(ctx->names[j].dev)==value) {
 						++result;
 						break;
 					}
@@ -348,7 +352,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_DEVMINOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MINOR(ctx->names[j].rdev)==value) {
+					if (MINOR(ctx->names[j].dev)==value) {
 						++result;
 						break;
 					}
@@ -615,13 +619,15 @@ static void audit_log_exit(struct audit_
 		if (context->names[i].name)
 			audit_log_format(ab, " name=%s",
 					 context->names[i].name);
-		if (context->names[i].ino != (unsigned long)-1)
-			audit_log_format(ab, " inode=%lu",
-					 context->names[i].ino);
-		/* FIXME: should use format_dev_t, but ab structure is
-		 * opaque. */
-		if (context->names[i].rdev != -1)
-			audit_log_format(ab, " dev=%02x:%02x",
+		if (context->names[i].ino)
+			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
+					     " uid=%d gid=%d rdev=%02x:%02x",
+					 context->names[i].ino,
+					 MAJOR(context->names[i].dev),
+					 MINOR(context->names[i].dev),
+					 context->names[i].mode,
+					 context->names[i].uid,
+					 context->names[i].gid,
 					 MAJOR(context->names[i].rdev),
 					 MINOR(context->names[i].rdev));
 		audit_log_end(ab);
@@ -811,8 +817,7 @@ void audit_getname(const char *name)
 	}
 	BUG_ON(context->name_count >= AUDIT_NAMES);
 	context->names[context->name_count].name = name;
-	context->names[context->name_count].ino  = (unsigned long)-1;
-	context->names[context->name_count].rdev = -1;
+	context->names[context->name_count].ino = 0;
 	++context->name_count;
 }
 
@@ -859,7 +864,7 @@ EXPORT_SYMBOL(audit_putname);
 
 /* Store the inode and device from a lookup.  Called from
  * fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, unsigned long ino, dev_t rdev)
+void audit_inode(const char *name, const struct inode *inode)
 {
 	int idx;
 	struct audit_context *context = current->audit_context;
@@ -885,8 +890,12 @@ void audit_inode(const char *name, unsig
 		++context->ino_count;
 #endif
 	}
-	context->names[idx].ino  = ino;
-	context->names[idx].rdev = rdev;
+	context->names[idx].ino  = inode->i_ino;
+	context->names[idx].dev	 = inode->i_sb->s_dev;
+	context->names[idx].mode = inode->i_mode;
+	context->names[idx].uid  = inode->i_uid;
+	context->names[idx].gid  = inode->i_gid;
+	context->names[idx].rdev = inode->i_rdev;
 }
 
 void audit_get_stamp(struct audit_context *ctx,
===== fs/namei.c 1.118 vs edited =====
--- 1.118/fs/namei.c	2005-01-20 21:00:21 -08:00
+++ edited/fs/namei.c	2005-02-24 11:21:26 -08:00
@@ -981,9 +981,7 @@ int fastcall path_lookup(const char *nam
 	retval = link_path_walk(name, nd);
 	if (unlikely(current->audit_context
 		     && nd && nd->dentry && nd->dentry->d_inode))
-		audit_inode(name,
-			    nd->dentry->d_inode->i_ino,
-			    nd->dentry->d_inode->i_rdev);
+		audit_inode(name, nd->dentry->d_inode);
 	return retval;
 }
 
===== include/linux/audit.h 1.2 vs edited =====
--- 1.2/include/linux/audit.h	2005-01-30 22:33:47 -08:00
+++ edited/include/linux/audit.h	2005-02-24 11:20:53 -08:00
@@ -141,7 +141,7 @@ extern void audit_syscall_entry(struct t
 extern void audit_syscall_exit(struct task_struct *task, int return_code);
 extern void audit_getname(const char *name);
 extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+extern void audit_inode(const char *name, const struct inode *inode);
 
 				/* Private API (for audit.c only) */
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
@@ -157,7 +157,7 @@ extern uid_t audit_get_loginuid(struct a
 #define audit_syscall_exit(t,r) do { ; } while (0)
 #define audit_getname(n) do { ; } while (0)
 #define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i) do { ; } while (0)
 #define audit_get_loginuid(c) ({ -1; })
 #endif
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]