[RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd

Sat Jul 14 16:26:35 UTC 2018

On Thursday, July 12, 2018 7:36:32 AM EDT Ondrej Mosnacek wrote:
> The function logs an FD_PATH record that is associated with the current
> syscall. The record associates the given file descriptor with the
> current path of the file under it (if it is possible to retrieve such
> path). The reader of the log can then logically connect this information
> to the syscall arguments from the SYSCALL record (based on the syscall
> type).
> 
> Record format:
> type=FD_PATH msg=audit(...): fd=<file descriptor> path=<file path>

Event looks OK to me. However, do you check for AT_FDCWD? If so, should we 
skip generating this record?

-Steve

> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
>  include/linux/audit.h | 10 ++++++++++
>  kernel/auditsc.c      | 36 ++++++++++++++++++++++++++++++++++++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 9334fbef7bae..95d338bb603a 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -356,6 +356,7 @@ extern void __audit_log_capset(const struct cred *new,
> const struct cred *old); extern void __audit_mmap_fd(int fd, int flags);
>  extern void __audit_log_kern_module(char *name);
>  extern void __audit_fanotify(unsigned int response);
> +extern void __audit_fd_path(int fd);
> 
>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  {
> @@ -458,6 +459,12 @@ static inline void audit_fanotify(unsigned int
> response) __audit_fanotify(response);
>  }
> 
> +static inline void audit_fd_path(int fd)
> +{
> +	if (fd >= 0 && !audit_dummy_context())
> +		__audit_fd_path(fd);
> +}
> +
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> @@ -584,6 +591,9 @@ static inline void audit_log_kern_module(char *name)
>  static inline void audit_fanotify(unsigned int response)
>  { }
> 
> +static inline void audit_fd_path(int fd)
> +{ }
> +
>  static inline void audit_ptrace(struct task_struct *t)
>  { }
>  #define audit_n_rules 0
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index d762e0b8160e..82dad69213a2 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -74,6 +74,8 @@
>  #include <linux/string.h>
>  #include <linux/uaccess.h>
>  #include <linux/fsnotify_backend.h>
> +#include <linux/file.h>
> +#include <linux/dcache.h>
>  #include <uapi/linux/limits.h>
> 
>  #include "audit.h"
> @@ -2422,6 +2424,40 @@ void __audit_fanotify(unsigned int response)
>  		AUDIT_FANOTIFY,	"resp=%u", response);
>  }
> 
> +void __audit_fd_path(int fd)
> +{
> +	struct audit_buffer *ab;
> +	struct file *file;
> +	char *buf, *path;
> +
> +	if (!audit_enabled)
> +		return;
> +
> +	file = fget_raw(fd);
> +	if (!file)
> +		return;
> +
> +	buf = kmalloc(PATH_MAX, GFP_KERNEL);
> +	if (!buf)
> +		return;
> +
> +	path_get(&file->f_path);
> +	path = d_absolute_path(&file->f_path, buf, PATH_MAX);
> +	path_put(&file->f_path);
> +	fput(file);
> +	if (!path || IS_ERR(path))
> +		goto free_buf;
> +
> +	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FD_PATH);
> +	if (unlikely(!ab))
> +		goto free_buf;
> +	audit_log_format(ab, "fd=%i path=", fd);
> +	audit_log_untrustedstring(ab, path);
> +	audit_log_end(ab);
> +free_buf:
> +	kfree(buf);
> +}
> +
>  static void audit_log_task(struct audit_buffer *ab)
>  {
>  	kuid_t auid, uid;