[PATCH ghak8 ALT4 V4 2/3] audit: append new fstype field for anonymous PATH records

From: Richard Guy Briggs
Date: Mon Feb 12 2018 - 00:07:11 EST


Append a new fstype field that gives the filesystem type magic value in
hexadecimal to help identify previously null PATH records produced by
audit_inode_child logging requests on inodes with anonymous parents.

Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=796 name=events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
...
type=PATH msg=audit(1488317694.446:143): item=1 name=events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=0 name=events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=KERN_MODULE msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"

See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
---
kernel/audit.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0c8d5a8..1c9d0a4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2076,6 +2076,8 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
const struct path *path, int record_num, int *call_panic)
{
struct audit_buffer *ab;
+ unsigned long fstype;
+
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
if (!ab)
return;
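Review bot: `fstype` is declared without an initializer here, but the only assignment visible in this patch sits inside one branch of the name-logging `if`/`else` (the `fstype = n->dentry->d_sb->s_magic;` line), so on the `else` path the later `if (fstype)` test reads an indeterminate value, which is undefined behaviour and will also make the record content non-deterministic. Initialise at the declaration, `unsigned long fstype = 0;`, so the unset case deterministically takes the `fstype=?` branch that the patch already provides. audit_log_name's body continues outside this hunk, so if a later context line assigns it on every path this is moot, but nothing shown here does.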
@@ -2120,6 +2122,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
}
audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, fullpathp ?: "?");
+ fstype = n->dentry->d_sb->s_magic;
if (fullpath)
kfree(fullpath);
} else {
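Review bot: `fstype = n->dentry->d_sb->s_magic;` dereferences `n->dentry` unconditionally; whether that pointer is guaranteed non-NULL in this branch depends on patch 1/3 of the series, which is not visible here, and the series is specifically about inodes whose parents are anonymous. If there is any path into this branch with a NULL `n->dentry`, this turns an audit record into a kernel oops; a cheap guard, `fstype = n->dentry ? n->dentry->d_sb->s_magic : 0;`, keeps the `fstype=?` fallback meaningful instead. A one-line comment stating the invariant ("n->dentry is always set when fullpath was built, see audit_copy_inode") would suffice if it really cannot be NULL. audit_log_name continues beyond both edges of this hunk.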
@@ -2173,6 +2176,10 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
}

audit_log_fcaps(ab, n);
+ if (fstype)
+ audit_log_format(ab, " fstype=0x%lx", fstype);
+ else
+ audit_log_format(ab, " fstype=?");
audit_log_end(ab);
}
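Review bot: The format string `" fstype=0x%lx"` emits a `0x` prefix, but the sample records in the commit description show `fstype=74726163` with no prefix, and the neighbouring hex fields written by audit_log_fcaps (`cap_fp`, `cap_fi` in the sample) are also bare hex; userspace field parsers key on the record format, so the code and the description should agree. Either drop the prefix, `audit_log_format(ab, " fstype=%lx", fstype);`, to match the existing PATH-record convention and the sample output, or update the sample output and state in the description that `fstype` carries a `0x` prefix. Also note the `if (fstype)` test treats a superblock magic of 0 as "unknown"; if that is intended, a short comment such as `/* s_magic of 0 means the fs type could not be determined */` would make it explicit. The enclosing audit_log_name starts outside this hunk.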

--
1.8.3.1