[PATCH] log more info for directory entry change events
When an audit event involves changes to a directory entry, include
a PATH record for the directory itself. A few other notable changes:
- fixed audit_inode_child() hooks in fsnotify_move()
- removed unused flags arg from audit_inode()
- added audit log routines for logging a portion of a string
Here's some sample output.
before patch:
type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
type=CWD msg=audit(1149821605.320:26): cwd="/root"
type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
after patch:
type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
type=CWD msg=audit(1149822032.332:24): cwd="/root"
type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Amy Griffis
Al Viro
+50
-4
@@ -1051,20 +1051,53 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
|
||||
skb_put(skb, len << 1); /* new string is twice the old string */
|
||||
}
|
||||
|
||||
/*
|
||||
* Format a string of no more than slen characters into the audit buffer,
|
||||
* enclosed in quote marks.
|
||||
*/
|
||||
static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
|
||||
const char *string)
|
||||
{
|
||||
int avail, new_len;
|
||||
unsigned char *ptr;
|
||||
struct sk_buff *skb;
|
||||
|
||||
BUG_ON(!ab->skb);
|
||||
skb = ab->skb;
|
||||
avail = skb_tailroom(skb);
|
||||
new_len = slen + 3; /* enclosing quotes + null terminator */
|
||||
if (new_len > avail) {
|
||||
avail = audit_expand(ab, new_len);
|
||||
if (!avail)
|
||||
return;
|
||||
}
|
||||
ptr = skb->tail;
|
||||
*ptr++ = '"';
|
||||
memcpy(ptr, string, slen);
|
||||
ptr += slen;
|
||||
*ptr++ = '"';
|
||||
*ptr = 0;
|
||||
skb_put(skb, slen + 2); /* don't include null terminator */
|
||||
}
|
||||
|
||||
/**
|
||||
* audit_log_unstrustedstring - log a string that may contain random characters
|
||||
* audit_log_n_unstrustedstring - log a string that may contain random characters
|
||||
* @ab: audit_buffer
|
||||
* @len: lenth of string (not including trailing null)
|
||||
* @string: string to be logged
|
||||
*
|
||||
* This code will escape a string that is passed to it if the string
|
||||
* contains a control character, unprintable character, double quote mark,
|
||||
* or a space. Unescaped strings will start and end with a double quote mark.
|
||||
* Strings that are escaped are printed in hex (2 digits per char).
|
||||
*
|
||||
* The caller specifies the number of characters in the string to log, which may
|
||||
* or may not be the entire string.
|
||||
*/
|
||||
const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
|
||||
const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
|
||||
const char *string)
|
||||
{
|
||||
const unsigned char *p = string;
|
||||
size_t len = strlen(string);
|
||||
|
||||
while (*p) {
|
||||
if (*p == '"' || *p < 0x21 || *p > 0x7f) {
|
||||
@@ -1073,10 +1106,23 @@ const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *strin
|
||||
}
|
||||
p++;
|
||||
}
|
||||
audit_log_format(ab, "\"%s\"", string);
|
||||
audit_log_n_string(ab, len, string);
|
||||
return p + 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* audit_log_unstrustedstring - log a string that may contain random characters
|
||||
* @ab: audit_buffer
|
||||
* @string: string to be logged
|
||||
*
|
||||
* Same as audit_log_n_unstrustedstring(), except that strlen is used to
|
||||
* determine string length.
|
||||
*/
|
||||
const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
|
||||
{
|
||||
return audit_log_n_untrustedstring(ab, strlen(string), string);
|
||||
}
|
||||
|
||||
/* This is a helper-function to print the escaped d_path */
|
||||
void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
|
||||
struct dentry *dentry, struct vfsmount *vfsmnt)
|
||||
|
||||
Reference in New Issue
Block a user