authorDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-05-27 07:17:28 -0400
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-05-27 07:17:28 -0400
commit8f37d47c9bf74cb48692691086b482e315d07f40 (patch)
treeb7d35bbd8e78d124455f3abbc9c50134bc9cee0a
parent7551ced334ce6eb2a7a765309871e619f645add1 (diff)
AUDIT: Record working directory when syscall arguments are pathnames
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-rw-r--r--include/linux/audit.h3
-rw-r--r--kernel/auditsc.c23
2 files changed, 25 insertions, 1 deletions
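--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -61,11 +61,12 @@
 
 #define AUDIT_SYSCALL 1300 /* Syscall event */
 #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
-#define AUDIT_PATH 1302 /* Filname path information */
+#define AUDIT_PATH 1302 /* Filename path information */
 #define AUDIT_IPC 1303 /* IPC record */
 #define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
 #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
 #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
+#define AUDIT_CWD 1307 /* Current working directory */
 
 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */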
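--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -145,6 +145,8 @@ struct audit_context {
  int auditable; /* 1 if record should be written */
  int name_count;
  struct audit_names names[AUDIT_NAMES];
+ struct dentry * pwd;
+ struct vfsmount * pwdmnt;
  struct audit_context *previous; /* For nested syscalls */
  struct audit_aux_data *aux;
 
@@ -552,6 +554,12 @@ static inline void audit_free_names(struct audit_context *context)
  if (context->names[i].name)
  __putname(context->names[i].name);
  context->name_count = 0;
+ if (context->pwd)
+ dput(context->pwd);
+ if (context->pwdmnt)
+ mntput(context->pwdmnt);
+ context->pwd = NULL;
+ context->pwdmnt = NULL;
 }
 
 static inline void audit_free_aux(struct audit_context *context)
@@ -745,10 +753,18 @@ static void audit_log_exit(struct audit_context *context)
  audit_log_end(ab);
  }
 
+ if (context->pwd && context->pwdmnt) {
+ ab = audit_log_start(context, AUDIT_CWD);
+ if (ab) {
+ audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
+ audit_log_end(ab);
+ }
+ }
  for (i = 0; i < context->name_count; i++) {
  ab = audit_log_start(context, AUDIT_PATH);
  if (!ab)
  continue; /* audit_panic has been called */
+
  audit_log_format(ab, "item=%d", i);
  if (context->names[i].name) {
  audit_log_format(ab, " name=");
@@ -929,6 +945,13 @@ void audit_getname(const char *name)
  context->names[context->name_count].name = name;
  context->names[context->name_count].ino = (unsigned long)-1;
  ++context->name_count;
+ if (!context->pwd) {
+ read_lock(&current->fs->lock);
+ context->pwd = dget(current->fs->pwd);
+ context->pwdmnt = mntget(current->fs->pwdmnt);
+ read_unlock(&current->fs->lock);
+ }
+
 }
 
 /* Intercept a putname request. Called from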
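Review bot: The cwd reference taken in audit_getname() (`if (!context->pwd) { ... dget(current->fs->pwd) ... }`) is a snapshot made at the first pathname of the syscall, separately from the lookup that resolves the name, and nothing in the code says so. If, as the `read_lock(&current->fs->lock)` suggests, the fs state can be changed by another task sharing it, the `cwd=` in the AUDIT_CWD record may not be the directory the relative name was actually resolved against, which matters to anyone reconstructing full paths from the log. I would add a comment at the capture such as `/* Snapshot cwd at first getname; may differ from the dir used for lookup if fs is shared */`, and one on the new `pwd`/`pwdmnt` members of struct audit_context noting that the references are held until audit_free_names() drops them. In audit_log_exit(), the `if (ab)` branch skips the CWD record without a comment while the AUDIT_PATH loop right after it documents the same case with `/* audit_panic has been called */`; the same remark would fit there. audit_getname() and audit_log_exit() both start outside the visible hunks.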