author | David Woodhouse <dwmw2@shinybook.infradead.org> | 2005-05-27 07:17:28 -0400 |
---|---|---|
committer | David Woodhouse <dwmw2@shinybook.infradead.org> | 2005-05-27 07:17:28 -0400 |
commit | 8f37d47c9bf74cb48692691086b482e315d07f40 (patch) | |
tree | b7d35bbd8e78d124455f3abbc9c50134bc9cee0a | |
parent | 7551ced334ce6eb2a7a765309871e619f645add1 (diff) |
AUDIT: Record working directory when syscall arguments are pathnames
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-rw-r--r-- | include/linux/audit.h | 3 | ||||
-rw-r--r-- | kernel/auditsc.c | 23 |
2 files changed, 25 insertions, 1 deletions
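--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -61,11 +61,12 @@
 
 #define AUDIT_SYSCALL 1300 /* Syscall event */
 #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
-#define AUDIT_PATH 1302 /* Filname path information */
+#define AUDIT_PATH 1302 /* Filename path information */
 #define AUDIT_IPC 1303 /* IPC record */
 #define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
 #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
 #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
+#define AUDIT_CWD 1307 /* Current working directory */
 
 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */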
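--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -145,6 +145,8 @@ struct audit_context {
 int auditable; /* 1 if record should be written */
 int name_count;
 struct audit_names names[AUDIT_NAMES];
+struct dentry * pwd;
+struct vfsmount * pwdmnt;
 struct audit_context *previous; /* For nested syscalls */
 struct audit_aux_data *aux;
 
@@ -552,6 +554,12 @@ static inline void audit_free_names(struct audit_context *context)
 if (context->names[i].name)
 __putname(context->names[i].name);
 context->name_count = 0;
+if (context->pwd)
+dput(context->pwd);
+if (context->pwdmnt)
+mntput(context->pwdmnt);
+context->pwd = NULL;
+context->pwdmnt = NULL;
 }
 
 static inline void audit_free_aux(struct audit_context *context)
@@ -745,10 +753,18 @@ static void audit_log_exit(struct audit_context *context)
 audit_log_end(ab);
 }
 
+if (context->pwd && context->pwdmnt) {
+ab = audit_log_start(context, AUDIT_CWD);
+if (ab) {
+audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
+audit_log_end(ab);
+}
+}
 for (i = 0; i < context->name_count; i++) {
 ab = audit_log_start(context, AUDIT_PATH);
 if (!ab)
 continue; /* audit_panic has been called */
+
 audit_log_format(ab, "item=%d", i);
 if (context->names[i].name) {
 audit_log_format(ab, " name=");
@@ -929,6 +945,13 @@ void audit_getname(const char *name)
 context->names[context->name_count].name = name;
 context->names[context->name_count].ino = (unsigned long)-1;
 ++context->name_count;
+if (!context->pwd) {
+read_lock(&current->fs->lock);
+context->pwd = dget(current->fs->pwd);
+context->pwdmnt = mntget(current->fs->pwdmnt);
+read_unlock(&current->fs->lock);
+}
+
 }
 
 /* Intercept a putname request. Called from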
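Review bot: The `cwd=` string is rendered by `audit_log_d_path` in audit_log_exit at syscall exit, not at the point where audit_getname took the `dget`/`mntget` references, so a concurrent rename or unlink of the working directory (or a root change completed by the very syscall being audited) can make the logged string differ from the directory the relative `name=` entries were actually resolved against; the dentry reference pins the object, not its name. I would say so above the `if (context->pwd && context->pwdmnt)` block: `/* Rendered now, not when captured: a rename/unlink of the cwd since audit_getname() changes this string, not what name= resolved against. */`. In audit_getname the `if (!context->pwd)` guard also assumes `pwd` is NULL in a freshly allocated context; audit_free_names now resets it on release, but the allocation path is outside this section, so confirm the context is zeroed there (otherwise the first syscall on a new context would skip the capture or leak a stale pointer). The dput-before-mntput order in audit_free_names is correct and worth a one-line comment, `/* drop the dentry before the mount it lives on */`. audit_log_exit and audit_getname both begin before their hunks, and audit_log_exit continues past its hunk.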