fs: add link restriction audit reporting

Adds audit messages for unexpected link restriction violations so that system owners will have some sort of potentially actionable information about misbehaving processes. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Kees Cook <keescook@chromium.org> 2012-07-25 20:29:08 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-07-29 13:43:08 -0400
commit: a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc (patch)
tree: f8ab532f946ec7f9ccdabb6a394d952981084122 /kernel/audit.c
parent: 800179c9b8a1e796e441674776d11cd4c05d61d7 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c7f2c61416b..fda8bd9e1d3a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1450,6 +1450,27 @@ void audit_log_key(struct audit_buffer *ab, char *key)
 }
 /**
+ * audit_log_link_denied - report a link restriction denial
+ * @operation: specific link opreation
+ * @link: the path that triggered the restriction
+ */
+void audit_log_link_denied(const char *operation, struct path *link)
+{
+        struct audit_buffer *ab;
+        ab = audit_log_start(current->audit_context, GFP_KERNEL,
+                             AUDIT_ANOM_LINK);
+        audit_log_format(ab, "op=%s action=denied", operation);
+        audit_log_format(ab, " pid=%d comm=", current->pid);
+        audit_log_untrustedstring(ab, current->comm);
+        audit_log_d_path(ab, " path=", link);
+        audit_log_format(ab, " dev=");
+        audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
+        audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
+        audit_log_end(ab);
+}
+/**
 * audit_log_end - end one audit record
 * @ab: the audit_buffer
 *
author	Kees Cook <keescook@chromium.org>	2012-07-25 20:29:08 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-07-29 13:43:08 -0400
commit	a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc (patch)
tree	f8ab532f946ec7f9ccdabb6a394d952981084122 /kernel/audit.c
parent	800179c9b8a1e796e441674776d11cd4c05d61d7 (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 1c7f2c61416b..fda8bd9e1d3a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1450,6 +1450,27 @@ void audit_log_key(struct audit_buffer ab, char key)
1450	}	1450	}
1451		1451
1452	/**	1452	/**
		1453	* audit_log_link_denied - report a link restriction denial
		1454	* @operation: specific link opreation
		1455	* @link: the path that triggered the restriction
		1456	*/
		1457	void audit_log_link_denied(const char operation, struct path link)
		1458	{
		1459	struct audit_buffer *ab;
		1460
		1461	ab = audit_log_start(current->audit_context, GFP_KERNEL,
		1462	AUDIT_ANOM_LINK);
		1463	audit_log_format(ab, "op=%s action=denied", operation);
		1464	audit_log_format(ab, " pid=%d comm=", current->pid);
		1465	audit_log_untrustedstring(ab, current->comm);
		1466	audit_log_d_path(ab, " path=", link);
		1467	audit_log_format(ab, " dev=");
		1468	audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
		1469	audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
		1470	audit_log_end(ab);
		1471	}
		1472
		1473	/**
1453	* audit_log_end - end one audit record	1474	* audit_log_end - end one audit record
1454	* @ab: the audit_buffer	1475	* @ab: the audit_buffer
1455	*	1476	*