[PATCH] log more info for directory entry change events

When an audit event involves changes to a directory entry, include a PATH record for the directory itself. A few other notable changes: - fixed audit_inode_child() hooks in fsnotify_move() - removed unused flags arg from audit_inode() - added audit log routines for logging a portion of a string Here's some sample output. before patch: type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255 type=CWD msg=audit(1149821605.320:26): cwd="/root" type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0 after patch: type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255 type=CWD msg=audit(1149822032.332:24): cwd="/root" type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0 type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0 Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Amy Griffis <amy.griffis@hp.com> 2006-06-08 23:19:31 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2006-06-20 05:25:28 -0400
commit: 9c937dcc71021f2dbf78f904f03d962dd9bcc130 (patch)
tree: 6ab53c1cf1235515307d521cecc4f76afa34e137 /kernel/audit.c
parent: 6a2bceec0ea7fdc47aef9a3f2f771c201eaabe5d (diff)
1 files changed, 50 insertions, 4 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 0fbf1c116363..7dfac7031bd7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1051,20 +1051,53 @@ void audit_log_hex(struct audit_buffer *ab, const unsigned char *buf,
        skb_put(skb, len << 1); /* new string is twice the old string */
 }
+/*
+ * Format a string of no more than slen characters into the audit buffer,
+ * enclosed in quote marks.
+ */
+static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
+                               const char *string)
+{
+        int avail, new_len;
+        unsigned char *ptr;
+        struct sk_buff *skb;
+        BUG_ON(!ab->skb);
+        skb = ab->skb;
+        avail = skb_tailroom(skb);
+        new_len = slen + 3;     /* enclosing quotes + null terminator */
+        if (new_len > avail) {
+                avail = audit_expand(ab, new_len);
+                if (!avail)
+                        return;
+        }
+        ptr = skb->tail;
+        *ptr++ = '"';
+        memcpy(ptr, string, slen);
+        ptr += slen;
+        *ptr++ = '"';
+        *ptr = 0;
+        skb_put(skb, slen + 2); /* don't include null terminator */
+}
 /**
- * audit_log_unstrustedstring - log a string that may contain random characters
+ * audit_log_n_unstrustedstring - log a string that may contain random characters
 * @ab: audit_buffer
+ * @len: lenth of string (not including trailing null)
 * @string: string to be logged
 *
 * This code will escape a string that is passed to it if the string
 * contains a control character, unprintable character, double quote mark,
 * or a space. Unescaped strings will start and end with a double quote mark.
 * Strings that are escaped are printed in hex (2 digits per char).
+ *
+ * The caller specifies the number of characters in the string to log, which may
+ * or may not be the entire string.
 */
-const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
+                                        const char *string)
 {
        const unsigned char *p = string;
-        size_t len = strlen(string);
        while (*p) {
                if (*p == '"' || *p < 0x21 || *p > 0x7f) {
@@ -1073,10 +1106,23 @@ const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *strin
                }
                p++;
        }
-        audit_log_format(ab, "\"%s\"", string);
+        audit_log_n_string(ab, len, string);
        return p + 1;
 }
+/**
+ * audit_log_unstrustedstring - log a string that may contain random characters
+ * @ab: audit_buffer
+ * @string: string to be logged
+ *
+ * Same as audit_log_n_unstrustedstring(), except that strlen is used to
+ * determine string length.
+ */
+const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
+{
+        return audit_log_n_untrustedstring(ab, strlen(string), string);
+}
 /* This is a helper-function to print the escaped d_path */
 void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
                      struct dentry *dentry, struct vfsmount *vfsmnt)
author	Amy Griffis <amy.griffis@hp.com>	2006-06-08 23:19:31 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2006-06-20 05:25:28 -0400
commit	9c937dcc71021f2dbf78f904f03d962dd9bcc130 (patch)
tree	6ab53c1cf1235515307d521cecc4f76afa34e137 /kernel/audit.c
parent	6a2bceec0ea7fdc47aef9a3f2f771c201eaabe5d (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 0fbf1c116363..7dfac7031bd7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1051,20 +1051,53 @@ void audit_log_hex(struct audit_buffer ab, const unsigned char buf,
1051	skb_put(skb, len << 1); /* new string is twice the old string */	1051	skb_put(skb, len << 1); /* new string is twice the old string */
1052	}	1052	}
1053		1053
		1054	/*
		1055	* Format a string of no more than slen characters into the audit buffer,
		1056	* enclosed in quote marks.
		1057	*/
		1058	static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
		1059	const char *string)
		1060	{
		1061	int avail, new_len;
		1062	unsigned char *ptr;
		1063	struct sk_buff *skb;
		1064
		1065	BUG_ON(!ab->skb);
		1066	skb = ab->skb;
		1067	avail = skb_tailroom(skb);
		1068	new_len = slen + 3; /* enclosing quotes + null terminator */
		1069	if (new_len > avail) {
		1070	avail = audit_expand(ab, new_len);
		1071	if (!avail)
		1072	return;
		1073	}
		1074	ptr = skb->tail;
		1075	*ptr++ = '"';
		1076	memcpy(ptr, string, slen);
		1077	ptr += slen;
		1078	*ptr++ = '"';
		1079	*ptr = 0;
		1080	skb_put(skb, slen + 2); /* don't include null terminator */
		1081	}
		1082
1054	/**	1083	/**
1055	* audit_log_unstrustedstring - log a string that may contain random characters	1084	* audit_log_n_unstrustedstring - log a string that may contain random characters
1056	* @ab: audit_buffer	1085	* @ab: audit_buffer
		1086	* @len: lenth of string (not including trailing null)
1057	* @string: string to be logged	1087	* @string: string to be logged
1058	*	1088	*
1059	* This code will escape a string that is passed to it if the string	1089	* This code will escape a string that is passed to it if the string
1060	* contains a control character, unprintable character, double quote mark,	1090	* contains a control character, unprintable character, double quote mark,
1061	* or a space. Unescaped strings will start and end with a double quote mark.	1091	* or a space. Unescaped strings will start and end with a double quote mark.
1062	* Strings that are escaped are printed in hex (2 digits per char).	1092	* Strings that are escaped are printed in hex (2 digits per char).
		1093	*
		1094	* The caller specifies the number of characters in the string to log, which may
		1095	* or may not be the entire string.
1063	*/	1096	*/
1064	const char audit_log_untrustedstring(struct audit_buffer ab, const char *string)	1097	const char audit_log_n_untrustedstring(struct audit_buffer ab, size_t len,
		1098	const char *string)
1065	{	1099	{
1066	const unsigned char *p = string;	1100	const unsigned char *p = string;
1067	size_t len = strlen(string);
1068		1101
1069	while (*p) {	1102	while (*p) {
1070	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7f) {	1103	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7f) {
@@ -1073,10 +1106,23 @@ const char audit_log_untrustedstring(struct audit_buffer ab, const char *strin
1073	}	1106	}
1074	p++;	1107	p++;
1075	}	1108	}
1076	audit_log_format(ab, "\"%s\"", string);	1109	audit_log_n_string(ab, len, string);
1077	return p + 1;	1110	return p + 1;
1078	}	1111	}
1079		1112
		1113	/**
		1114	* audit_log_unstrustedstring - log a string that may contain random characters
		1115	* @ab: audit_buffer
		1116	* @string: string to be logged
		1117	*
		1118	* Same as audit_log_n_unstrustedstring(), except that strlen is used to
		1119	* determine string length.
		1120	*/
		1121	const char audit_log_untrustedstring(struct audit_buffer ab, const char *string)
		1122	{
		1123	return audit_log_n_untrustedstring(ab, strlen(string), string);
		1124	}
		1125
1080	/* This is a helper-function to print the escaped d_path */	1126	/* This is a helper-function to print the escaped d_path */
1081	void audit_log_d_path(struct audit_buffer ab, const char prefix,	1127	void audit_log_d_path(struct audit_buffer ab, const char prefix,
1082	struct dentry dentry, struct vfsmount vfsmnt)	1128	struct dentry dentry, struct vfsmount vfsmnt)