diff options
| -rw-r--r-- | fs/namei.c | 2 | ||||
| -rw-r--r-- | include/linux/audit.h | 4 | ||||
| -rw-r--r-- | kernel/audit.c | 21 |
3 files changed, 27 insertions, 0 deletions
diff --git a/fs/namei.c b/fs/namei.c index 3861d85f8488..618d3531cf9f 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
| @@ -692,6 +692,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd) | |||
| 692 | 692 | ||
| 693 | path_put_conditional(link, nd); | 693 | path_put_conditional(link, nd); |
| 694 | path_put(&nd->path); | 694 | path_put(&nd->path); |
| 695 | audit_log_link_denied("follow_link", link); | ||
| 695 | return -EACCES; | 696 | return -EACCES; |
| 696 | } | 697 | } |
| 697 | 698 | ||
| @@ -760,6 +761,7 @@ static int may_linkat(struct path *link) | |||
| 760 | capable(CAP_FOWNER)) | 761 | capable(CAP_FOWNER)) |
| 761 | return 0; | 762 | return 0; |
| 762 | 763 | ||
| 764 | audit_log_link_denied("linkat", link); | ||
| 763 | return -EPERM; | 765 | return -EPERM; |
| 764 | } | 766 | } |
| 765 | 767 | ||
diff --git a/include/linux/audit.h b/include/linux/audit.h index 22f292a917a3..36abf2aa7e68 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -130,6 +130,7 @@ | |||
| 130 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 | 130 | #define AUDIT_LAST_KERN_ANOM_MSG 1799 |
| 131 | #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ | 131 | #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ |
| 132 | #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ | 132 | #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ |
| 133 | #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ | ||
| 133 | #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ | 134 | #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ |
| 134 | #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */ | 135 | #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */ |
| 135 | #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ | 136 | #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ |
| @@ -687,6 +688,8 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
| 687 | const struct path *path); | 688 | const struct path *path); |
| 688 | extern void audit_log_key(struct audit_buffer *ab, | 689 | extern void audit_log_key(struct audit_buffer *ab, |
| 689 | char *key); | 690 | char *key); |
| 691 | extern void audit_log_link_denied(const char *operation, | ||
| 692 | struct path *link); | ||
| 690 | extern void audit_log_lost(const char *message); | 693 | extern void audit_log_lost(const char *message); |
| 691 | #ifdef CONFIG_SECURITY | 694 | #ifdef CONFIG_SECURITY |
| 692 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); | 695 | extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); |
| @@ -716,6 +719,7 @@ extern int audit_enabled; | |||
| 716 | #define audit_log_untrustedstring(a,s) do { ; } while (0) | 719 | #define audit_log_untrustedstring(a,s) do { ; } while (0) |
| 717 | #define audit_log_d_path(b, p, d) do { ; } while (0) | 720 | #define audit_log_d_path(b, p, d) do { ; } while (0) |
| 718 | #define audit_log_key(b, k) do { ; } while (0) | 721 | #define audit_log_key(b, k) do { ; } while (0) |
| 722 | #define audit_log_link_denied(o, l) do { ; } while (0) | ||
| 719 | #define audit_log_secctx(b,s) do { ; } while (0) | 723 | #define audit_log_secctx(b,s) do { ; } while (0) |
| 720 | #define audit_enabled 0 | 724 | #define audit_enabled 0 |
| 721 | #endif | 725 | #endif |
diff --git a/kernel/audit.c b/kernel/audit.c index 1c7f2c61416b..fda8bd9e1d3a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c | |||
| @@ -1450,6 +1450,27 @@ void audit_log_key(struct audit_buffer *ab, char *key) | |||
| 1450 | } | 1450 | } |
| 1451 | 1451 | ||
| 1452 | /** | 1452 | /** |
| 1453 | * audit_log_link_denied - report a link restriction denial | ||
| 1454 | * @operation: specific link opreation | ||
| 1455 | * @link: the path that triggered the restriction | ||
| 1456 | */ | ||
| 1457 | void audit_log_link_denied(const char *operation, struct path *link) | ||
| 1458 | { | ||
| 1459 | struct audit_buffer *ab; | ||
| 1460 | |||
| 1461 | ab = audit_log_start(current->audit_context, GFP_KERNEL, | ||
| 1462 | AUDIT_ANOM_LINK); | ||
| 1463 | audit_log_format(ab, "op=%s action=denied", operation); | ||
| 1464 | audit_log_format(ab, " pid=%d comm=", current->pid); | ||
| 1465 | audit_log_untrustedstring(ab, current->comm); | ||
| 1466 | audit_log_d_path(ab, " path=", link); | ||
| 1467 | audit_log_format(ab, " dev="); | ||
| 1468 | audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id); | ||
| 1469 | audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino); | ||
| 1470 | audit_log_end(ab); | ||
| 1471 | } | ||
| 1472 | |||
| 1473 | /** | ||
| 1453 | * audit_log_end - end one audit record | 1474 | * audit_log_end - end one audit record |
| 1454 | * @ab: the audit_buffer | 1475 | * @ab: the audit_buffer |
| 1455 | * | 1476 | * |