[PATCH] get dev value for inode audit records - take 3

Chris Wright chrisw at osdl.org
Wed Mar 2 01:36:22 UTC 2005


* Chris Wright (chrisw at osdl.org) wrote:
> This one does mode (including upper bits), uid, gid, dev, ino, rdev
> (do we want to keep that?).  Erich, does this let you filter on dev/ino
> pair as expected?

I tested filtering, works as expected.  This generates something like:

type=KERNEL msg=audit(1109726066.172:15813214): item=0 name=/etc/passwd inode=8916426 dev=fd:00 mode=0100644 uid=0 gid=0 rdev=00:00

Any issues before pushing it upstream?

thanks,
-chris
-- 

Inode audit records are currently only showing name, inode, and dev.
The device is calculated incorrectly, and similarly dev-based filtering
is broken.  Fix device node problems and add some more useful data to
inode audit record -- mode, uid, gid of inode.

Signed-off-by: Chris Wright <chrisw at osdl.org>

--- linus-2.6/kernel/auditsc.c~audit-inode-dev	2005-02-25 18:28:12.000000000 -0800
+++ linus-2.6/kernel/auditsc.c	2005-03-01 14:38:36.000000000 -0800
@@ -89,6 +89,10 @@ enum audit_state {
 struct audit_names {
 	const char	*name;
 	unsigned long	ino;
+	dev_t		dev;
+	umode_t		mode;
+	uid_t		uid;
+	gid_t		gid;
 	dev_t		rdev;
 };
 
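Review bot: The two `dev_t` members of `struct audit_names` are easy to confuse — the filter code in this very patch had been comparing `rdev` where `dev` was meant — and neither added field carries a comment saying which device it holds. Suggest documenting them at the declaration, matching the assignments in audit_inode(): `dev_t dev; /* device holding the inode (i_sb->s_dev) */` and `dev_t rdev; /* device number of a special file (i_rdev) */`. A one-word comment on `mode` noting it is the full `i_mode` (type bits included) would also save the reader a trip to audit_inode().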
@@ -338,7 +342,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_DEVMAJOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MAJOR(ctx->names[j].rdev)==value) {
+					if (MAJOR(ctx->names[j].dev)==value) {
 						++result;
 						break;
 					}
@@ -348,7 +352,7 @@ static int audit_filter_rules(struct tas
 		case AUDIT_DEVMINOR:
 			if (ctx) {
 				for (j = 0; j < ctx->name_count; j++) {
-					if (MINOR(ctx->names[j].rdev)==value) {
+					if (MINOR(ctx->names[j].dev)==value) {
 						++result;
 						break;
 					}
@@ -616,12 +620,14 @@ static void audit_log_exit(struct audit_
 			audit_log_format(ab, " name=%s",
 					 context->names[i].name);
 		if (context->names[i].ino != (unsigned long)-1)
-			audit_log_format(ab, " inode=%lu",
-					 context->names[i].ino);
-		/* FIXME: should use format_dev_t, but ab structure is
-		 * opaque. */
-		if (context->names[i].rdev != -1)
-			audit_log_format(ab, " dev=%02x:%02x",
+			audit_log_format(ab, " inode=%lu dev=%02x:%02x mode=%#o"
+					     " uid=%d gid=%d rdev=%02x:%02x",
+					 context->names[i].ino,
+					 MAJOR(context->names[i].dev),
+					 MINOR(context->names[i].dev),
+					 context->names[i].mode,
+					 context->names[i].uid,
+					 context->names[i].gid,
 					 MAJOR(context->names[i].rdev),
 					 MINOR(context->names[i].rdev));
 		audit_log_end(ab);
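Review bot: `uid=%d gid=%d` in the new format string prints `context->names[i].uid` and `.gid` as signed, but `uid_t`/`gid_t` are unsigned in the kernel, so ids above INT_MAX would appear negative in the record; `%u` matches the field types. The removed FIXME pointed at `format_dev_t`, which as far as I recall renders device numbers as decimal `%u:%u`, whereas the new line keeps hex `%02x:%02x` (the `dev=fd:00` shown in the message above); anything comparing the record against `stat`'s decimal major/minor has to convert, so either state the radix in a comment or switch to `%u:%u` to match the rest of the kernel. audit_log_exit() begins and ends outside this hunk.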
@@ -814,7 +820,6 @@ void audit_getname(const char *name)
 	BUG_ON(context->name_count >= AUDIT_NAMES);
 	context->names[context->name_count].name = name;
 	context->names[context->name_count].ino  = (unsigned long)-1;
-	context->names[context->name_count].rdev = -1;
 	++context->name_count;
 }
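Review bot: Dropping `rdev = -1` here leaves `dev`, `mode`, `uid`, `gid` and `rdev` of a freshly added name unset until audit_inode() fills them, and nothing in this patch replaces that sentinel. audit_log_exit() guards the new fields behind `ino != -1`, but the AUDIT_DEVMAJOR/AUDIT_DEVMINOR loops (hunks at `@@ -338` and `@@ -348`) read `names[j].dev` for every entry up to `name_count` regardless, so a name whose lookup never reached audit_inode() could match a dev filter on whatever the slot held before, if name slots are reused across syscalls. Consider initialising `context->names[context->name_count].dev = 0;` alongside `ino` here, or having the filter loops skip entries with `ino == (unsigned long)-1`.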
 
@@ -860,7 +865,7 @@ void audit_putname(const char *name)
 
 /* Store the inode and device from a lookup.  Called from
  * fs/namei.c:path_lookup(). */
-void audit_inode(const char *name, unsigned long ino, dev_t rdev)
+void audit_inode(const char *name, const struct inode *inode)
 {
 	int idx;
 	struct audit_context *context = current->audit_context;
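Review bot: The header comment two lines above the new signature still says the function stores "the inode and device", while the rewritten body (next hunk) also records mode, uid, gid and rdev from the passed `inode`. Suggest `/* Store the inode number, device, mode, owner and rdev from a lookup.  Called from fs/namei.c:path_lookup(). */` so the comment matches what callers now get. audit_inode()'s body continues past this hunk.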
@@ -886,8 +891,12 @@ void audit_inode(const char *name, unsig
 		++context->ino_count;
 #endif
 	}
-	context->names[idx].ino  = ino;
-	context->names[idx].rdev = rdev;
+	context->names[idx].ino  = inode->i_ino;
+	context->names[idx].dev	 = inode->i_sb->s_dev;
+	context->names[idx].mode = inode->i_mode;
+	context->names[idx].uid  = inode->i_uid;
+	context->names[idx].gid  = inode->i_gid;
+	context->names[idx].rdev = inode->i_rdev;
 }
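Review bot: The `dev` assignment aligns its `=` with a tab where the neighbouring `ino`, `mode`, `uid`, `gid` and `rdev` lines use spaces, so the column only lines up at one tab width; `context->names[idx].dev  = inode->i_sb->s_dev;` keeps the block consistent. Style only — the function starts before this hunk.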
 
 void audit_get_stamp(struct audit_context *ctx,
--- linus-2.6/include/linux/audit.h~audit-inode-dev	2005-02-24 16:28:23.000000000 -0800
+++ linus-2.6/include/linux/audit.h	2005-02-25 18:39:26.000000000 -0800
@@ -131,6 +131,9 @@ struct audit_context;
 #endif
 
 #ifdef CONFIG_AUDITSYSCALL
+/* forward decl for audit_inode */
+struct inode;
+
 /* These are defined in auditsc.c */
 				/* Public API */
 extern int  audit_alloc(struct task_struct *task);
@@ -141,7 +144,7 @@ extern void audit_syscall_entry(struct t
 extern void audit_syscall_exit(struct task_struct *task, int return_code);
 extern void audit_getname(const char *name);
 extern void audit_putname(const char *name);
-extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+extern void audit_inode(const char *name, const struct inode *inode);
 
 				/* Private API (for audit.c only) */
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
@@ -157,7 +160,7 @@ extern uid_t audit_get_loginuid(struct a
 #define audit_syscall_exit(t,r) do { ; } while (0)
 #define audit_getname(n) do { ; } while (0)
 #define audit_putname(n) do { ; } while (0)
-#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_inode(n,i) do { ; } while (0)
 #define audit_get_loginuid(c) ({ -1; })
 #endif
 
--- linus-2.6/fs/namei.c~audit-inode-dev	2005-02-24 16:55:32.000000000 -0800
+++ linus-2.6/fs/namei.c	2005-02-25 18:39:26.000000000 -0800
@@ -992,9 +992,7 @@ int fastcall path_lookup(const char *nam
 	retval = link_path_walk(name, nd);
 	if (unlikely(current->audit_context
 		     && nd && nd->dentry && nd->dentry->d_inode))
-		audit_inode(name,
-			    nd->dentry->d_inode->i_ino,
-			    nd->dentry->d_inode->i_rdev);
+		audit_inode(name, nd->dentry->d_inode);
 	return retval;
 }
 



