[PATCH 2/2] filesystem auditing: augment audit_inode

Fri Oct 21 12:35:51 UTC 2005

On Thu, Oct 20, 2005 at 10:04:09AM -0500, Timothy R. Chavez wrote:
> > Not too many comments on my first cursory glance.

Thanks for taking a look.

> > diff --git a/fs/open.c b/fs/open.c
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -25,6 +25,7 @@
> >  #include <linux/pagemap.h>
> >  #include <linux/syscalls.h>
> >  #include <linux/rcupdate.h>
> > +#include <linux/audit.h>
> >  
> >  #include <asm/unistd.h>
> >  
> > @@ -609,6 +610,8 @@ asmlinkage long sys_fchmod(unsigned int 
> >  	dentry = file->f_dentry;
> >  	inode = dentry->d_inode;
> >  
> > +	audit_inode(NULL, inode, 0);
> > +
> >  	err = -EROFS;
> >  	if (IS_RDONLY(inode))
> >  		goto out_putf;
> > @@ -732,7 +735,10 @@ asmlinkage long sys_fchown(unsigned int 
> >  
> >  	file = fget(fd);
> >  	if (file) {
> > -		error = chown_common(file->f_dentry, user, group);
> > +		struct dentry * dentry;
> 
> I guess for consistency's sake this should be declared at the top?
> 
> > +		dentry = file->f_dentry;
> > +		audit_inode(NULL, dentry->d_inode, 0);
> > +		error = chown_common(dentry, user, group);
> >  		fput(file);
> >  	}
> >  	return error;

Well, these two functions aren't really consistent between themselves
as is.  sys_fchmod checks for !file and jumps out early.  sys_fchown
encloses the code in a conditional block.  I'd prefer to keep the
declaration local to the block since it should give the compiler
better opportunities for optimization.  I don't think it's any less
readable either.

> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
<snip>
> > @@ -1202,13 +1217,93 @@ void audit_inode(const char *name, const
> >  		++context->ino_count;
> >  #endif
> >  	}
> > -	context->names[idx].flags = flags;
> > -	context->names[idx].ino   = inode->i_ino;
> >  	context->names[idx].dev	  = inode->i_sb->s_dev;
> >  	context->names[idx].mode  = inode->i_mode;
> >  	context->names[idx].uid   = inode->i_uid;
> >  	context->names[idx].gid   = inode->i_gid;
> >  	context->names[idx].rdev  = inode->i_rdev;
> > +	if ((flags & LOOKUP_PARENT) && (strcmp(name, "/") != 0) && 
> > +	    (strcmp(name, ".") != 0)) {
> > +		context->names[idx].ino   = (unsigned long)-1;
> > +		context->names[idx].pino  = inode->i_ino;
> > +	} else {
> > +		context->names[idx].ino   = inode->i_ino;
> > +		context->names[idx].pino  = (unsigned long)-1;
> > +	}
> > +}
> > +
> > +/**
> > + * audit_inode_child - collect inode info for created/removed objects
> > + * @dname: inode's dentry name
> > + * @inode: inode being audited
> > + * @pino: inode number of dentry parent
> > + *
> > + * For syscalls that create or remove filesystem objects, audit_inode
> > + * can only collect information for the filesystem object's parent.
> > + * This call updates the audit context with the child's information.
> > + * Syscalls that create a new filesystem object must be hooked after
> > + * the object is created.  Syscalls that remove a filesystem object
> > + * must be hooked prior, in order to capture the target inode during
> > + * unsuccessful attempts.
> > + */
> > +void __audit_inode_child(const char *dname, const struct inode *inode,
> > +			 unsigned long pino)
> > +{
> > +	int idx;
> > +	struct audit_context *context = current->audit_context;
> 
> Does this process even if !audit_enabled?

Nope.  The audit_inode_child wrapper in audit.h checks for
current->audit_context before calling __audit_inode_child.  You
won't have an audit_context when syscall auditing is disabled.

> 
> > +
> > +	if (!context->in_syscall)
> > +		return;
> > +