[PATCH ghak8 ALT4 V4 3/3] audit: add new filetypes CREATE_ANON and PARENT_ANON

Richard Guy Briggs rgb at redhat.com
Mon Feb 12 05:02:23 UTC 2018


Use the new filetypes PARENT_ANON and CREATE_ANON to indicate that the
supplied pathname is incomplete: it is relative to an anonymous parent
mountpoint on the filesystem whose type is noted in the fstype field.

Sample output:
type=PATH msg=audit(1514350593.987:136): item=808 name="events/nfs4/nfs4_setclientid" inode=16778 dev=00:0b mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT_ANON cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=0x74726163
type=PATH msg=audit(1514350593.987:136): item=809 name="events/nfs4/nfs4_setclientid/format" inode=16783 dev=00:0b mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE_ANON cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=0x74726163

See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
 include/linux/audit.h | 2 ++
 kernel/audit.c        | 6 ++++++
 kernel/auditsc.c      | 6 ++++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2020f1d..828e451 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -105,6 +105,8 @@ struct audit_field {
 #define	AUDIT_TYPE_PARENT	2	/* a parent audit record */
 #define	AUDIT_TYPE_CHILD_DELETE 3	/* a child being deleted */
 #define	AUDIT_TYPE_CHILD_CREATE 4	/* a child being created */
+#define	AUDIT_TYPE_PARENT_ANON	5	/* an anonymous parent audit record */
+#define	AUDIT_TYPE_CHILD_ANON	6	/* an anonymous child being created */
 
 /* maximized args number that audit_socketcall can process */
 #define AUDITSC_ARGS		6
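Review bot: The new define AUDIT_TYPE_CHILD_ANON breaks the naming pattern of its neighbours, where AUDIT_TYPE_CHILD_CREATE is the value logged as CREATE and the name states what the child is doing; the string this value produces in kernel/audit.c is CREATE_ANON, so a reader grepping for CREATE_ANON never lands on the define. Naming it `AUDIT_TYPE_CHILD_CREATE_ANON`, or at minimum recording the emitted string in the comment, `#define AUDIT_TYPE_CHILD_ANON 6 /* an anonymous child being created (logged as CREATE_ANON) */`, keeps the header self-describing. These live in the kernel-internal include/linux/audit.h rather than uapi, which is fine, but the nametype= strings they produce are user-visible, so the comment is the only place that link is documented.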
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c9d0a4..64f0025 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2170,6 +2170,12 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
 	case AUDIT_TYPE_CHILD_CREATE:
 		audit_log_format(ab, "CREATE");
 		break;
+	case AUDIT_TYPE_CHILD_ANON:
+		audit_log_format(ab, "CREATE_ANON");
+		break;
+	case AUDIT_TYPE_PARENT_ANON:
+		audit_log_format(ab, "PARENT_ANON");
+		break;
 	default:
 		audit_log_format(ab, "UNKNOWN");
 		break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b73ede0..903595ec 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1940,7 +1940,7 @@ void __audit_inode_child(struct inode *parent,
 
 	if (!found_parent) {
 		/* create a new, "anonymous" parent record */
-		n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
+		n = audit_alloc_name(context, AUDIT_TYPE_PARENT_ANON);
 		if (!n)
 			return;
 		audit_copy_inode(n, NULL, parent);
@@ -1966,8 +1966,10 @@ void __audit_inode_child(struct inode *parent,
 		audit_copy_inode(found_child, dentry, inode);
 	else
 		found_child->ino = AUDIT_INO_UNSET;
-	if (!found_parent)
+	if (!found_parent) {
 		found_child->dentry = dget(dentry);
+		found_child->type = AUDIT_TYPE_CHILD_ANON;
+	}
 }
 EXPORT_SYMBOL_GPL(__audit_inode_child);
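Review bot: The added `found_child->type = AUDIT_TYPE_CHILD_ANON;` overrides the child entry's type whenever no parent entry was found, regardless of what that type was, and the new type is always logged as CREATE_ANON. If __audit_inode_child is also reached for child deletions — AUDIT_TYPE_CHILD_DELETE exists in the header, and the function's other parameters and its earlier lookup logic are outside this hunk — a child unlinked from an anonymous parent would be reported as a creation. Guarding the override, `if (found_child->type == AUDIT_TYPE_CHILD_CREATE) found_child->type = AUDIT_TYPE_CHILD_ANON;`, or introducing a matching DELETE_ANON value, keeps the record's create/delete semantics intact. __audit_inode_child begins before this hunk.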
 
-- 
1.8.3.1



