Append a new fstype field that gives the filesystem type magic value in
hexadecimal to help identify previously null PATH records produced by
audit_inode_child logging requests on inodes with anonymous parents.

Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): 
proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 
name=events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE 
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 
fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=796 
name=events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 
ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT 
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 
fstype=74726163
...
type=PATH msg=audit(1488317694.446:143): item=1 name=events/nfs4 inode=15571 
dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:tracefs_t:s0 nametype=CREATE cap_fp=0000000000000000 
cap_fi=0000000000000000 cap_fe=0 cap_fver=0 fstype=74726163
type=PATH msg=audit(1488317694.446:143): item=0 name=events inode=119 dev=00:09 
mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 
nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 
cap_fver=0 fstype=74726163
type=KERN_MODULE msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 
success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" 
subj=system_u:system_r:insmod_t:s0 key="mod-load"

See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
 kernel/audit.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c
index 0c8d5a8..1c9d0a4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2076,6 +2076,8 @@ void audit_log_name(struct audit_context *context, struct 
audit_names *n,
                    const struct path *path, int record_num, int *call_panic)
 {
        struct audit_buffer *ab;
+       unsigned long fstype;
+       
        ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
        if (!ab)
                return;
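Review bot: `unsigned long fstype;` is added without an initializer, but the second hunk assigns it only inside the branch that closes at `} else {`, and the third hunk reads it unconditionally before `audit_log_end(ab)`; when the else branch is taken, `if (fstype)` and the `%lx` conversion operate on an indeterminate value, which is undefined behaviour and in practice copies leftover stack contents into the audit record. Initialize it at the declaration, `unsigned long fstype = 0;`, so the else path falls through to the `fstype=?` output as the third hunk appears to intend. The added blank line after the declaration also carries trailing whitespace, which checkpatch flags. audit_log_name's body continues outside this hunk.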
@@ -2120,6 +2122,7 @@ void audit_log_name(struct audit_context *context, struct 
audit_names *n,
                }
                audit_log_format(ab, " name=");
                audit_log_untrustedstring(ab, fullpathp ?: "?");
+               fstype = n->dentry->d_sb->s_magic;
                if (fullpath)
                        kfree(fullpath);
        } else {
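Review bot: The added line dereferences `n->dentry->d_sb` with no check that `n->dentry` is non-NULL; whether every audit_names entry that reaches this branch carries a dentry is not visible from the hunk, and if any does not, the logging path oopses rather than emitting an incomplete record. If that guarantee does not hold, guard the read: `if (n->dentry) fstype = n->dentry->d_sb->s_magic;`. The enclosing function starts and ends outside this hunk.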
@@ -2173,6 +2176,10 @@ void audit_log_name(struct audit_context *context, 
struct audit_names *n,
        }
 
        audit_log_fcaps(ab, n);
+       if (fstype)
+               audit_log_format(ab, " fstype=0x%lx", fstype);
+       else
+               audit_log_format(ab, " fstype=?");
        audit_log_end(ab);
 }
 
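Review bot: The format string `" fstype=0x%lx"` emits a `0x` prefix, whereas the sample output in the commit message shows `fstype=74726163` and the other hexadecimal fields in that output (`arch=c000003e`, `cap_fp=0000000000000000`) carry no prefix; userspace record parsers rely on one consistent convention, so either the format or the sample is wrong. Consider `audit_log_format(ab, " fstype=%lx", fstype);` and keeping the `fstype=?` fallback as written. Note also that, because 0 is used as the "not set" sentinel, a filesystem whose `s_magic` really is zero (if any exists) would be reported as `?` rather than `0`; a short comment on the `if (fstype)` line stating that intent would help the next reader.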
-- 
1.8.3.1
