> Modern mount tools (util-linux >= 2.39.1) use the new mount API
> (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
> syscall. The generic SYSCALL audit record logs the fsopen syscall but
> does not capture the filesystem name string, creating an audit gap for
> filesystem mount operations.
>
> Add an FSOPEN auxiliary record that logs the dereferenced filesystem
> name string passed to fsopen(2).
>
> type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
> type=FSOPEN ... : fs_name="tmpfs"
>
> Link: https://github.com/linux-audit/audit-kernel/issues/152
> Signed-off-by: Ricardo Robaina <[email protected]>
>
> diff --git a/fs/fsopen.c b/fs/fsopen.c
> index ae19e5136598..8b07f9d42be2 100644
> --- a/fs/fsopen.c
> +++ b/fs/fsopen.c
> @@ -15,6 +15,7 @@
> #include <linux/namei.h>
> #include <linux/file.h>
> #include <uapi/linux/mount.h>
> +#include <linux/audit.h>
> #include "internal.h"
> #include "mount.h"
>
> @@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name,
> unsigned int, flags)
> if (ret < 0)
> goto err_fc;
>
> + audit_log_fsopen(fs_name);
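Review bot: audit_log_fsopen(fs_name) at the end of this hunk reads fs_name after the function has already passed it to kfree(fs_name) (immediately after get_fs_type(fs_name), earlier in the same function), so the new FSOPEN record is built from freed memory, a use-after-free. Move the audit call to before the kfree, once get_fs_type() has returned a valid fs_type, or build the record from the resolved fs_type's name instead of the string copy so nothing needs to outlive the kfree.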
Right above:
fs_type = get_fs_type(fs_name);
kfree(fs_name);
if (!fs_type)
return -ENODEV;
So that's a UAF.
--
Christian Brauner <[email protected]>
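The ordering Christian points out, as an added userspace model (not kernel code and not part of this patch): a poisoning stand-in for kfree() makes the read of the freed fs_name visible instead of undefined, and fsopen_fixed shows one reordering that logs the name while it is still live. All model_* names and the three-entry filesystem table are assumptions made for the illustration.

```c
/* Added userspace model of the ordering bug, not kernel code (model_* names are hypothetical). */
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b   /* 'k': the byte SLUB writes over a freed object */
static char *freed_slot;   /* last model_kfree'd object, kept alive but poisoned */

/* "kfree" that poisons instead of releasing, so the stale read is observable, not UB. */
static void model_kfree(char *p) { memset(p, POISON_FREE, strlen(p)); freed_slot = p; }
static void model_release(void) { free(freed_slot); freed_slot = NULL; }

/* Stand-in for get_fs_type(): 1 if the name is a registered filesystem. */
static int model_get_fs_type(const char *name)
{
	static const char *known[] = { "tmpfs", "ext4", "btrfs" };
	for (size_t i = 0; i < sizeof known / sizeof *known; i++)
		if (strcmp(name, known[i]) == 0)
			return 1;
	return 0;
}

/* Stand-in for audit_log_fsopen(): format the FSOPEN record into rec. */
static void model_audit_log_fsopen(const char *fs_name, char *rec, size_t n)
{
	snprintf(rec, n, "type=FSOPEN fs_name=\"%s\"", fs_name);
}

/* Same order as the patched fsopen(): lookup, kfree, error check, then audit. */
static int fsopen_as_patched(const char *user_name, char *rec, size_t n)
{
	char *fs_name = strdup(user_name);        /* strndup_user() */
	int fs_type = model_get_fs_type(fs_name);
	model_kfree(fs_name);
	if (!fs_type)
		return -1;                            /* -ENODEV */
	model_audit_log_fsopen(fs_name, rec, n);  /* use-after-free: reads the poison */
	return 0;
}

/* One fix: log while fs_name is still live, once the lookup has succeeded. */
static int fsopen_fixed(const char *user_name, char *rec, size_t n)
{
	char *fs_name = strdup(user_name);
	int fs_type = model_get_fs_type(fs_name);
	if (fs_type)
		model_audit_log_fsopen(fs_name, rec, n);
	model_kfree(fs_name);
	return fs_type ? 0 : -1;
}
```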