On Thu, Jul 2, 2026 at 3:59 AM Christian Brauner <[email protected]> wrote: > > > Modern mount tools (util-linux >= 2.39.1) use the new mount API > > (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2) > > syscall. The generic SYSCALL audit record logs the fsopen syscall but > > does not capture the filesystem name string, creating an audit gap for > > filesystem mount operations. > > > > Add an FSOPEN auxiliary record that logs the dereferenced filesystem > > name string passed to fsopen(2). > > > > type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC > > type=FSOPEN ... : fs_name="tmpfs" > > > > Link: https://github.com/linux-audit/audit-kernel/issues/152 > > Signed-off-by: Ricardo Robaina <[email protected]> > > > > diff --git a/fs/fsopen.c b/fs/fsopen.c > > index ae19e5136598..8b07f9d42be2 100644 > > --- a/fs/fsopen.c > > +++ b/fs/fsopen.c > > @@ -15,6 +15,7 @@ > > #include <linux/namei.h> > > #include <linux/file.h> > > #include <uapi/linux/mount.h> > > +#include <linux/audit.h> > > #include "internal.h" > > #include "mount.h" > > > > @@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, > > unsigned int, flags) > > if (ret < 0) > > goto err_fc; > > > > + audit_log_fsopen(fs_name); > > Right above: > > fs_type = get_fs_type(fs_name); > kfree(fs_name); > if (!fs_type) > return -ENODEV; > > So that's a UAF. > > -- > Christian Brauner <[email protected]> >
Thanks for reviewing this patch, Christian! You're right, I missed that. I'll be sending a v2 shortly. -Ricardo

