Re: [RFC][PATCH] audit: get inode pathname patch

[Mimi Zohar]

On Tue, 2008-08-12 at 19:47 -0400, Steve Grubb wrote:
 On Wednesday 06 August 2008 10:36:46 Mimi Zohar wrote:
  We are interested in using auditing's context pathname information.  
  Is this the best way of accessing it?
 
  Add support for accessing auditing's inode full pathname.
 
 What would this be used for? Al could you comment on this? Would there be 
 locking issues?

The IMA measurement hash list contains a file name hint. Using
a full pathname, when available, would be nice.

Mimi

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [RFC][PATCH] audit: get inode pathname patch

[Steve Grubb]

On Wednesday 06 August 2008 10:36:46 Mimi Zohar wrote:
 We are interested in using auditing's context pathname information.  
 Is this the best way of accessing it?

 Add support for accessing auditing's inode full pathname.

What would this be used for? Al could you comment on this? Would there be 
locking issues?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: [RFC][PATCH] audit: get inode pathname patch

[Serge E. Hallyn]

Quoting Mimi Zohar ([EMAIL PROTECTED]):
 We are interested in using auditing's context pathname information.  
 Is this the best way of accessing it?
 
 Add support for accessing auditing's inode full pathname.

Interesting idea.  It does seem to do what you need.

-serge

 Signed-off-by: Mimi Zohar [EMAIL PROTECTED]
 
 Index: security-testing-2.6/include/linux/audit.h
 ===
 --- security-testing-2.6.orig/include/linux/audit.h
 +++ security-testing-2.6/include/linux/audit.h
 @@ -403,6 +403,8 @@ extern void audit_syscall_entry(int arch
   unsigned long a2, unsigned long a3);
  extern void audit_syscall_exit(int failed, long return_code);
  extern void __audit_getname(const char *name);
 +extern const char *audit_get_inode_pathname(struct task_struct *tsk,
 + struct inode *inode);
  extern void audit_putname(const char *name);
  extern void __audit_inode(const char *name, const struct dentry *dentry);
  extern void __audit_inode_child(const char *dname, const struct dentry 
 *dentry,
 Index: security-testing-2.6/kernel/auditsc.c
 ===
 --- security-testing-2.6.orig/kernel/auditsc.c
 +++ security-testing-2.6/kernel/auditsc.c
 @@ -1677,6 +1677,28 @@ retry:
  #endif
  }
 
 +const char *audit_get_inode_pathname(struct task_struct *tsk,
 +  struct inode *inode)
 +{
 + struct audit_context *context;
 + int idx;
 +
 + context = tsk-audit_context;
 + if (!context)
 + return NULL;
 + for (idx = 0; idx  context-name_count; idx++) {
 + struct audit_names *n = context-names[idx];
 +
 + if (!n-name)
 + continue;
 +
 + if (n-ino == inode-i_ino)
 + return n-name;
 + }
 + return NULL;
 +}
 +EXPORT_SYMBOL_GPL(audit_get_inode_pathname);
 +
  /**
   * audit_getname - add a name to the list
   * @name: name to add
 
 
 --
 Linux-audit mailing list
 Linux-audit@redhat.com
 https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit