On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs <r...@redhat.com> wrote: > Audit link denied events for symlinks were missing the parent PATH > record. Add it. Since the full pathname may not be available, > reconstruct it from the path in the nameidata supplied. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > fs/namei.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/fs/namei.c b/fs/namei.c > index 0edf133..bf1c046b 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -923,6 +923,7 @@ static inline int may_follow_link(struct nameidata *nd) > const struct inode *inode; > const struct inode *parent; > kuid_t puid; > + char *pathname; > > if (!sysctl_protected_symlinks) > return 0; > @@ -945,6 +946,14 @@ static inline int may_follow_link(struct nameidata *nd) > if (nd->flags & LOOKUP_RCU) > return -ECHILD; > > + pathname = kmalloc(PATH_MAX + 1, GFP_KERNEL); > + if (!pathname) > + return -ENOMEM; > + audit_inode(getname_kernel(d_absolute_path(&nd->stack[0].link, > pathname, > + PATH_MAX + 1)), > + nd->stack[0].link.dentry, 0);
Hmm, it's been a while since I've looked at the audit vfs/inode code, but isn't the audit_inode() call directly above effectively a duplicate of the audit_inode(nd->name, nd->stack[0].link.dentry, 0) call you added in patch 3/4? > + audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, > LOOKUP_PARENT); > + > audit_inode(nd->name, nd->stack[0].link.dentry, 0); > audit_log_link_denied("follow_link", &nd->stack[0].link); > return -EACCES; > -- > 1.8.3.1 -- paul moore www.paul-moore.com
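Review bot: in the second hunk the buffer obtained with kmalloc(PATH_MAX + 1, GFP_KERNEL) is never released: the function falls through to `return -EACCES;` with no kfree(pathname), so every denied symlink follow leaks PATH_MAX + 1 bytes of kernel memory, and since the denial path is reachable by unprivileged users that is an easy way to exhaust memory. The same line has two more problems: d_absolute_path() can return an ERR_PTR instead of a string, and that value is passed straight to getname_kernel() with no IS_ERR() check; and the struct filename returned by getname_kernel() is never dropped with putname(), so it leaks as well. Suggested shape: check the d_absolute_path() result with IS_ERR() before use, keep the getname_kernel() result in a local so it can be released with putname() after audit_inode(), and kfree(pathname) before every return after the allocation. If the extra audit_inode() really is redundant with the unconditional audit_inode(nd->name, nd->stack[0].link.dentry, 0) a few lines below (as the reply above suggests), dropping the allocation and the d_absolute_path() call altogether removes all three issues and leaves only the new parent-record call `audit_inode(nd->name, nd->stack[0].link.dentry->d_parent, LOOKUP_PARENT);`.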