Modern mount tools (util-linux >= 2.39.1) use the new mount API (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2) syscall. The generic SYSCALL audit record logs the fsopen syscall but does not capture the filesystem name string, creating an audit gap for filesystem mount operations. Add an FSOPEN auxiliary record that logs the dereferenced filesystem name string passed to fsopen(2). type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC type=FSOPEN ... : fs_name="tmpfs" Link: https://github.com/linux-audit/audit-kernel/issues/152 Signed-off-by: Ricardo Robaina --- fs/fsopen.c | 3 +++ include/linux/audit.h | 10 ++++++++++ include/uapi/linux/audit.h | 1 + kernel/auditsc.c | 13 +++++++++++++ 4 files changed, 27 insertions(+) diff --git a/fs/fsopen.c b/fs/fsopen.c index ae19e5136598..8b07f9d42be2 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -15,6 +15,7 @@ #include #include #include +#include #include "internal.h" #include "mount.h" @@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags) if (ret < 0) goto err_fc; + audit_log_fsopen(fs_name); + return fscontext_create_fd(fc, flags & FSOPEN_CLOEXEC ? O_CLOEXEC : 0); err_fc: diff --git a/include/linux/audit.h b/include/linux/audit.h index 45abb3722d30..077b2667180d 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 offset); extern void __audit_ntp_log(const struct audit_ntp_data *ad); extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op, gfp_t gfp); +extern void __audit_log_fsopen(const char *fs_name); static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { @@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af, __audit_log_nfcfg(name, af, nentries, op, gfp); } +static inline void audit_log_fsopen(const char *fs_name) +{ + if (!audit_dummy_context()) + __audit_log_fsopen(fs_name); +} + extern int audit_n_rules; extern int audit_signals; #else /* CONFIG_AUDITSYSCALL */ @@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 af, enum audit_nfcfgop op, gfp_t gfp) { } +static inline void audit_log_fsopen(const char *fs_name) +{ } + #define audit_n_rules 0 #define audit_signals 0 #endif /* CONFIG_AUDITSYSCALL */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index e8f5ce677df7..abae0524746e 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -122,6 +122,7 @@ #define AUDIT_OPENAT2 1337 /* Record showing openat2 how args */ #define AUDIT_DM_CTRL 1338 /* Device Mapper target control */ #define AUDIT_DM_EVENT 1339 /* Device Mapper events */ +#define AUDIT_FSOPEN 1340 /* Record showing fsopen fs_name arg */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6610e667c728..c82fd5606de5 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); +void __audit_log_fsopen(const char *fs_name) +{ + struct audit_buffer *ab; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN); + if (!ab) + return; + + audit_log_format(ab, "fs_name="); + audit_log_untrustedstring(ab, fs_name); + audit_log_end(ab); +} + static void audit_log_task(struct audit_buffer *ab) { kuid_t auid, uid; -- 2.53.0