We are interested in using auditing's context pathname information.
Is this the best way of accessing it?
Add support for accessing auditing's inode full pathname.
Signed-off-by: Mimi Zohar <[EMAIL PROTECTED]>
Index: security-testing-2.6/include/linux/audit.h
===================================================================
--- security-testing-2.6.orig/include/linux/audit.h
+++ security-testing-2.6/include/linux/audit.h
@@ -403,6 +403,8 @@ extern void audit_syscall_entry(int arch
unsigned long a2, unsigned long a3);
extern void audit_syscall_exit(int failed, long return_code);
extern void __audit_getname(const char *name);
+extern const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode);
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const char *dname, const struct dentry *dentry,
Index: security-testing-2.6/kernel/auditsc.c
===================================================================
--- security-testing-2.6.orig/kernel/auditsc.c
+++ security-testing-2.6/kernel/auditsc.c
@@ -1677,6 +1677,28 @@ retry:
#endif
}
+const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode)
+{
+ struct audit_context *context;
+ int idx;
+
+ context = tsk->audit_context;
+ if (!context)
+ return NULL;
+ for (idx = 0; idx < context->name_count; idx++) {
+ struct audit_names *n = &context->names[idx];
+
+ if (!n->name)
+ continue;
+
+ if (n->ino == inode->i_ino)
+ return n->name;
+ }
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(audit_get_inode_pathname);
+
/**
* audit_getname - add a name to the list
* @name: name to add
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
