Modern mount tools (util-linux >= 2.39.1) use the new mount API
(fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
syscall. The generic SYSCALL audit record logs the fsopen syscall but
does not capture the filesystem name string, creating an audit gap for
filesystem mount operations.

Add an FSOPEN auxiliary record that logs the dereferenced filesystem
name string passed to fsopen(2).

  type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
  type=FSOPEN  ... : fs_name="tmpfs"

Link: https://github.com/linux-audit/audit-kernel/issues/152
Signed-off-by: Ricardo Robaina <[email protected]>
---
 fs/fsopen.c                |  3 +++
 include/linux/audit.h      | 10 ++++++++++
 include/uapi/linux/audit.h |  1 +
 kernel/auditsc.c           | 13 +++++++++++++
 4 files changed, 27 insertions(+)

diff --git a/fs/fsopen.c b/fs/fsopen.c
index ae19e5136598..8b07f9d42be2 100644
--- a/fs/fsopen.c
+++ b/fs/fsopen.c
@@ -15,6 +15,7 @@
 #include <linux/namei.h>
 #include <linux/file.h>
 #include <uapi/linux/mount.h>
+#include <linux/audit.h>
 #include "internal.h"
 #include "mount.h"
 
@@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, 
unsigned int, flags)
        if (ret < 0)
                goto err_fc;
 
+       audit_log_fsopen(fs_name);
+
        return fscontext_create_fd(fc, flags & FSOPEN_CLOEXEC ? O_CLOEXEC : 0);
 
 err_fc:
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 45abb3722d30..077b2667180d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 offset);
 extern void __audit_ntp_log(const struct audit_ntp_data *ad);
 extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
                              enum audit_nfcfgop op, gfp_t gfp);
+extern void __audit_log_fsopen(const char *fs_name);
 
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
@@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
                __audit_log_nfcfg(name, af, nentries, op, gfp);
 }
 
+static inline void audit_log_fsopen(const char *fs_name)
+{
+       if (!audit_dummy_context())
+               __audit_log_fsopen(fs_name);
+}
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
                                   enum audit_nfcfgop op, gfp_t gfp)
 { }
 
+static inline void audit_log_fsopen(const char *fs_name)
+{ }
+
 #define audit_n_rules 0
 #define audit_signals 0
 #endif /* CONFIG_AUDITSYSCALL */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index e8f5ce677df7..abae0524746e 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -122,6 +122,7 @@
 #define AUDIT_OPENAT2          1337    /* Record showing openat2 how args */
 #define AUDIT_DM_CTRL          1338    /* Device Mapper target control */
 #define AUDIT_DM_EVENT         1339    /* Device Mapper events */
+#define AUDIT_FSOPEN           1340    /* Record showing fsopen fs_name arg */
 
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6610e667c728..c82fd5606de5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned 
int nentries,
 }
 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
 
+void __audit_log_fsopen(const char *fs_name)
+{
+       struct audit_buffer *ab;
+
+       ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN);
+       if (!ab)
+               return;
+
+       audit_log_format(ab, "fs_name=");
+       audit_log_untrustedstring(ab, fs_name);
+       audit_log_end(ab);
+}
+
 static void audit_log_task(struct audit_buffer *ab)
 {
        kuid_t auid, uid;
-- 
2.53.0


Reply via email to