On Thu, Jul 2, 2026 at 3:59 AM Christian Brauner <[email protected]> wrote:
>
> > Modern mount tools (util-linux >= 2.39.1) use the new mount API
> > (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
> > syscall. The generic SYSCALL audit record logs the fsopen syscall but
> > does not capture the filesystem name string, creating an audit gap for
> > filesystem mount operations.
> >
> > Add an FSOPEN auxiliary record that logs the dereferenced filesystem
> > name string passed to fsopen(2).
> >
> >   type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
> >   type=FSOPEN  ... : fs_name="tmpfs"
> >
> > Link: https://github.com/linux-audit/audit-kernel/issues/152
> > Signed-off-by: Ricardo Robaina <[email protected]>
> >
> > diff --git a/fs/fsopen.c b/fs/fsopen.c
> > index ae19e5136598..8b07f9d42be2 100644
> > --- a/fs/fsopen.c
> > +++ b/fs/fsopen.c
> > @@ -15,6 +15,7 @@
> >  #include <linux/namei.h>
> >  #include <linux/file.h>
> >  #include <uapi/linux/mount.h>
> > +#include <linux/audit.h>
> >  #include "internal.h"
> >  #include "mount.h"
> >
> > @@ -150,6 +151,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, 
> > unsigned int, flags)
> >       if (ret < 0)
> >               goto err_fc;
> >
> > +     audit_log_fsopen(fs_name);
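Review bot: the audit_log_fsopen(fs_name) call added at the end of this hunk reads fs_name after it has been released. As the reply below quotes, the function has already run kfree(fs_name) right after get_fs_type(fs_name), so the audit call dereferences freed memory. Move the call ahead of kfree(fs_name), or defer the kfree until after the audit record has been built. Because the call also sits after "if (ret < 0) goto err_fc;", no FSOPEN record is produced for fsopen(2) calls that fail earlier, including the -ENODEV return for an unknown filesystem name. If failed attempts should carry the name too, log before the get_fs_type() lookup, and say in the commit message which behaviour is intended.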
>
> Right above:
>
>         fs_type = get_fs_type(fs_name);
>         kfree(fs_name);
>         if (!fs_type)
>                 return -ENODEV;
>
> So that's a UAF.
>
> --
> Christian Brauner <[email protected]>
>

Thanks for reviewing this patch, Christian!

You're right, I missed that. I'll be sending a v2 shortly.

-Ricardo

