This is a note to let you know that I've just added the patch titled

    audit: add child record before the create to handle case where create fails

to the 3.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 14e972b4517128ac8e30e3de2ee4fbd995084223 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@xxxxxxxxxx>
Date: Wed, 8 May 2013 10:25:58 -0400
Subject: audit: add child record before the create to handle case where create fails

From: Jeff Layton <jlayton@xxxxxxxxxx>

commit 14e972b4517128ac8e30e3de2ee4fbd995084223 upstream.

Historically, when a syscall that creates a dentry fails, you get an audit
record that looks something like this (when trying to create a file named
"new" in "/tmp/tmp.SxiLnCcv63"):

    type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023

This record makes no sense since it's associating the inode information for
"/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent
patch I posted to fix the audit_inode call in do_last fixes this, by making it
look more like this:

    type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023

While this is more correct, if the creation of the file fails, then we
have no record of the filename that the user tried to create.

This patch adds a call to audit_inode_child to may_create. This creates
an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the
create succeeds. When and if the create does succeed, then this record
will be updated with the correct inode info from the create.

This fixes what was broken in commit bfcec708.
Commit 79f6530c should also be backported to stable v3.7+.

Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/namei.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/namei.c +++ b/fs/namei.c 
@@ -2263,6 +2263,7 @@ static int may_delete(struct inode *dir, */ static inline int may_create(struct inode *dir, struct dentry *child) { + audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); if (child->d_inode) return -EEXIST; if (IS_DEADDIR(dir)) Patches currently in stable-queue which might be from jlayton@xxxxxxxxxx are queue-3.10/audit-log-the-audit_names-record-type.patch queue-3.10/audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch queue-3.10/audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
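
Review bot: the new audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE) call at the top of may_create() runs before the `if (child->d_inode) return -EEXIST;` check and before the IS_DEADDIR(dir) check, so it is reached even when the child already exists or the directory is dead and no create will be attempted. Please add a short comment above the call stating that the early placement is deliberate (the changelog wants the attempted name recorded when the create fails), and confirm that an AUDIT_TYPE_CHILD_CREATE entry for a dentry that already has an inode is the intended output on the -EEXIST path. The call is also unconditional in a static inline helper, so every caller of may_create() now goes through it; it would help to say in the changelog that this is expected.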