fs: add link restriction audit reporting

Adds audit messages for unexpected link restriction violations so that
system owners will have some sort of potentially actionable information
about misbehaving processes.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/namei.c b/fs/namei.c
index 3861d85f848807dc2a7c97b58920c1fb3969e176..618d3531cf9f7a9221e56e7fa9b6a27556c7d893 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -692,6 +692,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
 
        path_put_conditional(link, nd);
        path_put(&nd->path);
+       audit_log_link_denied("follow_link", link);
        return -EACCES;
 }
 
@@ -760,6 +761,7 @@ static int may_linkat(struct path *link)
            capable(CAP_FOWNER))
                return 0;
 
+       audit_log_link_denied("linkat", link);
        return -EPERM;
 }
 

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 22f292a917a3f6c13eb4353c50ec9cf95acffa3f..36abf2aa7e680e24afe8c52b87ccf8f88707ee17 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -130,6 +130,7 @@
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
 #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
 #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
+#define AUDIT_ANOM_LINK                    1702 /* Suspicious use of file links */
 #define AUDIT_INTEGRITY_DATA       1800 /* Data integrity verification */
 #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
 #define AUDIT_INTEGRITY_STATUS     1802 /* Integrity enable status */
@@ -687,6 +688,8 @@ extern void             audit_log_d_path(struct audit_buffer *ab,
                                             const struct path *path);
 extern void                audit_log_key(struct audit_buffer *ab,
                                          char *key);
+extern void                audit_log_link_denied(const char *operation,
+                                                 struct path *link);
 extern void                audit_log_lost(const char *message);
 #ifdef CONFIG_SECURITY
 extern void                audit_log_secctx(struct audit_buffer *ab, u32 secid);
@@ -716,6 +719,7 @@ extern int audit_enabled;
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_link_denied(o, l) do { ; } while (0)
 #define audit_log_secctx(b,s) do { ; } while (0)
 #define audit_enabled 0
 #endif

diff --git a/kernel/audit.c b/kernel/audit.c
index 1c7f2c61416b6b379c07c3af8ec225163670ed1f..fda8bd9e1d3a41b03f67374c75038eba264e0c1d 100644 (file)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1449,6 +1449,27 @@ void audit_log_key(struct audit_buffer *ab, char *key)
                audit_log_format(ab, "(null)");
 }
 
+/**
+ * audit_log_link_denied - report a link restriction denial
+ * @operation: specific link opreation
+ * @link: the path that triggered the restriction
+ */
+void audit_log_link_denied(const char *operation, struct path *link)
+{
+       struct audit_buffer *ab;
+
+       ab = audit_log_start(current->audit_context, GFP_KERNEL,
+                            AUDIT_ANOM_LINK);
+       audit_log_format(ab, "op=%s action=denied", operation);
+       audit_log_format(ab, " pid=%d comm=", current->pid);
+       audit_log_untrustedstring(ab, current->comm);
+       audit_log_d_path(ab, " path=", link);
+       audit_log_format(ab, " dev=");
+       audit_log_untrustedstring(ab, link->dentry->d_inode->i_sb->s_id);
+       audit_log_format(ab, " ino=%lu", link->dentry->d_inode->i_ino);
+       audit_log_end(ab);
+}
+
 /**
  * audit_log_end - end one audit record
  * @ab: the audit_buffer