releases/3.9.3/audit-vfs-fix-audit_inode-call-in-o_creat-case-of-do_last.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 33e2208acfc15ce00d3dd13e839bf6434faa2b04 Mon Sep 17 00:00:00 2001
 From: Jeff Layton <jlayton@redhat.com>
 Date: Fri, 12 Apr 2013 15:16:32 -0400
 Subject: audit: vfs: fix audit_inode call in O_CREAT case of do_last

 From: Jeff Layton <jlayton@redhat.com>

 commit 33e2208acfc15ce00d3dd13e839bf6434faa2b04 upstream.

 Jiri reported a regression in auditing of open(..., O_CREAT) syscalls.
 In older kernels, creating a file with open(..., O_CREAT) created
 audit_name records that looked like this:

 type=PATH msg=audit(1360255720.628:64): item=1 name="/abc/foo" inode=138810 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
 type=PATH msg=audit(1360255720.628:64): item=0 name="/abc/" inode=138635 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0

 ...in recent kernels though, they look like this:

 type=PATH msg=audit(1360255402.886:12574): item=2 name=(null) inode=264599 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
 type=PATH msg=audit(1360255402.886:12574): item=1 name=(null) inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
 type=PATH msg=audit(1360255402.886:12574): item=0 name="/abc/foo" inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0

 Richard bisected to determine that the problems started with commit
 bfcec708, but the log messages have changed with some later
 audit-related patches.

 The problem is that this audit_inode call is passing in the parent of
 the dentry being opened, but audit_inode is being called with the parent
 flag false. This causes later audit_inode and audit_inode_child calls to
 match the wrong entry in the audit_names list.

 This patch simply sets the flag to properly indicate that this inode
 represents the parent. With this, the audit_names entries are back to
 looking like they did before.

 Reported-by: Jiri Jaburek <jjaburek@redhat.com>
 Signed-off-by: Jeff Layton <jlayton@redhat.com>
 Test By: Richard Guy Briggs <rbriggs@redhat.com>
 Signed-off-by: Eric Paris <eparis@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/namei.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/fs/namei.c
 +++ b/fs/namei.c
 @@ -2740,7 +2740,7 @@ static int do_last(struct nameidata *nd,
  		if (error)
  			return error;

 -		audit_inode(name, dir, 0);
 +		audit_inode(name, dir, LOOKUP_PARENT);
  		error = -EISDIR;
  		/* trailing slashes? */
  		if (nd->last.name[nd->last.len])
	From 33e2208acfc15ce00d3dd13e839bf6434faa2b04 Mon Sep 17 00:00:00 2001
	From: Jeff Layton <jlayton@redhat.com>
	Date: Fri, 12 Apr 2013 15:16:32 -0400
	Subject: audit: vfs: fix audit_inode call in O_CREAT case of do_last

	From: Jeff Layton <jlayton@redhat.com>

	commit 33e2208acfc15ce00d3dd13e839bf6434faa2b04 upstream.

	Jiri reported a regression in auditing of open(..., O_CREAT) syscalls.
	In older kernels, creating a file with open(..., O_CREAT) created
	audit_name records that looked like this:

	type=PATH msg=audit(1360255720.628:64): item=1 name="/abc/foo" inode=138810 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
	type=PATH msg=audit(1360255720.628:64): item=0 name="/abc/" inode=138635 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0

	...in recent kernels though, they look like this:

	type=PATH msg=audit(1360255402.886:12574): item=2 name=(null) inode=264599 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
	type=PATH msg=audit(1360255402.886:12574): item=1 name=(null) inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
	type=PATH msg=audit(1360255402.886:12574): item=0 name="/abc/foo" inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0

	Richard bisected to determine that the problems started with commit
	bfcec708, but the log messages have changed with some later
	audit-related patches.

	The problem is that this audit_inode call is passing in the parent of
	the dentry being opened, but audit_inode is being called with the parent
	flag false. This causes later audit_inode and audit_inode_child calls to
	match the wrong entry in the audit_names list.

	This patch simply sets the flag to properly indicate that this inode
	represents the parent. With this, the audit_names entries are back to
	looking like they did before.

	Reported-by: Jiri Jaburek <jjaburek@redhat.com>
	Signed-off-by: Jeff Layton <jlayton@redhat.com>
	Test By: Richard Guy Briggs <rbriggs@redhat.com>
	Signed-off-by: Eric Paris <eparis@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/namei.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/fs/namei.c
	+++ b/fs/namei.c
	@@ -2740,7 +2740,7 @@ static int do_last(struct nameidata *nd,
	if (error)
	return error;

	- audit_inode(name, dir, 0);
	+ audit_inode(name, dir, LOOKUP_PARENT);
	error = -EISDIR;
	/* trailing slashes? */
	if (nd->last.name[nd->last.len])