On 2026-07-03 09:25, Ricardo Robaina wrote: > Modern mount tools (util-linux >= 2.39.1) use the new mount API > (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2) > syscall. The generic SYSCALL audit record logs the fsopen syscall but > does not capture the filesystem name string, creating an audit gap for > filesystem mount operations. > > Add an FSOPEN auxiliary record that logs the dereferenced filesystem > name string passed to fsopen(2). > > type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC > type=FSOPEN ... : fs_name="tmpfs" > > Link: https://github.com/linux-audit/audit-kernel/issues/152 > Signed-off-by: Ricardo Robaina <[email protected]>
Reviewed-by: Richard Guy Briggs <[email protected]> > --- > Changes in v2: > - Better placement of audit_log_fsopen() call to avoid UAF. > > fs/fsopen.c | 3 +++ > include/linux/audit.h | 10 ++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/auditsc.c | 13 +++++++++++++ > 4 files changed, 27 insertions(+) > > diff --git a/fs/fsopen.c b/fs/fsopen.c > index ae19e5136598..70024870fefa 100644 > --- a/fs/fsopen.c > +++ b/fs/fsopen.c > @@ -15,6 +15,7 @@ > #include <linux/namei.h> > #include <linux/file.h> > #include <uapi/linux/mount.h> > +#include <linux/audit.h> > #include "internal.h" > #include "mount.h" > > @@ -134,6 +135,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, > unsigned int, flags) > if (IS_ERR(fs_name)) > return PTR_ERR(fs_name); > > + audit_log_fsopen(fs_name); > + > fs_type = get_fs_type(fs_name); > kfree(fs_name); > if (!fs_type) > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 45abb3722d30..077b2667180d 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 > offset); > extern void __audit_ntp_log(const struct audit_ntp_data *ad); > extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, > enum audit_nfcfgop op, gfp_t gfp); > +extern void __audit_log_fsopen(const char *fs_name); > > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) > { > @@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 > af, > __audit_log_nfcfg(name, af, nentries, op, gfp); > } > > +static inline void audit_log_fsopen(const char *fs_name) > +{ > + if (!audit_dummy_context()) > + __audit_log_fsopen(fs_name); > +} > + > extern int audit_n_rules; > extern int audit_signals; > #else /* CONFIG_AUDITSYSCALL */ > @@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 > af, > enum audit_nfcfgop op, gfp_t gfp) > { } > > +static inline void audit_log_fsopen(const char *fs_name) > +{ } > + > #define audit_n_rules 0 > #define audit_signals 0 > #endif /* CONFIG_AUDITSYSCALL */ > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index e8f5ce677df7..abae0524746e 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -122,6 +122,7 @@ > #define AUDIT_OPENAT2 1337 /* Record showing openat2 how > args */ > #define AUDIT_DM_CTRL 1338 /* Device Mapper target control > */ > #define AUDIT_DM_EVENT 1339 /* Device Mapper events */ > +#define AUDIT_FSOPEN 1340 /* Record showing fsopen fs_name arg */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6610e667c728..c82fd5606de5 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, > unsigned int nentries, > } > EXPORT_SYMBOL_GPL(__audit_log_nfcfg); > > +void __audit_log_fsopen(const char *fs_name) > +{ > + struct audit_buffer *ab; > + > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN); > + if (!ab) > + return; > + > + audit_log_format(ab, "fs_name="); > + audit_log_untrustedstring(ab, fs_name); > + audit_log_end(ab); > +} > + > static void audit_log_task(struct audit_buffer *ab) > { > kuid_t auid, uid; > -- > 2.53.0 > > - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada Upstream IRC: SunRaycer Voice: +1.613.860 2354 SMS: +1.613.518.6570

