On 2026-07-03 09:25, Ricardo Robaina wrote:
> Modern mount tools (util-linux >= 2.39.1) use the new mount API
> (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
> syscall. The generic SYSCALL audit record logs the fsopen syscall but
> does not capture the filesystem name string, creating an audit gap for
> filesystem mount operations.
> 
> Add an FSOPEN auxiliary record that logs the dereferenced filesystem
> name string passed to fsopen(2).
> 
>   type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
>   type=FSOPEN  ... : fs_name="tmpfs"
> 
> Link: https://github.com/linux-audit/audit-kernel/issues/152
> Signed-off-by: Ricardo Robaina <[email protected]>

Reviewed-by: Richard Guy Briggs <[email protected]>

> ---
> Changes in v2:
> - Better placement of audit_log_fsopen() call to avoid UAF.
> 
>  fs/fsopen.c                |  3 +++
>  include/linux/audit.h      | 10 ++++++++++
>  include/uapi/linux/audit.h |  1 +
>  kernel/auditsc.c           | 13 +++++++++++++
>  4 files changed, 27 insertions(+)
> 
> diff --git a/fs/fsopen.c b/fs/fsopen.c
> index ae19e5136598..70024870fefa 100644
> --- a/fs/fsopen.c
> +++ b/fs/fsopen.c
> @@ -15,6 +15,7 @@
>  #include <linux/namei.h>
>  #include <linux/file.h>
>  #include <uapi/linux/mount.h>
> +#include <linux/audit.h>
>  #include "internal.h"
>  #include "mount.h"
>  
> @@ -134,6 +135,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, 
> unsigned int, flags)
>       if (IS_ERR(fs_name))
>               return PTR_ERR(fs_name);
>  
> +     audit_log_fsopen(fs_name);
> +
>       fs_type = get_fs_type(fs_name);
>       kfree(fs_name);
>       if (!fs_type)
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 45abb3722d30..077b2667180d 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 
> offset);
>  extern void __audit_ntp_log(const struct audit_ntp_data *ad);
>  extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
>                             enum audit_nfcfgop op, gfp_t gfp);
> +extern void __audit_log_fsopen(const char *fs_name);
>  
>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  {
> @@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 
> af,
>               __audit_log_nfcfg(name, af, nentries, op, gfp);
>  }
>  
> +static inline void audit_log_fsopen(const char *fs_name)
> +{
> +     if (!audit_dummy_context())
> +             __audit_log_fsopen(fs_name);
> +}
> +
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> @@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 
> af,
>                                  enum audit_nfcfgop op, gfp_t gfp)
>  { }
>  
> +static inline void audit_log_fsopen(const char *fs_name)
> +{ }
> +
>  #define audit_n_rules 0
>  #define audit_signals 0
>  #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index e8f5ce677df7..abae0524746e 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -122,6 +122,7 @@
>  #define AUDIT_OPENAT2                1337    /* Record showing openat2 how 
> args */
>  #define AUDIT_DM_CTRL                1338    /* Device Mapper target control 
> */
>  #define AUDIT_DM_EVENT               1339    /* Device Mapper events */
> +#define AUDIT_FSOPEN         1340    /* Record showing fsopen fs_name arg */
>  
>  #define AUDIT_AVC            1400    /* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR    1401    /* Internal SE Linux Errors */
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6610e667c728..c82fd5606de5 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, 
> unsigned int nentries,
>  }
>  EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
>  
> +void __audit_log_fsopen(const char *fs_name)
> +{
> +     struct audit_buffer *ab;
> +
> +     ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN);
> +     if (!ab)
> +             return;
> +
> +     audit_log_format(ab, "fs_name=");
> +     audit_log_untrustedstring(ab, fs_name);
> +     audit_log_end(ab);
> +}
> +
>  static void audit_log_task(struct audit_buffer *ab)
>  {
>       kuid_t auid, uid;
> -- 
> 2.53.0
> 
> 

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570


Reply via email to