From: Ricardo Robaina <rrobaina@redhat.com>
To: audit@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: paul@paul-moore.com, eparis@redhat.com, viro@zeniv.linux.org.uk,
brauner@kernel.org, jack@suse.cz,
Ricardo Robaina <rrobaina@redhat.com>
Subject: [PATCH v2] audit: add FSOPEN record to log filesystem name
Date: Fri, 3 Jul 2026 09:25:49 -0300 [thread overview]
Message-ID: <20260703122548.1623981-2-rrobaina@redhat.com> (raw)
Modern mount tools (util-linux >= 2.39.1) use the new mount API
(fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
syscall. The generic SYSCALL audit record logs the fsopen syscall but
does not capture the filesystem name string, creating an audit gap for
filesystem mount operations.
Add an FSOPEN auxiliary record that logs the dereferenced filesystem
name string passed to fsopen(2).
type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
type=FSOPEN ... : fs_name="tmpfs"
Link: https://github.com/linux-audit/audit-kernel/issues/152
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
Changes in v2:
- Better placement of audit_log_fsopen() call to avoid UAF.
fs/fsopen.c | 3 +++
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 1 +
kernel/auditsc.c | 13 +++++++++++++
4 files changed, 27 insertions(+)
diff --git a/fs/fsopen.c b/fs/fsopen.c
index ae19e5136598..70024870fefa 100644
--- a/fs/fsopen.c
+++ b/fs/fsopen.c
@@ -15,6 +15,7 @@
#include <linux/namei.h>
#include <linux/file.h>
#include <uapi/linux/mount.h>
+#include <linux/audit.h>
#include "internal.h"
#include "mount.h"
@@ -134,6 +135,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags)
if (IS_ERR(fs_name))
return PTR_ERR(fs_name);
+ audit_log_fsopen(fs_name);
+
fs_type = get_fs_type(fs_name);
kfree(fs_name);
if (!fs_type)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 45abb3722d30..077b2667180d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 offset);
extern void __audit_ntp_log(const struct audit_ntp_data *ad);
extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
enum audit_nfcfgop op, gfp_t gfp);
+extern void __audit_log_fsopen(const char *fs_name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
__audit_log_nfcfg(name, af, nentries, op, gfp);
}
+static inline void audit_log_fsopen(const char *fs_name)
+{
+ if (!audit_dummy_context())
+ __audit_log_fsopen(fs_name);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
enum audit_nfcfgop op, gfp_t gfp)
{ }
+static inline void audit_log_fsopen(const char *fs_name)
+{ }
+
#define audit_n_rules 0
#define audit_signals 0
#endif /* CONFIG_AUDITSYSCALL */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index e8f5ce677df7..abae0524746e 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -122,6 +122,7 @@
#define AUDIT_OPENAT2 1337 /* Record showing openat2 how args */
#define AUDIT_DM_CTRL 1338 /* Device Mapper target control */
#define AUDIT_DM_EVENT 1339 /* Device Mapper events */
+#define AUDIT_FSOPEN 1340 /* Record showing fsopen fs_name arg */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6610e667c728..c82fd5606de5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
}
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
+void __audit_log_fsopen(const char *fs_name)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN);
+ if (!ab)
+ return;
+
+ audit_log_format(ab, "fs_name=");
+ audit_log_untrustedstring(ab, fs_name);
+ audit_log_end(ab);
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
--
2.53.0
next reply other threads:[~2026-07-03 12:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 12:25 Ricardo Robaina [this message]
2026-07-07 11:23 ` Christian Brauner
2026-07-08 18:39 ` Paul Moore
2026-07-10 8:05 ` Christian Brauner
2026-07-14 19:33 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703122548.1623981-2-rrobaina@redhat.com \
--to=rrobaina@redhat.com \
--cc=audit@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=eparis@redhat.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox