From: Richard Guy Briggs <rgb@redhat.com>
To: Ricardo Robaina <rrobaina@redhat.com>
Cc: audit@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
eparis@redhat.com, viro@zeniv.linux.org.uk, brauner@kernel.org,
jack@suse.cz
Subject: Re: [PATCH v2] audit: add FSOPEN record to log filesystem name
Date: Tue, 14 Jul 2026 15:33:12 -0400 [thread overview]
Message-ID: <alaO+HZ7qJ1Iv9SP@madcap2.tricolour.ca> (raw)
In-Reply-To: <20260703122548.1623981-2-rrobaina@redhat.com>
On 2026-07-03 09:25, Ricardo Robaina wrote:
> Modern mount tools (util-linux >= 2.39.1) use the new mount API
> (fsopen, fsconfig, fsmount, move_mount) instead of the legacy mount(2)
> syscall. The generic SYSCALL audit record logs the fsopen syscall but
> does not capture the filesystem name string, creating an audit gap for
> filesystem mount operations.
>
> Add an FSOPEN auxiliary record that logs the dereferenced filesystem
> name string passed to fsopen(2).
>
> type=SYSCALL ... : arch=x86_64 syscall=fsopen ... a1=FSOPEN_CLOEXEC
> type=FSOPEN ... : fs_name="tmpfs"
>
> Link: https://github.com/linux-audit/audit-kernel/issues/152
> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> Changes in v2:
> - Better placement of audit_log_fsopen() call to avoid UAF.
>
> fs/fsopen.c | 3 +++
> include/linux/audit.h | 10 ++++++++++
> include/uapi/linux/audit.h | 1 +
> kernel/auditsc.c | 13 +++++++++++++
> 4 files changed, 27 insertions(+)
>
> diff --git a/fs/fsopen.c b/fs/fsopen.c
> index ae19e5136598..70024870fefa 100644
> --- a/fs/fsopen.c
> +++ b/fs/fsopen.c
> @@ -15,6 +15,7 @@
> #include <linux/namei.h>
> #include <linux/file.h>
> #include <uapi/linux/mount.h>
> +#include <linux/audit.h>
> #include "internal.h"
> #include "mount.h"
>
> @@ -134,6 +135,8 @@ SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags)
> if (IS_ERR(fs_name))
> return PTR_ERR(fs_name);
>
> + audit_log_fsopen(fs_name);
> +
> fs_type = get_fs_type(fs_name);
> kfree(fs_name);
> if (!fs_type)
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 45abb3722d30..077b2667180d 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -449,6 +449,7 @@ extern void __audit_tk_injoffset(struct timespec64 offset);
> extern void __audit_ntp_log(const struct audit_ntp_data *ad);
> extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
> enum audit_nfcfgop op, gfp_t gfp);
> +extern void __audit_log_fsopen(const char *fs_name);
>
> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
> @@ -598,6 +599,12 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
> __audit_log_nfcfg(name, af, nentries, op, gfp);
> }
>
> +static inline void audit_log_fsopen(const char *fs_name)
> +{
> + if (!audit_dummy_context())
> + __audit_log_fsopen(fs_name);
> +}
> +
> extern int audit_n_rules;
> extern int audit_signals;
> #else /* CONFIG_AUDITSYSCALL */
> @@ -730,6 +737,9 @@ static inline void audit_log_nfcfg(const char *name, u8 af,
> enum audit_nfcfgop op, gfp_t gfp)
> { }
>
> +static inline void audit_log_fsopen(const char *fs_name)
> +{ }
> +
> #define audit_n_rules 0
> #define audit_signals 0
> #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index e8f5ce677df7..abae0524746e 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -122,6 +122,7 @@
> #define AUDIT_OPENAT2 1337 /* Record showing openat2 how args */
> #define AUDIT_DM_CTRL 1338 /* Device Mapper target control */
> #define AUDIT_DM_EVENT 1339 /* Device Mapper events */
> +#define AUDIT_FSOPEN 1340 /* Record showing fsopen fs_name arg */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6610e667c728..c82fd5606de5 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2882,6 +2882,19 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
> }
> EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
>
> +void __audit_log_fsopen(const char *fs_name)
> +{
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FSOPEN);
> + if (!ab)
> + return;
> +
> + audit_log_format(ab, "fs_name=");
> + audit_log_untrustedstring(ab, fs_name);
> + audit_log_end(ab);
> +}
> +
> static void audit_log_task(struct audit_buffer *ab)
> {
> kuid_t auid, uid;
> --
> 2.53.0
>
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570
prev parent reply other threads:[~2026-07-14 19:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 12:25 Ricardo Robaina
2026-07-07 11:23 ` Christian Brauner
2026-07-08 18:39 ` Paul Moore
2026-07-10 8:05 ` Christian Brauner
2026-07-14 19:33 ` Richard Guy Briggs [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alaO+HZ7qJ1Iv9SP@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=audit@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=eparis@redhat.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rrobaina@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox