• Jeff Layton's avatar
    audit: add child record before the create to handle case where create fails · 14e972b4
    Jeff Layton authored
    Historically, when a syscall that creates a dentry fails, you get an audit
    record that looks something like this (when trying to create a file named
    "new" in "/tmp/tmp.SxiLnCcv63"):
    
        type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
    
    This record makes no sense since it's associating the inode information for
    "/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent
    patch I posted to fix the audit_inode call in do_last fixes this, by making it
    look more like this:
    
        type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
    
    While this is more correct, if the creation of the file fails, then we
    have no record of the filename that the user tried to create.
    
    This patch adds a call to audit_inode_child to may_create. This creates
    an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the
    create succeeds. When and if the create does succeed, then this record
    will be updated with the correct inode info from the create.
    
    This fixes what was broken in commit bfcec708.
    Commit 79f6530c should also be backported to stable v3.7+.
    Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    14e972b4
namei.c 101 KB