From: Eric Paris <eparis@redhat.com> Subject: [RHEL5 PATHC] BZ 229094 collect audit inode information for all f*xattr commands Date: Sun, 03 Jun 2007 17:37:33 -0400 Bugzilla: 229094 Message-Id: <1180906653.31147.11.camel@localhost.localdomain> Changelog: [audit] collect audit inode information for all f*xattr commands BZ 229094 Collect inode info for the remaining xattr syscalls that operate on a file descriptor. These don't call a path_lookup variant, so they aren't covered by the general audit hook. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=510f4006e7a82b37b53c17bbe64ec20f3a59302b In the LSPP kernel for quite some time and has tested just fine. -Eric --- linux-2.6.18.i686/fs/xattr.c.pre.2of4 2006-09-19 23:42:06.000000000 -0400 +++ linux-2.6.18.i686/fs/xattr.c 2007-02-15 17:23:48.000000000 -0500 @@ -319,11 +319,14 @@ asmlinkage ssize_t sys_fgetxattr(int fd, char __user *name, void __user *value, size_t size) { struct file *f; + struct dentry *dentry; ssize_t error = -EBADF; f = fget(fd); if (!f) return error; + dentry = f->f_dentry; + audit_inode(NULL, dentry->d_inode); error = getxattr(f->f_dentry, name, value, size); fput(f); return error; @@ -402,11 +405,14 @@ asmlinkage ssize_t sys_flistxattr(int fd, char __user *list, size_t size) { struct file *f; + struct dentry *dentry; ssize_t error = -EBADF; f = fget(fd); if (!f) return error; + dentry = f->f_dentry; + audit_inode(NULL, dentry->d_inode); error = listxattr(f->f_dentry, list, size); fput(f); return error;