[PATCH] fix missed create event for directory audit
When an object is created via a symlink into an audited directory, audit misses
the event due to not having collected the inode data for the directory. Modify
__audit_inode_child() to copy the parent inode data if a parent wasn't found in
audit_names[].
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/include/linux/audit.h b/include/linux/audit.h
index e7e5e53..bf196c0 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -327,7 +327,7 @@
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct inode *inode);
extern void __audit_inode_child(const char *dname, const struct inode *inode,
- unsigned long pino);
+ const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
static inline void audit_getname(const char *name)
{
@@ -339,10 +339,10 @@
__audit_inode(name, inode);
}
static inline void audit_inode_child(const char *dname,
- const struct inode *inode,
- unsigned long pino) {
+ const struct inode *inode,
+ const struct inode *parent) {
if (unlikely(current->audit_context))
- __audit_inode_child(dname, inode, pino);
+ __audit_inode_child(dname, inode, parent);
}
static inline void audit_inode_update(const struct inode *inode) {
if (unlikely(current->audit_context))