audit: fix suffixed '/' filename matching in __audit_inode_child()

When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs: type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null) type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null) It happens because the value of the variables dname, and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path(). Steps to reproduce the issue: # auditctl -w /tmp $ mkdir /tmp/foo $ rm -r /tmp/foo/ # ausearch -i | grep PATH | tail -3 The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1]. Link: linux-audit/audit-kernel#148 [1] Suggested-by: Paul Moore <[email protected]> Reviewed-by: Richard Guy Briggs <[email protected]> Reviewed-by: Al Viro <[email protected]> Signed-off-by: Ricardo Robaina <[email protected]>
intel-lab-lkp · Nov 25, 2024 · a27172d · a27172d
1 parent 89282be
commit a27172d
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
@@ -1319,13 +1319,20 @@ int audit_compare_dname_path(const struct qstr *dname, const char *path, int par
 	if (pathlen < dlen)
 		return 1;
 
-	parentlen = parentlen == AUDIT_NAME_FULL ? parent_len(path) : parentlen;
-	if (pathlen - parentlen != dlen)
-		return 1;
+	if (parentlen == AUDIT_NAME_FULL)
+		parentlen = parent_len(path);
 
 	p = path + parentlen;
 
-	return strncmp(p, dname->name, dlen);
+	/* handle trailing slashes */
+	pathlen -= parentlen;
+	while (p[pathlen - 1] == '/')
+		pathlen--;
+
+	if (pathlen != dlen)
+		return 1;
+
+	return memcmp(p, dname->name, dlen);
 }
 
 int audit_filter(int msgtype, unsigned int listtype)