From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Dilin Mao <dilin.mao@gmail.com>
Subject: Re: How to reconstruct file path from PATH records?
Date: Wed, 8 Dec 2010 12:42:17 -0500
Message-ID: <201012081242.18183.sgrubb@redhat.com>
In-Reply-To: <AANLkTimc63ORSFBJy_Zj9YfW6-PM2WwVOuFFo3ureRSj@mail.gmail.com>

On Tuesday, December 07, 2010 01:21:27 am Dilin Mao wrote:
> We are developing a system to monitor file operations; the difficulty
> is how to reconstruct the file path from audit records. We have written some
> testcases for system calls of file/dir operations, and found that the
> number of path records differs when we try different combinations of
> absolute or relative pathnames. For the rename/renameat functions, we have seen
> four or five path records per system call; for the link/linkat functions, the
> number of path records is two or three. Is there any rule for how the path
> records are generated?

I was hoping one of the kernel developers was going to answer this.

> We have also found that the file path can't be reconstructed correctly
> sometimes. Taking the linkat function as an example:

By any chance, can you share the testcase source code? I'm sure I could write it from
scratch, but it might help expedite the discussion if you could share that.

Thanks,
-Steve