From: Steve Grubb <sgrubb@redhat.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
	Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls
Date: Wed, 25 Jul 2018 08:48:22 -0400
Message-ID: <5402595.goYXf9ZsuL@x2>
In-Reply-To: <CAFqZXNvaFvr-oiytR6-aHh_urjTd1ama1krQeJp29=uKtQD4zA@mail.gmail.com>

On Wednesday, July 25, 2018 3:44:07 AM EDT Ondrej Mosnacek wrote:
> On Wed, Jul 25, 2018 at 3:11 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, July 24, 2018 6:15:54 PM EDT Paul Moore wrote:
> > > On Tue, Jul 24, 2018 at 10:12 AM Ondrej Mosnacek <omosnace@redhat.com>
> > > 
> > > > Beyond that, there is really no information in the records that would
> > > > allow reconstructing which PARENT path belongs to which CREATE/DELETE
> > > > path... (Intuitively you can guess that src will come before dst, but
> > > > that is not very reliable.) I think a "parent inode" field in the
> > > > PATH records could fix this, but maybe there is a better solution...
> > > 
> > > I have my suspicions, but I would be curious to hear from Steve how
> > > the reconstruction is typically handled.
> > 
> > For any *at function when the dirfd is not AT_FDCWD, it goes badly. If
> > it's an old style syscall without the dirfd, then if the first character
> > is '/' use that. Otherwise concatenate cwd and path and pass it to
> > realpath to sort out.
>
> In that case it seems the best fix for openat() et al. would be to
> somehow always force outputting the full path when dirfd != AT_FDCWD.
> Hopefully that won't require too much hacking around...

What is asked for is the full path that dirfd was opened with. I can take 
care of everything else.

-Steve
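
The reconstruction rule quoted in this message, as an added example (not code from the thread or from the audit userspace tools). It assumes x86_64 syscall numbers, events with a single PATH item, and constructed sample records; `posixpath.normpath` stands in for realpath, which would also resolve symlinks on the audited host.

```python
import posixpath
import re

AT_FDCWD = 0xFFFFFF9C  # -100 as it appears (unsigned, 32-bit) in the a0 field
# Assumption: x86_64 syscall numbers; subset of calls whose a0 is a dirfd.
DIRFD_SYSCALLS = {257: "openat", 258: "mkdirat", 263: "unlinkat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def resolve_event(lines):
    """Absolute path for a one-PATH-item event, or None if not recoverable."""
    recs = {}
    for line in lines:
        fields = parse(line)
        recs.setdefault(fields["type"], fields)
    name = recs["PATH"]["name"]
    if name.startswith("/"):
        return posixpath.normpath(name)  # absolute name: dirfd and cwd unused
    sc = recs["SYSCALL"]
    if int(sc["syscall"]) in DIRFD_SYSCALLS:
        dirfd = int(sc["a0"], 16) & 0xFFFFFFFF
        if dirfd != AT_FDCWD:
            return None  # relative to a dirfd whose path is not in the records
    # normpath stands in for realpath(3): it collapses "." and ".." only;
    # resolving symlinks needs the audited host's filesystem.
    return posixpath.normpath(posixpath.join(recs["CWD"]["cwd"], name))

def event(syscall, a0, cwd, name):
    """Build a constructed (not captured) three-record event for the demo."""
    stamp = "msg=audit(1532522902.101:1):"
    return [
        f"type=SYSCALL {stamp} arch=c000003e syscall={syscall} a0={a0} items=1",
        f'type=CWD {stamp} cwd="{cwd}"',
        f'type=PATH {stamp} item=0 name="{name}" nametype=NORMAL',
    ]

if __name__ == "__main__":
    for ev in (
        event(2, "7ffd1000", "/home/alice", "../bob/notes.txt"),  # open()
        event(257, "ffffff9c", "/home/alice", "notes.txt"),  # openat(AT_FDCWD)
        event(257, "5", "/home/alice", "notes.txt"),         # openat(dirfd=5)
    ):
        print(resolve_event(ev))
```

The `None` result is the case the thread is about: the records name the file relative to a dirfd but carry nothing that says which directory that fd refers to.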

Thread overview: 27+ messages
2018-07-12 11:36 [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 1/3] audit: Add AUDIT_FD_PATH auxiliary record type Ondrej Mosnacek
2018-07-13 14:51   ` Richard Guy Briggs
2018-07-16  8:19     ` Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 2/3] audit: Add a function to log the path of an fd Ondrej Mosnacek
2018-07-13 15:15   ` Richard Guy Briggs
2018-07-16  8:29     ` Ondrej Mosnacek
2018-07-16 17:30       ` Richard Guy Briggs
2018-07-14 16:26   ` Steve Grubb
2018-07-16  8:31     ` Ondrej Mosnacek
2018-07-12 11:36 ` [RFC PATCH ghak9 3/3] [WIP] fs: Add audit_fd_path() calls to syscall handlers Ondrej Mosnacek
2018-07-13 15:20   ` Richard Guy Briggs
2018-07-18 20:41 ` [RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls Paul Moore
2018-07-20 10:11   ` Ondrej Mosnacek
2018-07-23 20:49     ` Paul Moore
2018-07-24 14:12       ` Ondrej Mosnacek
2018-07-24 22:15         ` Paul Moore
2018-07-25  1:11           ` Steve Grubb
2018-07-25  7:44             ` Ondrej Mosnacek
2018-07-25 12:48               ` Steve Grubb [this message]
2018-07-25 13:02                 ` Ondrej Mosnacek
2018-07-25 13:11                   ` Steve Grubb
2018-07-26  8:12                     ` Ondrej Mosnacek
2018-07-26  9:12                       ` Ondrej Mosnacek
2018-08-02 23:58                         ` Paul Moore
2018-08-03  9:19                           ` Ondrej Mosnacek
2018-08-02 23:16                       ` Paul Moore
