public inbox for linux-audit@redhat.com
From: John Feuerstein <john@feurix.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Subject: Re: linux-audit: reconstruct path names from syscall events?
Date: Wed, 5 Oct 2011 00:09:50 +0200
Message-ID: <20111004220855.GA18718@zombie.hq.fstein.net>
In-Reply-To: <4E8A1021.7090602@schaufler-ca.com>

Casey,

thanks for your explanation.

On Mon, 03 Oct 2011 12:42:25 -0700, Casey Schaufler wrote:
> The Linux filesystem semantics, inherited in all their
> glory from UNIX, permit multiple directory entries to
> refer to the same inode. That means that there can be
> multiple names for the same object in the filesystem
> name space. These names are all peers. None is the "real"
> name of the object. The only possible real name for the
> object is the inode number (combined with an identification
> of the containing filesystem). This identifies the object
> even when all entries in the filesystem namespace are
> gone but the file is open. Auditable events can occur on
> files that are open but have no filesystem entries.

Linux does not support multiple hardlinks to a directory[1] though?

Since the first argument to *at(2) syscalls is a dirfd, would it not be
possible to do something similar to getcwd(2)?

1. identify the root directory -> root
2. identify the given directory using the dirfd -> dir
3. until we reach root:
  - open ".." -> parent
  - scan for a dentry that matches dir
  - dir = parent
4. reconstruct path from dentry components

d_path() in fs/dcache.c[2] seems to implement that.
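The walk sketched in steps 1 to 4 above, written out as an added userspace example (it is not code from this thread, from the audit subsystem, or from d_path()): starting from a directory file descriptor, fstat() the current directory, open "..", scan the parent with readdir() for the entry whose (st_dev, st_ino) matches, prepend that name, and stop when ".." resolves to the same inode as the directory itself. The function names path_from_dirfd and demo_matches_realpath are assumptions for this example. Because entries are stat'ed with AT_SYMLINK_NOFOLLOW, a symlink to the directory never matches, so the result is the hardlink-based name that getcwd(2) would report rather than a path through a directory symlink.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reconstruct an absolute path for the directory behind dirfd by walking
 * up through ".." until the root (where ".." is the directory itself).
 * Returns 0 and fills out on success, -1 on failure. dirfd stays open. */
int path_from_dirfd(int dirfd, char *out, size_t outlen)
{
    char buf[PATH_MAX];
    size_t pos = sizeof buf - 1;           /* components are prepended */
    buf[pos] = '\0';
    int cur = dup(dirfd);
    if (cur < 0) return -1;

    for (;;) {
        struct stat st, pst;
        if (fstat(cur, &st) < 0) goto fail;
        int parent = openat(cur, "..", O_RDONLY | O_DIRECTORY);
        if (parent < 0) goto fail;
        if (fstat(parent, &pst) < 0) { close(parent); goto fail; }
        if (st.st_dev == pst.st_dev && st.st_ino == pst.st_ino) {
            close(parent);                 /* ".." == self: reached root */
            break;
        }
        /* Scan the parent for the dentry that refers to cur's inode.
         * fstatat() follows mounts, so a mount point matches the mounted
         * root's (dev, ino); AT_SYMLINK_NOFOLLOW keeps symlinks out. */
        int scanfd = dup(parent);
        if (scanfd < 0) { close(parent); goto fail; }
        DIR *d = fdopendir(scanfd);
        if (!d) { close(scanfd); close(parent); goto fail; }
        char name[NAME_MAX + 1];
        int found = 0;
        struct dirent *de;
        while ((de = readdir(d)) != NULL) {
            if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
            struct stat est;
            if (fstatat(parent, de->d_name, &est, AT_SYMLINK_NOFOLLOW) < 0) continue;
            if (est.st_dev == st.st_dev && est.st_ino == st.st_ino) {
                snprintf(name, sizeof name, "%s", de->d_name);
                found = 1;
                break;
            }
        }
        closedir(d);
        if (!found) { close(parent); goto fail; }
        size_t len = strlen(name);
        if (pos < len + 1) { close(parent); goto fail; }
        pos -= len;
        memcpy(buf + pos, name, len);
        buf[--pos] = '/';
        close(cur);
        cur = parent;
    }
    close(cur);
    if (pos == sizeof buf - 1) buf[--pos] = '/';   /* dirfd was the root */
    if (strlen(buf + pos) + 1 > outlen) return -1;
    strcpy(out, buf + pos);
    return 0;
fail:
    close(cur);
    return -1;
}

/* Self-check on a constructed scratch tree: the reconstructed path of the
 * leaf must equal realpath() of it, and "/" must reconstruct to "/".
 * Returns 1 when both hold. */
int demo_matches_realpath(void)
{
    char base[] = "/tmp/auditpathXXXXXX";      /* constructed sample tree */
    if (!mkdtemp(base)) return 0;
    char sub[PATH_MAX], leaf[PATH_MAX];
    snprintf(sub, sizeof sub, "%s/sub", base);
    snprintf(leaf, sizeof leaf, "%s/sub/leaf", base);
    if (mkdir(sub, 0700) < 0 || mkdir(leaf, 0700) < 0) return 0;

    char got[PATH_MAX], want[PATH_MAX], root[PATH_MAX];
    int fd = open(leaf, O_RDONLY | O_DIRECTORY);
    int ok = fd >= 0 && path_from_dirfd(fd, got, sizeof got) == 0
             && realpath(leaf, want) != NULL && strcmp(got, want) == 0;
    if (fd >= 0) close(fd);
    int rfd = open("/", O_RDONLY | O_DIRECTORY);
    ok = ok && rfd >= 0 && path_from_dirfd(rfd, root, sizeof root) == 0
         && strcmp(root, "/") == 0;
    if (rfd >= 0) close(rfd);

    rmdir(leaf); rmdir(sub); rmdir(base);
    return ok;
}

int main(void)
{
    char cwd[PATH_MAX];
    int fd = open(".", O_RDONLY | O_DIRECTORY);
    if (fd >= 0 && path_from_dirfd(fd, cwd, sizeof cwd) == 0)
        printf("%s\n", cwd);
    if (fd >= 0) close(fd);
    return demo_matches_realpath() ? 0 : 1;
}
```

Two points this makes concrete for the audit use case: the walk costs one open plus a full directory scan per path component, which is the performance penalty mentioned below (the kernel's d_path() avoids the scan because dentries already hold their names), and the result is only correct if nothing renames a component between the fstat() and the scan, so a record produced this way is best-effort, exactly as the sysctl proposal describes it.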

I understand that this is ambiguous because of directory symlinks, but
it's better than the current situation. It would work out fine on
filesystems without symlinks (AFAIK this is only possible using FUSE on
Linux as of now, FreeBSD has had mount -o nosymlink for ages).

However, I'm not sure if it's worth the performance penalty. What about
making this configurable with sysctl? If enabled, PATH records for
syscall arguments consisting of a directory file descriptor will get
their name field reconstructed (best-effort/ambiguous). If disabled, the
name field will simply remain empty, instead of falling back to the cwd.


[1] http://lwn.net/Articles/249607/
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=fs/dcache.c;hb=v3.0#l2610


Thread overview: 22+ messages
2011-09-17  0:12 linux-audit: reconstruct path names from syscall events? John Feuerstein
2011-10-01 12:31 ` Steve Grubb
2011-10-03 19:42   ` Casey Schaufler
2011-10-04 17:02     ` Steve Grubb
2011-10-04 22:09     ` John Feuerstein [this message]
2011-10-07 13:50       ` Eric Paris
2011-10-07 14:04         ` Steve Grubb
2011-10-07 17:20         ` Casey Schaufler
2011-10-07 18:02           ` Steve Grubb
2011-10-07 18:27           ` Eric Paris
2011-10-07 21:38             ` Casey Schaufler
2011-10-10 12:54               ` Steve Grubb
2012-10-09 23:09 ` Mark Moseley
2012-10-09 23:29   ` Al Viro
2012-10-09 23:39   ` Al Viro
2012-10-09 23:47     ` Mark Moseley
2012-10-09 23:54       ` Al Viro
2012-10-10 22:45         ` Mark Moseley
2012-10-10 23:00           ` Steve Grubb
2012-10-10 23:07             ` Mark Moseley
2012-10-11 17:27               ` Mark Moseley
2012-10-30  1:12                 ` Mark Moseley
