From: Steve Grubb
Subject: Re: use openat to create a file, then audit log can't show the full path name ?
Date: Mon, 03 Dec 2018 20:11:26 -0500
Message-ID: <2266965.DSjJAScMqE@x2>
References: <2018120409033724847711@gmail.com>
In-Reply-To: <2018120409033724847711@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, December 3, 2018 8:06:17 PM EST litaibaichina@gmail.com wrote:
> Hi Guys,
>
> I tried to use code like the following to create a file and I am watching
> /data/Documents:
>
> # auditctl -l
> -w /data/Documents -p rwa
>
> #include <fcntl.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
>
> /* Open an absolute path one component at a time, refusing symlinks at
>    every step, so that no component can be swapped for a link. */
> int my_open(const char *path, int flags, mode_t mode)
> {
>     char *new = strdup(path);   /* writable copy; '/' separators become '\0' */
>     char *p;
>     const char *last;
>     int dirfd, lastfd;
>     int fd = -1;
>
>     if (new == NULL)
>         return -1;
>
>     dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
>
>     /* walk every directory component; path is assumed to start with '/' */
>     for (last = new + 1; (p = strchr(last, '/')); last = p)
>     {
>         while (*p == '/')
>             *p++ = '\0';
>         dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
>         close(lastfd);
>         if (dirfd < 0)
>             break;
>         lastfd = dirfd;
>     }
>     /* the final component is opened relative to the last directory fd */
>     if (dirfd >= 0)
>     {
>         fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
>         close(dirfd);
>     }
>     free(new);
>     return fd;
> }
>
> then get audit logs like:
> ----
> type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) : proctitle=./test-sscanf
> type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
> type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
> type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
> ----
> type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) : proctitle=./test-sscanf
> type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
> type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
> type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
> type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
>
> so it looks like I can't get the full path /data/Documents/test-safeopen.txt;
> audit can't remember the path in item 0?

This is: https://github.com/linux-audit/audit-kernel/issues/9

We were just discussing something that is sort of related. So, maybe there
will be some updates on this soonish.

-Steve
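A defender-side check that follows from the thread, added here as an example (not code from the original post or from the audit project): it groups the PATH, CWD and SYSCALL records by event serial and flags openat events whose recorded name is relative while a0 (the dirfd) is not AT_FDCWD, because in that case audit keeps only the last component and, as the records above show, the PARENT entry is the cwd (/root) rather than the dirfd directory. The sample input is constructed inline from the two quoted events; the third event (serial 6500, an open via AT_FDCWD) is invented for contrast.

```python
import posixpath
import re

AT_FDCWD = -100   # the dirfd value that makes openat() behave like open()

# Constructed sample: the two events quoted in the thread (serials 6495 and
# 6496, ausearch -i style) plus an invented AT_FDCWD event (serial 6500).
SAMPLE = """\
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 comm=test-sscanf exe=/root/test-sscanf key=(null)
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 comm=test-sscanf exe=/root/test-sscanf key=(null)
type=PATH msg=audit(12/04/2018 09:00:00.000:6500) : item=0 name=notes.txt inode=99 dev=00:2a mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 09:00:00.000:6500) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 09:00:00.000:6500) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffffffffffff9c a1=0x5 a2=O_RDONLY a3=0x0 items=1 comm=cat exe=/usr/bin/cat key=(null)
"""

KV = re.compile(r"(\w+)=(\S+)")
SERIAL = re.compile(r"audit\(.*?:(\d+)\)")

def parse_events(text):
    """Group PATH/CWD/SYSCALL records by the event serial in msg=audit(...)."""
    events = {}
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        ev = events.setdefault(int(SERIAL.search(line).group(1)), {"paths": []})
        if fields["type"] == "PATH":
            ev["paths"].append(fields)
        else:
            ev[fields["type"]] = fields
    return events

def resolve_path(ev):
    """Return (path, trustworthy) for the object the openat() acted on."""
    sc = ev["SYSCALL"]
    target = max(ev["paths"], key=lambda p: int(p["item"]))  # final component
    name = target["name"]
    if name.startswith("/"):
        return name, True
    dirfd = int(sc["a0"], 16)               # raw and -i formats are both hex
    if dirfd >= 1 << 63:                    # a0 is logged as unsigned 64-bit
        dirfd -= 1 << 64
    if sc["syscall"] == "openat" and dirfd != AT_FDCWD:
        # Relative to a directory fd: audit kept only the last component and
        # the PARENT record (name=/root above) is the cwd, so do not join them.
        return name, False
    return posixpath.join(ev["CWD"]["cwd"], name), True
```

Events returned with `trustworthy == False` are the ones where the full path has to come from somewhere else (the process, or the kernel fix tracked in issue #9).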