From mboxrd@z Thu Jan  1 00:00:00 1970
From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Re: open record looks like openat
Date: 27 Jul 2007 11:15:59 -0400
Message-ID: <ogtir85zxlc.fsf@oolong.mitre.org>
References: <ogtps2eym2e.fsf@oolong.mitre.org>
	<200707271059.12571.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25])
	by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l6RFG2Is030624
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:16:02 -0400
Received: from smtp-mclean.mitre.org (smtpproxy2.mitre.org [192.80.55.71])
	by mx2.redhat.com (8.13.1/8.13.1) with ESMTP id l6RFG0s9013806
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:16:00 -0400
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with SMTP id
	l6RFFxt5029010
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:15:59 -0400
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-mclean.mitre.org (Postfix) with ESMTP id 83FD94F8D8
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:15:59 -0400 (EDT)
Received: from linus.mitre.org (rcf-smtp.mitre.org [129.83.10.1])
	by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id
	l6RFFxOw028979
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:15:59 -0400
Received: from oolong.mitre.org (oolong.mitre.org [129.83.162.84])
	by linus.mitre.org (8.12.11/8.12.10) with ESMTP id l6RFFxpW011582
	for <linux-audit@redhat.com>; Fri, 27 Jul 2007 11:15:59 -0400 (EDT)
In-Reply-To: <200707271059.12571.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I notice that /bin/rm no longer uses the unlink system call, but
instead uses unlinkat.

Steve Grubb <sgrubb@redhat.com> writes:

> But openat does give a different output:

...

> Low and behold the record changes to this:

Note that my trick of looking at the last path record for the file
name works for both forms of openat events.  It also works with unlink
and unlinkat.

I guess I had better add programs that use openat to my test suite, so
as to ensure the trick works.

John