<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"><span style="">Hi, <br></span></p><p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"><span style=""><br></span></p>
<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">We are developing a system to monitor file operations; the difficulty is how to reconstruct file paths from audit records. We have written some test cases for the system calls that operate on files and directories, and found that the number of PATH records differs when we try different combinations of absolute and relative pathnames. For the rename/renameat functions we have seen four or five PATH records per system call; for the link/linkat functions the number of PATH records is two or three. Is there any rule for how the PATH records are generated?</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"> </p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">We have also found that the file path sometimes cannot be reconstructed correctly. Take the linkat function as an example:</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"> </p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">olddirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">newdirfd = open("/home/dlmao/test-syscall/tests/tmpdir", O_RDONLY);</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">linkat(olddirfd, "tmp.f1C3HgoJ1K", newdirfd, "tmpfile4", 0);</p>


<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"> </p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">but the audit records that were output are:</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US"><span style="">  </span></p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;">type=SYSCALL
msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3
a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573 pid=3609 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat"
exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;">type=CWD
msg=audit(1291697940.405:66):<span style=""> 
</span>cwd="/home/dlmao/test-syscall/tests"</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;">type=PATH
msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K"
inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;">type=PATH
msg=audit(1291697940.405:66): item=1
name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01
mode=040755 ouid=0 ogid=0 rdev=00:00</p>

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;">type=PATH
msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275
dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00</p>

<br clear="all"><br>Thanks, <br><br>Mao <br><br><br><br><br>
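<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">Added example, not part of Mao's message or of the audit project's own code: a small Python parser that groups SYSCALL, CWD and PATH records by event serial and then rebuilds each PATH name. An absolute name is kept as-is; a relative name is joined to the CWD record only when it really is relative to the working directory (no dirfd for that item, or the dirfd is AT_FDCWD). A name that is relative to an open directory descriptor, as in the records above where a0=3 and a2=4, is flagged as unresolved, because none of these records carries the path behind that descriptor; that is the failure mode the message describes. The item-to-dirfd mapping LINKAT_I386_DIRFD_ARGS (item 0 relative to a0, item 2 relative to a2; syscall 303 on arch=40000003 is linkat on i386) is an assumption made for this illustration. Event 66 is copied from the records above; event 67 is a constructed variant of the same call made with AT_FDCWD for both dirfds, to show the case where joining with cwd is correct.</p>

```python
"""Group Linux audit SYSCALL/CWD/PATH records by event serial and rebuild paths."""
import posixpath
import re

# key=value tokens; values are either double-quoted or run to the next space
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Assumed mapping for illustration: which SYSCALL argument holds the dirfd each PATH
# item of linkat() (syscall 303 on arch=40000003, i386) is relative to.  Item 1 in the
# records above is the parent-directory entry and already carries an absolute name.
LINKAT_I386_DIRFD_ARGS = {0: "a0", 2: "a2"}


def _unquote(key, value):
    """auditd double-quotes printable names; names with odd bytes are hex-encoded, unquoted."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in ("name", "cwd") and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_events(text):
    """Return {serial: {"syscall": fields, "cwd": str|None, "paths": {item: fields}}}."""
    events = {}
    for line in text.splitlines():
        fields = {k: _unquote(k, v) for k, v in FIELD_RE.findall(line)}
        match = EVENT_RE.search(fields.get("msg", ""))
        if not match:
            continue  # blank line or a record without an event serial
        ev = events.setdefault(int(match.group(2)), {"syscall": None, "cwd": None, "paths": {}})
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":
            ev["paths"][int(fields["item"])] = fields
    return events


def is_at_fdcwd(hexarg):
    """AT_FDCWD is -100: auditd prints it as ffffff9c (32-bit) or ffffffffffffff9c (64-bit)."""
    return (int(hexarg, 16) & 0xFFFFFFFF) == 0xFFFFFF9C


def resolve_paths(ev, item_dirfd_args=None):
    """Return [(item, path, how)] for one event; assumes its SYSCALL record is present.

    Absolute names are kept.  A relative name is joined to the CWD record only when it
    really is cwd-relative (no dirfd for that item, or dirfd == AT_FDCWD).  A name that is
    relative to an open directory fd is reported unresolved: nothing in these records
    carries that descriptor's path, which is the situation in the linkat() records above.
    """
    item_dirfd_args = item_dirfd_args or {}
    sc = ev["syscall"]
    results = []
    for item in sorted(ev["paths"]):
        name = ev["paths"][item]["name"]
        arg = item_dirfd_args.get(item)
        if name.startswith("/"):
            results.append((item, posixpath.normpath(name), "absolute"))
        elif arg is not None and not is_at_fdcwd(sc[arg]):
            results.append((item, name, "unresolved: relative to fd %d, not in records" % int(sc[arg], 16)))
        elif ev["cwd"] is None:
            results.append((item, name, "unresolved: no CWD record"))
        else:
            results.append((item, posixpath.normpath(posixpath.join(ev["cwd"], name)), "cwd-relative"))
    return results


# Event 66 is copied from the records in the message above (line-wrapped records re-joined).
POST_SAMPLE = """\
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303 success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573 pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat" exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1 name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""
# Event 67 is a constructed variant: the same call made with AT_FDCWD for both dirfds.
AT_FDCWD_VARIANT = (POST_SAMPLE.replace(":66)", ":67)")
                    .replace("a0=3 ", "a0=ffffff9c ").replace("a2=4 ", "a2=ffffff9c "))
SAMPLE = POST_SAMPLE + AT_FDCWD_VARIANT

if __name__ == "__main__":
    for serial, ev in sorted(parse_events(SAMPLE).items()):
        print("event", serial, "syscall", ev["syscall"]["syscall"])
        for item, path, how in resolve_paths(ev, LINKAT_I386_DIRFD_ARGS):
            print("  item=%d %-45s %s" % (item, path, how))
```

<p style="margin: 0in; font-family: Calibri; font-size: 10.5pt;" lang="en-US">Running it on event 66 yields the parent directory as an absolute path and both file names as unresolved (relative to fd 3 and fd 4); on the constructed event 67 the same names resolve under the cwd. In a real monitor the unresolved case has to be closed by tracking the paths of open directory descriptors per process (for example from the openat records that created them), since the PATH records alone do not carry them.</p>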