execve
Chris Wright
chrisw at osdl.org
Tue Jun 7 19:35:12 UTC 2005
* Steve Grubb (sgrubb at redhat.com) wrote:
> On Tuesday 07 June 2005 14:38, Debora Velarde wrote:
> > find . -inum 770531
>
> Yes - thanks!
>
> /lib/ld-2.3.5.so
>
> So...wonder why that is in the record at all and why it didn't print its name?
Hmm, well, that's the elf loader, which gets mmap'd during exec for
dynamically linked elf executables (and opened with open_exec()).
That triggers audit_inode() in path_lookup(), which doesn't have the name.
It's assuming audit_getname() already gathered the name, but this name
is not one of the arguments (copied in with getname()), it's in the elf
header of the exectuable and hand copied into the kernel.
More information about the Linux-audit
mailing list