open record looks like openat
Steve Grubb
sgrubb at redhat.com
Fri Jul 27 14:59:12 UTC 2007
On Friday 27 July 2007 10:10:17 John D. Ramsdell wrote:
> Notice this event has two PATH records, whereas all of the many other
> open events I studied in my logs have one PATH record. It's as if the
> open system call can behave as the openat system call. I changed my
> analysis program to use the last PATH record to find the file name, so
> that the same code can be used to analyze open and openat system
> calls.
But openat does give a different output:
type=PATH msg=audit(07/27/2007 10:42:17.954:153) : item=0 name=test inode=6131
dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00
obj=user_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:42:17.954:153) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:42:17.954:153) : arch=i386 syscall=openat
success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=1 ppid=6310
pid=6312 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts0 comm=test
exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0
key=(null)
Now, the output changes if I do not include <sys/stat.h> and do not define
__USE_ATFILE ! When I compile the test program I get a warning: implicit
declaration of function ‘openat’. Lo and behold, the record changes to this:
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=1 name=test inode=6131
dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00
obj=user_u:object_r:tmp_t:s0
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=0 name=/root inode=2
dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:33:59.030:81) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:33:59.030:81) : arch=i386 syscall=openat
success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=2 ppid=4148
pid=4150 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts0 comm=test
exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0
key=(null)
The call in both cases was this:
#define _GNU_SOURCE      /* exposes openat() in <fcntl.h> (sets __USE_ATFILE) */
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <unistd.h>

int main(void)
{
    int dir_fd, fd;
    DIR *d = opendir("/tmp");       /* directory the relative name resolves against */
    if (d == NULL)
        return 1;
    dir_fd = dirfd(d);
    /* relative name, dir_fd is not AT_FDCWD; O_CREAT needs a mode argument */
    fd = openat(dir_fd, "test", O_CREAT|O_RDWR, 0600);
    close(fd);
    closedir(d);
    return 0;
}
In neither record for openat did I get the "/tmp" directory which I thought I
should get. I don't understand why it mutates between the two forms, nor do I
get what I think I should. I suspect the *at functions should have the
referenced directory recorded just as open records the cwd so paths can be
reassembled. It seems like we need an AUDIT_DIR aux record for path recreation
when something relative is used as in the example program.
Any kernel people want to chime in?
-Steve
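An added example, not code from this message or from the audit project, showing the analysis-side consequence of the two record shapes above: a small Python parser groups ausearch-style records by event serial, takes the highest-numbered PATH item as the opened file (the rule the thread settles on), and only joins a relative name against cwd when a0 is AT_FDCWD, flagging the fd-relative case instead of guessing a directory. The first two events are the ones quoted above with SYSCALL fields trimmed to those used; the third event (serial 900) is constructed to exercise the AT_FDCWD branch.

```python
import re
from collections import defaultdict

# AT_FDCWD (-100) as the kernel prints it in a0 for 32- and 64-bit syscall records.
AT_FDCWD = {0xffffff9c, 0xffffffffffffff9c}

# Sample input: the two openat events quoted in the message (one line per record,
# SYSCALL fields trimmed) plus a constructed third event that passes AT_FDCWD as dirfd.
SAMPLE = """\
type=PATH msg=audit(07/27/2007 10:42:17.954:153) : item=0 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:42:17.954:153) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:42:17.954:153) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=1 pid=6312 comm=test
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=1 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=0 name=/root inode=2 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:33:59.030:81) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:33:59.030:81) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=2 pid=4150 comm=test
type=PATH msg=audit(07/27/2007 10:50:00.000:900) : item=0 name=notes.txt inode=777 dev=08:06 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/27/2007 10:50:00.000:900) : cwd=/home/analyst
type=SYSCALL msg=audit(07/27/2007 10:50:00.000:900) : arch=i386 syscall=openat success=yes exit=5 a0=ffffff9c a1=80485d5 a2=0 a3=0 items=1 pid=5000 comm=cat
"""

REC_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")

def parse_events(text):
    """Group records by event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = REC_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
            events[serial][rtype].append(fields)
    return events

def resolve_openat(event):
    """Rebuild the opened path for one openat event and say whether it is trustworthy."""
    sc = event["SYSCALL"][0]
    if sc.get("syscall") != "openat" or not event["PATH"]:
        return None
    # The opened file is the highest-numbered PATH item, whether the event has one or two.
    name = max(event["PATH"], key=lambda p: int(p["item"]))["name"]
    cwd = event["CWD"][0]["cwd"]
    if name.startswith("/"):
        return {"path": name, "resolved": True, "note": "absolute name"}
    if int(sc["a0"], 16) in AT_FDCWD:
        return {"path": cwd + "/" + name, "resolved": True, "note": "relative to cwd"}
    # A real dirfd: no record names that directory, so joining against cwd would be a guess.
    return {"path": name, "resolved": False,
            "note": "relative to fd %s, directory not recorded" % sc["a0"]}
```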