open record looks like openat

Steve Grubb sgrubb at redhat.com
Fri Jul 27 14:59:12 UTC 2007 

On Friday 27 July 2007 10:10:17 John D. Ramsdell wrote:
> Notice this event has two PATH records, whereas all of the many other
> open events I studied in my logs have one PATH record.  It's as if the
> open system call can behave as the openat system call.  I changed my
> analysis program to use the last PATH record to find the file name, so
> that the same code can be used to analyze open and openat system
> calls.

But openat does give a different output:

type=PATH msg=audit(07/27/2007 10:42:17.954:153) : item=0 name=test inode=6131 
dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 
obj=user_u:object_r:tmp_t:s0 
type=CWD msg=audit(07/27/2007 10:42:17.954:153) :  cwd=/root 
type=SYSCALL msg=audit(07/27/2007 10:42:17.954:153) : arch=i386 syscall=openat 
success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=1 ppid=6310 
pid=6312 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts0 comm=test 
exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 
key=(null)

Now, the out put changes if I do not include <sys/stat.h> and do not define  
__USE_ATFILE !  When I compile the test program I get a warning: implicit 
declaration of function ‘openat’. Low and behold the record changes to this:

type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=1 name=test inode=6131 
dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 
obj=user_u:object_r:tmp_t:s0 
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=0  name=/root inode=2 
dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:tmp_t:s0 
type=CWD msg=audit(07/27/2007 10:33:59.030:81) :  cwd=/root 
type=SYSCALL msg=audit(07/27/2007 10:33:59.030:81) : arch=i386 syscall=openat 
success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=2 ppid=4148 
pid=4150 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root 
egid=root sgid=root fsgid=root tty=pts0 comm=test 
exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 
key=(null) 

The call in both cases was this:

int main(void)
{
        int dir_fd, fd;
        DIR *d = opendir("/tmp");
        dir_fd = dirfd(d);
        fd = openat(dir_fd, "test", O_CREAT|O_RDWR);
        close (fd);
        closedir(d);

        return 0;
}

In neither record for openat did I get the "/tmp" directory which I thought I 
should get. I don't understand why it mutates between the two forms, nor do I 
get what I think I should. I suspect the *at functions should have the 
referenced directory recorded just as open records the cwd so paths can be 
reassembled. It seems like we need a AUDIT_DIR aux record for path recreation 
when something relative is used as in the example program.

Any kernel people want to chime in?

-Steve

More information about the Linux-audit mailing list