[PATCH ghak95] audit: Do not log full CWD path on empty relative paths

Steve Grubb sgrubb at redhat.com
Fri Aug 24 15:14:06 UTC 2018


On Friday, August 24, 2018 11:00:35 AM EDT Paul Moore wrote:
> On Thu, Aug 2, 2018 at 8:03 PM Paul Moore <paul at paul-moore.com> wrote:
> > On Thu, Aug 2, 2018 at 7:45 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > > When a relative path has just a single component and we want to emit a
> > > nametype=PARENT record, the current implementation just reports the
> > > full CWD path (which is already available in the audit context).

It is supposed to report the parent directory of the object (file). Never 
mind about CWD. That tells us where the command was issued from. Sometimes 
that is important even if it is already in a PATH record. It is more forensic 
information.

> > > This is wrong for three reasons:
> > > 1. Wasting log space for redundant data (CWD path is already in the CWD
> > > record).

A CWD record is always expected for a file system operation. We are not 
missing any right now. Just don't want to lose them.

> > > 2. Inconsistency with other PATH records (if a relative PARENT
> > > directory path contains at least one component, only the verbatim
> > > relative path is logged).
> > > 3. In some syscalls (e.g. openat(2)) the relative path may not even be
> > > relative to the CWD, but to another directory specified as a file
> > > descriptor. In that case the logged path is simply plain wrong.

This can be fixed in the reporting tools. The biggest problem is when we have 
several PATH records, figuring out how they are all related.

> > > This patch modifies this behavior to simply report "." in the
> > > aforementioned case, which is equivalent to an "empty" directory path
> > > and can be concatenated with the actual base directory path (CWD or
> > > dirfd from openat(2)-like syscall) once support for its logging is
> > > added later. In the meantime, defaulting to CWD as base directory on
> > > relative paths (as already done by the userspace tools) will be enough
> > > to achieve results equivalent to the current behavior.
> > 
> > I have to ask the obvious question, if we already have the necessary
> > parent path in the CWD record, why do we need a nametype=parent PATH
> > record anyway?

CWD is where the command was issued from. Sometimes it can be used as a 
PARENT PATH record. But what if name resolution fails at the parent 
directory? That record turns out to be all we get.

> > Can we safely remove it or will that cause problems for Steve's userspace
> > tools?

The PARENT records are used in figuring out what is really happening in 
certain cases.

-Steve
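The resolution the commit message describes (a relative PATH name, post-patch ".", concatenated onto the CWD record, as the userspace tools already do) and the openat(2) caveat from point 3, as an added example that is not part of this thread or of the audit userspace tools. It assumes the key=value record layout auditd writes, x86_64 syscall numbers, and AT_FDCWD (-100) printed as an unsigned 64-bit register value; the sample events are constructed and abbreviated. It also goes slightly beyond the thread by handling the pre-patch case (full CWD logged as the PARENT name) side by side with the post-patch "." so the two can be compared.

```python
"""Resolve audit PATH records against the event's CWD record.

Added example, not code from the linux-audit thread or the audit userspace
tools. Assumes auditd's key=value record layout, x86_64 syscall numbers and
AT_FDCWD printed as unsigned 64-bit hex. Sample events are constructed.
"""
import posixpath
import re

AT_FDCWD = (-100) & 0xFFFFFFFFFFFFFFFF  # auditd prints a0..a3 as unsigned hex

# x86_64 syscalls that take a dirfd, and which argument slots carry one.
# Assumption: only applied when arch=c000003e; other arches fall back to CWD.
X86_64_ARCH = "c000003e"
DIRFD_ARGS = {
    257: (0,),    # openat
    258: (0,),    # mkdirat
    262: (0,),    # newfstatat
    263: (0,),    # unlinkat
    264: (0, 2),  # renameat
    265: (0, 2),  # linkat
    266: (1,),    # symlinkat
    267: (0,),    # readlinkat
    268: (0,),    # fchmodat
    269: (0,),    # faccessat
}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_record(line):
    """Return (type, serial, fields) for one audit line. Quoted values lose
    their quotes; an unquoted even-length all-hex name/cwd is decoded, since
    audit hex-encodes names containing spaces or control characters."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _ts, serial, body = m.groups()
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("name", "cwd") and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return rtype, int(serial), fields


def resolve_event(lines):
    """Map PATH item -> absolute path (or None) for the records of one event.

    Relative names are joined onto the CWD record, as the userspace tools do
    today; this gives the same result for a pre-patch PARENT (the full CWD)
    and a post-patch one ("."). If the SYSCALL record shows a dirfd other than
    AT_FDCWD, the real base directory is not logged, so relative names come
    back as None rather than a guess (point 3 of the commit message)."""
    syscall = cwd = serial = None
    paths = []
    for line in lines:
        rtype, ser, f = parse_record(line)
        if serial is None:
            serial = ser
        elif ser != serial:
            raise ValueError("mixed events: serial %d vs %d" % (serial, ser))
        if rtype == "SYSCALL":
            syscall = f
        elif rtype == "CWD":
            cwd = f["cwd"]
        elif rtype == "PATH":
            paths.append(f)

    base_known = cwd is not None
    if syscall is not None and syscall.get("arch") == X86_64_ARCH:
        for slot in DIRFD_ARGS.get(int(syscall.get("syscall", "-1")), ()):
            if int(syscall["a%d" % slot], 16) != AT_FDCWD:
                base_known = False  # relative to an fd the log does not show

    resolved = {}
    for p in paths:
        item, name = int(p["item"]), p.get("name")
        if name is None or name == "(null)":
            resolved[item] = None
        elif posixpath.isabs(name):
            resolved[item] = posixpath.normpath(name)
        elif base_known:
            resolved[item] = posixpath.normpath(posixpath.join(cwd, name))
        else:
            resolved[item] = None
    return resolved


# Constructed, abbreviated events: openat(dirfd, "notes.txt", O_CREAT...) from
# /home/alice, with the PARENT record's name and the dirfd varied.
_SYSCALL = ('type=SYSCALL msg=audit(1535123456.789:%d): arch=c000003e syscall=257 '
            'success=yes exit=3 a0=%s a1=7ffd1a2b3c40 a2=241 a3=1b6 items=2 '
            'pid=4242 comm="touch" exe="/usr/bin/touch" key=(null)')
_CWD = 'type=CWD msg=audit(1535123456.789:%d): cwd="/home/alice"'
_PATH = ('type=PATH msg=audit(1535123456.789:%d): item=%d name=%s inode=%d '
         'dev=fd:01 mode=%s ouid=1000 ogid=1000 rdev=00:00 nametype=%s')


def sample_event(serial, dirfd_hex, parent_name):
    """Build one constructed event; parent_name is the quoted PARENT name."""
    return [_SYSCALL % (serial, dirfd_hex), _CWD % serial,
            _PATH % (serial, 0, parent_name, 1234, "040755", "PARENT"),
            _PATH % (serial, 1, '"notes.txt"', 5678, "0100644", "CREATE")]


EVENT_CWD_BASE = sample_event(100, "ffffffffffffff9c", '"."')            # post-patch
EVENT_OLD_KERNEL = sample_event(101, "ffffffffffffff9c", '"/home/alice"')  # pre-patch
EVENT_DIRFD = sample_event(102, "5", '"."')  # relative to fd 5, not CWD

if __name__ == "__main__":
    for ev in (EVENT_CWD_BASE, EVENT_OLD_KERNEL, EVENT_DIRFD):
        print(resolve_event(ev))
```

The first two events resolve identically, which is the equivalence the commit message relies on; the third yields None for every relative name because the dirfd that openat(2) used is not in the log, so any CWD-based answer would be the "plain wrong" path of point 3.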

More information about the Linux-audit mailing list