On Friday 27 July 2007 10:10:17 John D. Ramsdell wrote:
> Notice this event has two PATH records, whereas all of the many other
> open events I studied in my logs have one PATH record. It's as if the
> open system call can behave as the openat system call. I changed my
> analysis program to use the last PATH record to find the file name, so
> that the same code can be used to analyze open and openat system
> calls.
But openat does give a different output:

type=PATH msg=audit(07/27/2007 10:42:17.954:153) : item=0 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:42:17.954:153) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:42:17.954:153) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=1 ppid=6310 pid=6312 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=test exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 key=(null)

Now, the output changes if I do not include <sys/stat.h> and do not define __USE_ATFILE! When I compile the test program I get a warning: implicit declaration of function 'openat'. Lo and behold, the record changes to this:

type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=1 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=0 name=/root inode=2 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:33:59.030:81) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:33:59.030:81) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=2 ppid=4148 pid=4150 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=test exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 key=(null)

The call in both cases was this:

    #define _GNU_SOURCE      /* exposes the openat() declaration in <fcntl.h> */
    #include <dirent.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/stat.h>
    #include <unistd.h>

    int main(void)
    {
        int dir_fd, fd;
        DIR *d = opendir("/tmp");   /* directory the relative name is resolved against */
        if (d == NULL) { perror("opendir"); return 1; }
        dir_fd = dirfd(d);
        /* O_CREAT requires a mode argument; without it the mode is whatever was on the stack */
        fd = openat(dir_fd, "test", O_CREAT|O_RDWR, S_IRUSR|S_IWUSR);
        if (fd < 0) perror("openat"); else close(fd);
        closedir(d);
        return 0;
    }

In neither record for openat did I get the "/tmp" directory which I thought I should get. I don't understand why it mutates between the two forms, nor do I get what I think I should.
I suspect the *at functions should have the referenced directory recorded
just as open records the cwd so paths can be reassembled. It seems like we
need an AUDIT_DIR aux record for path recreation when something relative is
used as in the example program. Any kernel people want to chime in?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
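An added example, not code from this thread or from the audit userspace project: it does what the quoted analysis program is described as doing (take the last PATH record as the file name, join a relative name to the CWD record) and adds the check this thread shows is needed. When an openat-family call was given a real directory fd rather than AT_FDCWD, the event carries no record of that directory, so the resolver reports the name as unresolvable instead of wrongly joining it to cwd. The two openat events from the mail are embedded as constructed input, together with two constructed events (serials 201 and 202, with abbreviated SYSCALL records) for a plain open and for openat with AT_FDCWD, which the resolver handles as well. The assumption in signed_arg that the kernel prints a0 without leading zeros, so the hex width reveals the register width, is this example's own.

```python
import os
import re
from collections import defaultdict

AT_FDCWD = -100  # openat(2): "resolve the name relative to the current working directory"

# Constructed sample input: the two openat events quoted in the mail (serials 153 and
# 81) plus two constructed events (201, 202) whose SYSCALL records are abbreviated.
SAMPLE_LOG = """\
type=PATH msg=audit(07/27/2007 10:42:17.954:153) : item=0 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:42:17.954:153) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:42:17.954:153) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=1 ppid=6310 pid=6312 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=test exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 key=(null)
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=1 name=test inode=6131 dev=08:06 mode=file,sgid,451 ouid=root ogid=root rdev=00:00 obj=user_u:object_r:tmp_t:s0
type=PATH msg=audit(07/27/2007 10:33:59.030:81) : item=0 name=/root inode=2 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(07/27/2007 10:33:59.030:81) : cwd=/root
type=SYSCALL msg=audit(07/27/2007 10:33:59.030:81) : arch=i386 syscall=openat success=yes exit=4 a0=3 a1=80485d5 a2=42 a3=8048529 items=2 ppid=4148 pid=4150 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=test exe=/home/sgrubb/test/openat/test subj=user_u:system_r:unconfined_t:s0 key=(null)
type=PATH msg=audit(07/27/2007 11:00:00.000:201) : item=0 name=notes.txt inode=7001 dev=08:06 mode=file,644 ouid=sgrubb ogid=sgrubb rdev=00:00
type=CWD msg=audit(07/27/2007 11:00:00.000:201) : cwd=/home/sgrubb
type=SYSCALL msg=audit(07/27/2007 11:00:00.000:201) : arch=i386 syscall=open success=yes exit=3 a0=80485d5 a1=0 a2=0 a3=0 items=1 pid=5000 comm=cat key=(null)
type=PATH msg=audit(07/27/2007 11:00:01.000:202) : item=0 name=.bashrc inode=7002 dev=08:06 mode=file,644 ouid=sgrubb ogid=sgrubb rdev=00:00
type=CWD msg=audit(07/27/2007 11:00:01.000:202) : cwd=/home/sgrubb
type=SYSCALL msg=audit(07/27/2007 11:00:01.000:202) : arch=i386 syscall=openat success=yes exit=3 a0=ffffff9c a1=80485d5 a2=0 a3=0 items=1 pid=5001 comm=bash key=(null)
"""

# Interpreted record layout: "type=T msg=audit(timestamp:serial) : k=v k=v ..."
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")

# Calls whose single path argument is resolved against the dirfd in a0.  Two-dirfd
# calls (renameat, linkat, symlinkat) are out of scope for this example.
DIRFD_A0_CALLS = {"openat", "mkdirat", "unlinkat", "fstatat", "newfstatat", "fchmodat",
                  "fchownat", "faccessat", "readlinkat", "mknodat", "utimensat", "futimesat"}


def parse_records(text):
    """Yield (type, serial, fields) for every well-formed record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("body").split() if "=" in tok)
        yield m.group("type"), m.group("serial"), fields


def group_events(text):
    """Group records by serial: {serial: {'syscall': fields, 'cwd': str, 'paths': [fields]}}."""
    events = defaultdict(lambda: {"syscall": None, "cwd": None, "paths": []})
    for rtype, serial, fields in parse_records(text):
        ev = events[serial]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return dict(events)


def signed_arg(hexval):
    """Read a syscall argument printed as unsigned hex (a0=ffffff9c) as a signed int.
    Assumption: the kernel prints no leading zeros, so 8 hex digits means a 32-bit
    register and 16 means 64-bit; -100 (AT_FDCWD) always fills the full width."""
    v = int(hexval, 16)
    bits = 4 * len(hexval)
    if bits >= 32 and v >= 1 << (bits - 1):
        return v - (1 << bits)
    return v


def resolve_event(ev):
    """Return (absolute_path_or_None, how).  The PATH record with the highest item
    number names the object that was opened; lower items are parent directories."""
    sc = ev["syscall"] or {}
    paths = sorted(ev["paths"], key=lambda p: int(p.get("item", 0)))
    if not paths:
        return None, "no PATH record"
    name = paths[-1]["name"]
    if name.startswith("/"):
        return os.path.normpath(name), "absolute"
    if sc.get("syscall") in DIRFD_A0_CALLS:
        dirfd = signed_arg(sc["a0"])
        if dirfd != AT_FDCWD:
            # The directory behind dirfd is not in the event, so cwd must not be used.
            return None, "relative to dirfd %d, which the event does not record" % dirfd
    if not ev["cwd"]:
        return None, "relative name but no CWD record"
    return os.path.normpath(os.path.join(ev["cwd"], name)), "cwd-relative"


def resolve_all(text):
    """Map every serial in the log to its resolved (path, how) pair."""
    return {serial: resolve_event(ev) for serial, ev in group_events(text).items()}


if __name__ == "__main__":
    for serial, (path, how) in sorted(resolve_all(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print("%s: %s (%s)" % (serial, path, how))
```

Run as a script it prints one line per event. For event 81 a resolver that simply joined the item 0 directory with the last name would report /root/test, but the mail says the file was created under /tmp, which is why the dirfd check refuses to guess rather than producing a confident wrong path; events 201 and 202 show the cwd join that is correct for open and for openat with AT_FDCWD.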