On Wed, Mar 14, 2018 at 1:43 AM, Richard Guy Briggs <r...@redhat.com> wrote: > Audit link denied events for symlinks had duplicate PATH records rather > than just updating the existing PATH record. Update the symlink's PATH > record with the current dentry and inode information. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > fs/namei.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/namei.c b/fs/namei.c > index 50d2533..00f5041 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -945,6 +945,7 @@ static inline int may_follow_link(struct nameidata *nd) > if (nd->flags & LOOKUP_RCU) > return -ECHILD; > > + audit_inode(nd->name, nd->stack[0].link.dentry, 0); > audit_log_link_denied("follow_link", &nd->stack[0].link);
That's the one, right above this comment ... Be honest, this never compiled did it? My confidence for these patches is really low right now, which is not good for something asking to go in at this stage in the -rcX development cycle. There have been some delays due to review, so I'm willing to be a little flexible on timelines and accept stuff this week, but for the v4 patchset please provide before and after audit logs for both hard and soft links both where CWD is the same as the parent as well as different (eight logs total if I did the math right). You can include them in the 0/2 patch as it's probably a bit much for the individual patches. > return -EACCES; > } > -- > 1.8.3.1 -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit