On 7/22/20 9:47 PM, Richard Guy Briggs wrote:
> On 2020-07-18 20:56, Dominick Grift wrote:
>> On 7/18/20 8:40 PM, bauen1 wrote:
>>> Hi,
>>> After upgrading from linux 5.6 to 5.7 on my debian machines with selinux
>>> I've started seeing this null pointer dereference in the audit system. I've
>>> included shortened logs for 5.6 without the error and from 5.7 with the
>>> error from my laptop. I've also seen it happen in a VM and a server, but
>>> don't have the logs anymore. Grift was able to reproduce (presumably) the
>>> same issue on fedora with 5.8-rc4.
>>>
>>> Steps to reproduce:
>>> Write an selinux policy with a domain for systemd-user-runtime-dir and
>>> audit all permissions of the dir class. E.g. `(auditallow
>>> systemd_user_runtime_dir_t all_types (dir (all)))`
>>> Switch to permissive mode.
>>> Create a new user and login, log out and wait a few seconds for systemd to
>>> stop user-runtime-dir@<uid>.service
>>
>> This should be a reproducer:
>>
>> echo "(auditallow systemd_logind_t file_type (dir (all)))" > mytest.cil && sudo semodule -i mytest.cil
>> reboot
>
> Is this recipe complete? Is permissive mode needed? Is the user
> create/login/logout needed?
Are you saying you can't reproduce it?
It *should* be complete, yes. With kernel 5.7/5.8 it should oops when you
reboot.
I will admit though that I adjusted the reproducer a little bit in an
attempt to make it fit fedora.
So if it doesn't oops for you and if you use 5.7/5.8 then maybe the
reproducer got mangled in the conversion.
>
>>> I believe this issue was made visible by
>>> 1320a4052ea11eb2879eb7361da15a106a780972.
>>> Now an AUDIT_PATH event is also generated by default and
>>> systemd-user-runtime-dir is making syscalls that audit_log_name can't
>>> handle.
>>>
>>> I hope this is enough info to find the root cause.
>>> - bauen1
>>>
>>> Log without crash (5.6):
>>>
>>> Jul 18 14:26:36 jh-mba kernel: Linux version 5.6.0-2-amd64
>>> (debian-ker...@lists.debian.org) (gcc version 9.3.0 (Debian 9.3.0-13)) #1
>>> SMP Debian 5.6.14-2 (2020-06-09)
>>> Jul 18 14:27:53 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1001
>>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>>> res=success'
>>> Jul 18 14:27:53 jh-mba systemd[1]: Stopping User Runtime Directory
>>> /run/user/1001...
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for
>>> pid=3178 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/dconf" dev="tmpfs"
>>> ino=41325 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/dconf" dev="tmpfs"
>>> ino=41325 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for
>>> pid=3178 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for
>>> pid=3178 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
>>> pid=3178 comm="systemd-user-ru" name="user" dev="tmpfs" ino=41326
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="user" dev="tmpfs" ino=41326
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=file permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for
>>> pid=3178 comm="systemd-user-ru" name="gvfs" dev="tmpfs" ino=42315
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/gvfs" dev="tmpfs"
>>> ino=42315 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/gvfs" dev="tmpfs"
>>> ino=42315 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="gvfs" dev="tmpfs" ino=42315
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for
>>> pid=3178 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/dbus-1" dev="tmpfs"
>>> ino=39557 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/dbus-1" dev="tmpfs"
>>> ino=39557 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for
>>> pid=3178 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for
>>> pid=3178 comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
>>> pid=3178 comm="systemd-user-ru" name="services" dev="tmpfs" ino=39558
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="services" dev="tmpfs" ino=39558
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/pulse" dev="tmpfs"
>>> ino=41258 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/pulse" dev="tmpfs"
>>> ino=41258 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for
>>> pid=3178 comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for
>>> pid=3178 comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
>>> pid=3178 comm="systemd-user-ru" name="native" dev="tmpfs" ino=41259
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="native" dev="tmpfs" ino=41259
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=sock_file permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="bus" dev="tmpfs" ino=41239
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file
>>> permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for
>>> pid=3178 comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/gnupg" dev="tmpfs"
>>> ino=42225 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/gnupg" dev="tmpfs"
>>> ino=42225 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for
>>> pid=3178 comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for
>>> pid=3178 comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
>>> pid=3178 comm="systemd-user-ru" name="S.gpg-agent" dev="tmpfs" ino=41252
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="S.gpg-agent" dev="tmpfs" ino=41252
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=sock_file permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/systemd" dev="tmpfs"
>>> ino=39472 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for
>>> pid=3178 comm="systemd-user-ru" path="/run/user/1001/systemd" dev="tmpfs"
>>> ino=39472 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for
>>> pid=3178 comm="systemd-user-ru" name="systemd" dev="tmpfs" ino=39472
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for
>>> pid=3178 comm="systemd-user-ru" name="systemd" dev="tmpfs" ino=39472
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
>>> pid=3178 comm="systemd-user-ru" name="private" dev="tmpfs" ino=41230
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="private" dev="tmpfs" ino=41230
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file
>>> permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for
>>> pid=3178 comm="systemd-user-ru" name="notify" dev="tmpfs" ino=41226
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file
>>> permissive=1
>>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for
>>> pid=3178 comm="systemd-user-ru" name="units" dev="tmpfs" ino=39473
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>>> Jul 18 14:27:53 jh-mba systemd[2501]: run-user-1001.mount: Succeeded.
>>> Jul 18 14:27:53 jh-mba systemd[1]: run-user-1001.mount: Succeeded.
>>> Jul 18 14:27:53 jh-mba systemd[2839]: run-user-1001.mount: Succeeded.
>>> Jul 18 14:27:53 jh-mba systemd[1]: user-runtime-dir@1001.service: Succeeded.
>>> Jul 18 14:27:53 jh-mba systemd[1]: Stopped User Runtime Directory
>>> /run/user/1001.
>>>
>>>
>>> Log with crash (5.7):
>>>
>>> Jul 18 14:30:09 jh-mba kernel: Linux version 5.7.0-1-amd64
>>> (debian-ker...@lists.debian.org) (gcc version 9.3.0 (Debian 9.3.0-14), GNU
>>> ld (GNU Binutils for Debian) 2.34) #1 SMP Debian 5.7.6-1 (2020-06-24)
>>> Jul 18 14:35:10 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1001
>>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>>> res=success'
>>> Jul 18 14:35:10 jh-mba systemd[1]: Stopping User Runtime Directory
>>> /run/user/1001...
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { read } for
>>> pid=3163 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { open } for
>>> pid=3163 comm="systemd-user-ru" path="/run/user/1001/dconf" dev="tmpfs"
>>> ino=39541 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=257
>>> success=yes exit=4 a0=3 a1=55edb4e41073 a2=f0800 a3=0 items=0 ppid=1
>>> pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-ru"
>>> exe="/usr/lib/systemd/systemd-user-runtime-dir"
>>> subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>>> Jul 18 14:35:10 jh-mba audit: PROCTITLE
>>> proctitle=2F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303031
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { getattr } for
>>> pid=3163 comm="systemd-user-ru" path="/run/user/1001/dconf" dev="tmpfs"
>>> ino=39541 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=5
>>> success=yes exit=0 a0=4 a1=7fff95e523b0 a2=7fff95e523b0 a3=7fff95e52414
>>> items=0 ppid=1 pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-user-ru"
>>> exe="/usr/lib/systemd/systemd-user-runtime-dir"
>>> subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>>> Jul 18 14:35:10 jh-mba audit: PROCTITLE
>>> proctitle=2F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303031
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { search } for
>>> pid=3163 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { write } for
>>> pid=3163 comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { remove_name } for
>>> pid=3163 comm="systemd-user-ru" name="user" dev="tmpfs" ino=39542
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { unlink } for
>>> pid=3163 comm="systemd-user-ru" name="user" dev="tmpfs" ino=39542
>>> scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
>>> tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=file permissive=1
>>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=263
>>> success=yes exit=0 a0=4 a1=55edb4e490b3 a2=0 a3=4 items=2 ppid=1 pid=3163
>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>> tty=(none) ses=4294967295 comm="systemd-user-ru"
>>> exe="/usr/lib/systemd/systemd-user-runtime-dir"
>>> subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>>> Jul 18 14:35:10 jh-mba kernel: BUG: kernel NULL pointer dereference,
>>> address: 0000000000000060
>>> Jul 18 14:35:10 jh-mba kernel: #PF: supervisor read access in kernel mode
>>> Jul 18 14:35:10 jh-mba kernel: #PF: error_code(0x0000) - not-present page
>>> Jul 18 14:35:11 jh-mba kernel: PGD 0 P4D 0
>>> Jul 18 14:35:11 jh-mba kernel: Oops: 0000 [#1] SMP PTI
>>> Jul 18 14:35:11 jh-mba kernel: CPU: 1 PID: 3163 Comm: systemd-user-ru
>>> Tainted: P OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
>>> Jul 18 14:35:11 jh-mba kernel: Hardware name: Apple Inc.
>>> MacBookAir6,2/Mac-7DF21CB3ED6977E5, BIOS 110.0.0.0.0 09/17/2018
>>> Jul 18 14:35:11 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>>> Jul 18 14:35:11 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54
>>> 24 04 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48
>>> 89 44 24 08 <48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b
>>> 7f 18
>>> Jul 18 14:35:11 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>>> Jul 18 14:35:11 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060
>>> RCX: 00000000000004dd
>>> Jul 18 14:35:11 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000
>>> RDI: 0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060
>>> R09: 0000000000000006
>>> Jul 18 14:35:11 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030
>>> R12: ffff9a524fc522b0
>>> Jul 18 14:35:11 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000
>>> R15: 0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: FS: 00007ff68934e980(0000)
>>> GS:ffff9a5267280000(0000) knlGS:0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
>>> 0000000080050033
>>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002
>>> CR4: 00000000001606e0
>>> Jul 18 14:35:11 jh-mba kernel: Call Trace:
>>> Jul 18 14:35:11 jh-mba kernel: audit_log_d_path+0x75/0xd0
>>> Jul 18 14:35:11 jh-mba kernel: audit_log_exit+0x63d/0xcf0
>>> Jul 18 14:35:11 jh-mba kernel: ? audit_filter_inodes+0x2e/0x100
>>> Jul 18 14:35:11 jh-mba kernel: __audit_syscall_exit+0x23b/0x2a0
>>> Jul 18 14:35:11 jh-mba kernel: syscall_slow_exit_work+0x117/0x140
>>> Jul 18 14:35:11 jh-mba kernel: do_syscall_64+0x10e/0x180
>>> Jul 18 14:35:11 jh-mba kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>> Jul 18 14:35:11 jh-mba kernel: RIP: 0033:0x7ff689f8eb67
>>> Jul 18 14:35:11 jh-mba kernel: Code: 73 01 c3 48 8b 0d 29 d3 0c 00 f7 d8 64
>>> 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01
>>> 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 d2 0c 00 f7 d8 64 89
>>> 01 48
>>> Jul 18 14:35:11 jh-mba kernel: RSP: 002b:00007fff95e52468 EFLAGS: 00000246
>>> ORIG_RAX: 0000000000000107
>>> Jul 18 14:35:11 jh-mba kernel: RAX: 0000000000000000 RBX: 00007ff68934e830
>>> RCX: 00007ff689f8eb67
>>> Jul 18 14:35:11 jh-mba kernel: RDX: 0000000000000000 RSI: 000055edb4e490b3
>>> RDI: 0000000000000004
>>> Jul 18 14:35:11 jh-mba kernel: RBP: 0000000000000004 R08: 000055edb4e490a0
>>> R09: 00007ff68a05cbe0
>>> Jul 18 14:35:11 jh-mba kernel: R10: 0000000000000004 R11: 0000000000000246
>>> R12: 000055edb4e49040
>>> Jul 18 14:35:11 jh-mba kernel: R13: 0000000000000000 R14: 000055edb4e490a0
>>> R15: 000055edb4e490b3
>>> Jul 18 14:35:11 jh-mba kernel: Modules linked in: rfcomm bnep xt_CHECKSUM
>>> cpufreq_powersave xt_MASQUERADE cpufreq_conservative cpufreq_userspace
>>> xt_tcpudp nft_compat bridge stp llc overlay fuse nft_chain_nat nf_nat
>>> nf_log_ipv6 nf_log_ipv4 nf_log_common nft_log veth intel_rapl_msr btusb
>>> btrtl btbcm joydev binfmt_misc btintel nls_ascii nls_cp437 vfat fat
>>> bluetooth nft_counter drbg intel_rapl_common asix ansi_cprng ecdh_generic
>>> usbnet ecc mii vrf libphy x86_pkg_temp_thermal intel_powerclamp applesmc
>>> snd_hda_codec_hdmi snd_hda_codec_cirrus snd_hda_codec_generic coretemp
>>> ledtrig_audio evdev wireguard kvm_intel curve25519_x86_64
>>> libcurve25519_generic libchacha20poly1305 snd_hda_intel kvm bcm5974 wl(POE)
>>> snd_intel_dspcfg chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel efi_pstore
>>> udp_tunnel irqbypass snd_hda_codec libblake2s cfg80211 intel_cstate
>>> snd_hda_core blake2s_x86_64 libblake2s_generic libchacha snd_hwdep
>>> intel_uncore iTCO_wdt i915 iTCO_vendor_support intel_rapl_perf snd_pcm
>>> nft_ct sg efivars pcspkr nf_conntrack
>>> Jul 18 14:35:11 jh-mba kernel: watchdog rfkill snd_timer nf_defrag_ipv6
>>> nf_defrag_ipv4 drm_kms_helper mei_me snd mei cec soundcore i2c_algo_bit sbs
>>> sbshc acpi_als kfifo_buf industrialio apple_bl ac button bonding nf_tables
>>> parport_pc(E) nfnetlink ppdev(E) lp(E) drm parport(E) sunrpc efivarfs
>>> ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic
>>> zstd_decompress zstd_compress hid_apple hid_generic usbhid hid dm_crypt
>>> dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
>>> async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear
>>> md_mod uas usb_storage sd_mod t10_pi crc_t10dif crct10dif_generic
>>> crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel
>>> ghash_clmulni_intel ahci libahci xhci_pci aesni_intel xhci_hcd libaes
>>> crypto_simd libata cryptd glue_helper usbcore scsi_mod i2c_i801 thunderbolt
>>> lpc_ich mfd_core usb_common spi_pxa2xx_platform dw_dmac video dw_dmac_core
>>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060
>>> Jul 18 14:35:11 jh-mba kernel: ---[ end trace 01b46d19ab2d30bf ]---
>>> Jul 18 14:35:11 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>>> Jul 18 14:35:11 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54
>>> 24 04 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48
>>> 89 44 24 08 <48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b
>>> 7f 18
>>> Jul 18 14:35:11 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>>> Jul 18 14:35:11 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060
>>> RCX: 00000000000004dd
>>> Jul 18 14:35:11 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000
>>> RDI: 0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060
>>> R09: 0000000000000006
>>> Jul 18 14:35:11 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030
>>> R12: ffff9a524fc522b0
>>> Jul 18 14:35:11 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000
>>> R15: 0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: FS: 00007ff68934e980(0000)
>>> GS:ffff9a5267280000(0000) knlGS:0000000000000000
>>> Jul 18 14:35:11 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
>>> 0000000080050033
>>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002
>>> CR4: 00000000001606e0
>>> Jul 18 14:35:11 jh-mba kernel: BUG: kernel NULL pointer dereference,
>>> address: 0000000000000060
>>> Jul 18 14:35:11 jh-mba kernel: #PF: supervisor read access in kernel mode
>>> Jul 18 14:35:12 jh-mba kernel: #PF: error_code(0x0000) - not-present page
>>> Jul 18 14:35:13 jh-mba kernel: PGD 0 P4D 0
>>> Jul 18 14:35:13 jh-mba kernel: Oops: 0000 [#2] SMP PTI
>>> Jul 18 14:35:13 jh-mba kernel: CPU: 1 PID: 3163 Comm: systemd-user-ru
>>> Tainted: P D OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
>>> Jul 18 14:35:13 jh-mba kernel: Hardware name: Apple Inc.
>>> MacBookAir6,2/Mac-7DF21CB3ED6977E5, BIOS 110.0.0.0.0 09/17/2018
>>> Jul 18 14:35:13 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>>> Jul 18 14:35:13 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54
>>> 24 04 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48
>>> 89 44 24 08 <48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b
>>> 7f 18
>>> Jul 18 14:35:13 jh-mba kernel: RSP: 0018:ffffb71e411cfde0 EFLAGS: 00010282
>>> Jul 18 14:35:13 jh-mba kernel: RAX: ffff9a525f18500b RBX: ffff9a524fc52060
>>> RCX: 00000000000004e0
>>> Jul 18 14:35:13 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f184000
>>> RDI: 0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: RBP: ffffb71e411cfe10 R08: ffff9a52672b0060
>>> R09: 0000000000000006
>>> Jul 18 14:35:13 jh-mba kernel: R10: ffff9a522c99cec0 R11: ffff9a532c99c830
>>> R12: ffff9a524fc522b0
>>> Jul 18 14:35:13 jh-mba kernel: R13: ffff9a52658d35e8 R14: ffff9a524fc52000
>>> R15: 0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: FS: 00007ff68934e980(0000)
>>> GS:ffff9a5267280000(0000) knlGS:0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
>>> 0000000080050033
>>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002
>>> CR4: 00000000001606e0
>>> Jul 18 14:35:13 jh-mba kernel: Call Trace:
>>> Jul 18 14:35:13 jh-mba kernel: audit_log_d_path+0x75/0xd0
>>> Jul 18 14:35:13 jh-mba kernel: audit_log_exit+0x63d/0xcf0
>>> Jul 18 14:35:13 jh-mba kernel: ? audit_log_d_path+0x75/0xd0
>>> Jul 18 14:35:13 jh-mba kernel: ? audit_filter_inodes+0x2e/0x100
>>> Jul 18 14:35:13 jh-mba kernel: __audit_free+0x233/0x260
>>> Jul 18 14:35:13 jh-mba kernel: do_exit+0x8d3/0xb50
>>> Jul 18 14:35:13 jh-mba kernel: ? syscall_slow_exit_work+0x117/0x140
>>> Jul 18 14:35:13 jh-mba kernel: rewind_stack_do_exit+0x17/0x20
>>> Jul 18 14:35:13 jh-mba kernel: RIP: 0033:0x7ff689f8eb67
>>> Jul 18 14:35:13 jh-mba kernel: Code: 73 01 c3 48 8b 0d 29 d3 0c 00 f7 d8 64
>>> 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01
>>> 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 d2 0c 00 f7 d8 64 89
>>> 01 48
>>> Jul 18 14:35:13 jh-mba kernel: RSP: 002b:00007fff95e52468 EFLAGS: 00000246
>>> ORIG_RAX: 0000000000000107
>>> Jul 18 14:35:13 jh-mba kernel: RAX: 0000000000000000 RBX: 00007ff68934e830
>>> RCX: 00007ff689f8eb67
>>> Jul 18 14:35:13 jh-mba kernel: RDX: 0000000000000000 RSI: 000055edb4e490b3
>>> RDI: 0000000000000004
>>> Jul 18 14:35:13 jh-mba kernel: RBP: 0000000000000004 R08: 000055edb4e490a0
>>> R09: 00007ff68a05cbe0
>>> Jul 18 14:35:13 jh-mba kernel: R10: 0000000000000004 R11: 0000000000000246
>>> R12: 000055edb4e49040
>>> Jul 18 14:35:13 jh-mba kernel: R13: 0000000000000000 R14: 000055edb4e490a0
>>> R15: 000055edb4e490b3
>>> Jul 18 14:35:13 jh-mba kernel: Modules linked in: rfcomm bnep xt_CHECKSUM
>>> cpufreq_powersave xt_MASQUERADE cpufreq_conservative cpufreq_userspace
>>> xt_tcpudp nft_compat bridge stp llc overlay fuse nft_chain_nat nf_nat
>>> nf_log_ipv6 nf_log_ipv4 nf_log_common nft_log veth intel_rapl_msr btusb
>>> btrtl btbcm joydev binfmt_misc btintel nls_ascii nls_cp437 vfat fat
>>> bluetooth nft_counter drbg intel_rapl_common asix ansi_cprng ecdh_generic
>>> usbnet ecc mii vrf libphy x86_pkg_temp_thermal intel_powerclamp applesmc
>>> snd_hda_codec_hdmi snd_hda_codec_cirrus snd_hda_codec_generic coretemp
>>> ledtrig_audio evdev wireguard kvm_intel curve25519_x86_64
>>> libcurve25519_generic libchacha20poly1305 snd_hda_intel kvm bcm5974 wl(POE)
>>> snd_intel_dspcfg chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel efi_pstore
>>> udp_tunnel irqbypass snd_hda_codec libblake2s cfg80211 intel_cstate
>>> snd_hda_core blake2s_x86_64 libblake2s_generic libchacha snd_hwdep
>>> intel_uncore iTCO_wdt i915 iTCO_vendor_support intel_rapl_perf snd_pcm
>>> nft_ct sg efivars pcspkr nf_conntrack
>>> Jul 18 14:35:13 jh-mba kernel: watchdog rfkill snd_timer nf_defrag_ipv6
>>> nf_defrag_ipv4 drm_kms_helper mei_me snd mei cec soundcore i2c_algo_bit sbs
>>> sbshc acpi_als kfifo_buf industrialio apple_bl ac button bonding nf_tables
>>> parport_pc(E) nfnetlink ppdev(E) lp(E) drm parport(E) sunrpc efivarfs
>>> ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic
>>> zstd_decompress zstd_compress hid_apple hid_generic usbhid hid dm_crypt
>>> dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
>>> async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear
>>> md_mod uas usb_storage sd_mod t10_pi crc_t10dif crct10dif_generic
>>> crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel
>>> ghash_clmulni_intel ahci libahci xhci_pci aesni_intel xhci_hcd libaes
>>> crypto_simd libata cryptd glue_helper usbcore scsi_mod i2c_i801 thunderbolt
>>> lpc_ich mfd_core usb_common spi_pxa2xx_platform dw_dmac video dw_dmac_core
>>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060
>>> Jul 18 14:35:13 jh-mba kernel: ---[ end trace 01b46d19ab2d30c0 ]---
>>> Jul 18 14:35:13 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>>> Jul 18 14:35:13 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54
>>> 24 04 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48
>>> 89 44 24 08 <48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b
>>> 7f 18
>>> Jul 18 14:35:13 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>>> Jul 18 14:35:13 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060
>>> RCX: 00000000000004dd
>>> Jul 18 14:35:13 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000
>>> RDI: 0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060
>>> R09: 0000000000000006
>>> Jul 18 14:35:13 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030
>>> R12: ffff9a524fc522b0
>>> Jul 18 14:35:13 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000
>>> R15: 0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: FS: 00007ff68934e980(0000)
>>> GS:ffff9a5267280000(0000) knlGS:0000000000000000
>>> Jul 18 14:35:13 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
>>> 0000000080050033
>>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002
>>> CR4: 00000000001606e0
>>> Jul 18 14:35:13 jh-mba kernel: Fixing recursive fault but reboot is needed!
>>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=263 a0=4
>>> a1=55edb4e490b3 a2=0 a3=4 items=2 ppid=1 pid=3163 auid=4294967295 uid=0
>>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>> comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir"
>>> subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>>> Jul 18 14:35:14 jh-mba systemd[1]: systemd-hostnamed.service: Succeeded.
>>> Jul 18 14:35:14 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed
>>> comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>>> res=success'
>>>
>>> Line information from the debian linux-image-5.7.0-1-amd64 (version
>>> 5.7.6-1) package, duplicates omitted:
>>>
>>> Reading symbols from /usr/lib/debug/boot/vmlinux-5.7.0-1-amd64...
>>> (gdb) l *d_path+0x35
>>> 0xffffffff812dcee5 is in d_path (fs/d_path.c:275).
>>> 270 *
>>> 271 * Some pseudo inodes are mountable. When they are mounted
>>> 272 * path->dentry == path->mnt->mnt_root. In that case don't
>>> call d_dname
>>> 273 * and instead have d_path return the mounted path.
>>> 274 */
>>> 275 if (path->dentry->d_op && path->dentry->d_op->d_dname &&
>>> 276 (!IS_ROOT(path->dentry) || path->dentry !=
>>> path->mnt->mnt_root))
>>> 277 return path->dentry->d_op->d_dname(path->dentry,
>>> buf, buflen);
>>> 278
>>> 279 rcu_read_lock();
>>> (gdb) l *audit_log_d_path+0x75
>>> 0xffffffff8114f175 is in audit_log_d_path (kernel/audit.c:2046).
>>> 2041 pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
>>> 2042 if (!pathname) {
>>> 2043 audit_log_string(ab, "<no_memory>");
>>> 2044 return;
>>> 2045 }
>>> 2046 p = d_path(path, pathname, PATH_MAX+11);
>>> 2047 if (IS_ERR(p)) { /* Should never happen since we send
>>> PATH_MAX */
>>> 2048 /* FIXME: can we save some information here? */
>>> 2049 audit_log_string(ab, "<too_long>");
>>> 2050 } else
>>> (gdb) l *audit_log_exit+0x63d
>>> 0xffffffff8115445d is in audit_log_exit (kernel/auditsc.c:1342).
>>> 1337 case 0:
>>> 1338 /* name was specified as a relative path
>>> and the
>>> 1339 * directory component is the cwd
>>> 1340 */
>>> 1341 audit_log_d_path(ab, " name=",
>>> &context->pwd);
>>> 1342 break;
>>> 1343 default:
>>> 1344 /* log the name's directory component */
>>> 1345 audit_log_format(ab, " name=");
>>> 1346 audit_log_n_untrustedstring(ab,
>>> n->name->name,
>>> (gdb) l *audit_filter_inodes+0x2e
>>> 0xffffffff81155e2e is in audit_filter_inodes (kernel/auditsc.c:835).
>>> 830 */
>>> 831 void audit_filter_inodes(struct task_struct *tsk, struct
>>> audit_context *ctx)
>>> 832 {
>>> 833 struct audit_names *n;
>>> 834
>>> 835 if (auditd_test_task(tsk))
>>> 836 return;
>>> 837
>>> 838 rcu_read_lock();
>>> 839
>>> (gdb) l *__audit_syscall_exit+0x23b
>>> 0xffffffff8115661b is in __audit_syscall_exit (kernel/auditsc.c:1710).
>>> 1705
>>> 1706 audit_filter_syscall(current, context,
>>> 1707
>>> &audit_filter_list[AUDIT_FILTER_EXIT]);
>>> 1708 audit_filter_inodes(current, context);
>>> 1709 if (context->current_state == AUDIT_RECORD_CONTEXT)
>>> 1710 audit_log_exit();
>>> 1711 }
>>> 1712
>>> 1713 context->in_syscall = 0;
>>> 1714 context->prio = context->state == AUDIT_RECORD_CONTEXT ?
>>> ~0ULL : 0;
>>> (gdb) l *syscall_slow_exit_work+0x117
>>> 0xffffffff81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
>>> 311 {
>>> 312 if (unlikely(audit_context())) {
>>> 313 int success = is_syscall_success(pt_regs);
>>> 314 long return_code = regs_return_value(pt_regs);
>>> 315
>>> 316 __audit_syscall_exit(success, return_code);
>>> 317 }
>>> 318 }
>>> 319 static inline struct filename *audit_reusename(const __user char
>>> *name)
>>> 320 {
>>> (gdb) l *do_syscall_64+0x10e
>>> 0xffffffff8100543e is in do_syscall_64 (arch/x86/entry/common.c:276).
>>> warning: Source file is more recent than executable.
>>> 271 /*
>>> 272 * First do one-time work. If these work items are
>>> enabled, we
>>> 273 * want to run them exactly once per syscall exit with IRQs
>>> on.
>>> 274 */
>>> 275 if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS))
>>> 276 syscall_slow_exit_work(regs, cached_flags);
>>> 277
>>> 278 local_irq_disable();
>>> 279 prepare_exit_to_usermode(regs);
>>> 280 }
>>> (gdb) l *entry_SYSCALL_64_after_hwframe+0x44
>>> 0xffffffff8180008c is at
>>> /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S:184.
>>> 179 /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S: No such
>>> file or directory.
>>> (gdb) l *__audit_free+0x233
>>> 0xffffffff81156283 is in __audit_free (kernel/auditsc.c:1602).
>>> 1597
>>> 1598 audit_filter_syscall(tsk, context,
>>> 1599
>>> &audit_filter_list[AUDIT_FILTER_EXIT]);
>>> 1600 audit_filter_inodes(tsk, context);
>>> 1601 if (context->current_state == AUDIT_RECORD_CONTEXT)
>>> 1602 audit_log_exit();
>>> 1603 }
>>> 1604
>>> 1605 audit_set_context(tsk, NULL);
>>> 1606 audit_free_context(context);
>>> (gdb) l *do_exit+0x8d3
>>> 0xffffffff81088ce3 is in do_exit (include/linux/audit.h:301).
>>> 296 return !p || *(int *)p;
>>> 297 }
>>> 298 static inline void audit_free(struct task_struct *task)
>>> 299 {
>>> 300 if (unlikely(task->audit_context))
>>> 301 __audit_free(task);
>>> 302 }
>>> 303 static inline void audit_syscall_entry(int major, unsigned long a0,
>>> 304 unsigned long a1, unsigned
>>> long a2,
>>> 305 unsigned long a3)
>>> (gdb) l *syscall_slow_exit_work+0x117
>>> 0xffffffff81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
>>> 311 {
>>> 312 if (unlikely(audit_context())) {
>>> 313 int success = is_syscall_success(pt_regs);
>>> 314 long return_code = regs_return_value(pt_regs);
>>> 315
>>> 316 __audit_syscall_exit(success, return_code);
>>> 317 }
>>> 318 }
>>> 319 static inline struct filename *audit_reusename(const __user char
>>> *name)
>>> 320 {
>>> (gdb) l *rewind_stack_do_exit+0x17
>>> (gdb)
>>>
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs <r...@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
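One way to read the register dump in the report above, as an added example that is not part of the thread: the script decodes the instruction at the `<48>` marker on the `Code:` line and checks whether its base register plus displacement equals CR2. The sample lines are copied from the quoted 5.7 log with quote markers stripped and wrapped lines rejoined; the function names are made up for this example.

```python
import re

# Lines copied from the quoted 5.7 oops (quote markers stripped, wrapped lines rejoined).
OOPS = (
    "kernel: RIP: 0010:d_path+0x35/0x140\n"
    "kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54 24 04 65 48 8b 04 25 "
    "28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48 89 44 24 08 "
    "<48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18\n"
    "kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060 RCX: 00000000000004dd\n"
    "kernel: RDX: 000000000000100b RSI: ffff9a525f186000 RDI: 0000000000000000\n"
    "kernel: CR2: 0000000000000060 CR3: 0000000226ce6002 CR4: 00000000001606e0\n"
)
GPR = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]  # ModRM.rm order

def parse_registers(text):
    """Map register name to value for every 'NAME: <16 hex digits>' pair."""
    pairs = re.findall(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def faulting_load(text):
    """Decode the bytes at the <..> marker as 'mov r64, [base+disp8]'.

    Only REX.W + 8B /r with ModRM.mod == 01 and no SIB byte is handled (the
    form seen in this oops); anything else returns None.
    """
    code = re.search(r"Code: (.*)", text).group(1).split()
    i = next(k for k, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[i:i + 4]]
    if len(insn) < 4:
        return None
    rex, opcode, modrm, disp = insn
    rm = modrm & 7
    if (rex & 0xF8) != 0x48 or opcode != 0x8B or (modrm >> 6) != 1 or rm == 4:
        return None
    base = "R%02d" % (8 + rm) if rex & 1 else GPR[rm]  # REX.B selects R08-R15
    return base, (disp - 0x100 if disp >= 0x80 else disp)  # disp8 is signed

def triage(text):
    """Compare the decoded effective address with CR2 and flag a NULL base."""
    regs, load = parse_registers(text), faulting_load(text)
    if load is None or load[0] not in regs or "CR2" not in regs:
        return None
    base, disp = load
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {"base": base, "disp": disp, "base_value": regs[base], "cr2": regs["CR2"],
            "null_base": regs[base] == 0 and addr == regs["CR2"]}
```

For this oops the result names RDI as a zero base with displacement 0x60, matching CR2 and the `path->dentry->d_op` read that gdb shows at fs/d_path.c:275.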