From: Ondrej Mosnacek
Subject: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths
Date: Thu, 2 Aug 2018 13:44:36 +0200
Message-ID: <20180802114436.1209-1-omosnace@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs
List-Id: linux-audit@redhat.com

When a relative path has just a single component and we want to emit a
nametype=PARENT record, the current implementation just reports the full
CWD path (which is already available in the audit context). This is wrong
for three reasons:

1. Wasting log space for redundant data (CWD path is already in the CWD
   record).
2. Inconsistency with other PATH records (if a relative PARENT directory
   path contains at least one component, only the verbatim relative path
   is logged).
3. In some syscalls (e.g. openat(2)) the relative path may not even be
   relative to the CWD, but to another directory specified as a file
   descriptor. In that case the logged path is simply plain wrong.

This patch modifies this behavior to simply report "." in the
aforementioned case, which is equivalent to an "empty" directory path and
can be concatenated with the actual base directory path (CWD or dirfd
from openat(2)-like syscall) once support for its logging is added later.
In the meantime, defaulting to CWD as base directory on relative paths
(as already done by the userspace tools) will be enough to achieve
results equivalent to the current behavior.

See: https://github.com/linux-audit/audit-kernel/issues/95
Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change events")
Signed-off-by: Ondrej Mosnacek
---
 kernel/audit.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..4f18bd48eb4b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2127,28 +2127,27 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, audit_log_format(ab, "item=%d", record_num); + audit_log_format(ab, " name="); if (path) - audit_log_d_path(ab, " name=", path); + audit_log_d_path(ab, NULL, path); else if (n->name) { switch (n->name_len) { case AUDIT_NAME_FULL: /* log the full path */ - audit_log_format(ab, " name="); audit_log_untrustedstring(ab, n->name->name); break; case 0: /* name was specified as a relative path and the * directory component is the cwd */ - audit_log_d_path(ab, " name=", &context->pwd); + audit_log_untrustedstring(ab, "."); break; default: /* log the name's directory component */ - audit_log_format(ab, " name="); audit_log_n_untrustedstring(ab, n->name->name, n->name_len); } } else - audit_log_format(ab, " name=(null)"); + audit_log_format(ab, "(null)"); if (n->ino != AUDIT_INO_UNSET) audit_log_format(ab, " inode=%lu"
-- 
2.17.1
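Review bot: the comment left in the `case 0:` branch, "name was specified as a relative path and the directory component is the cwd", no longer describes what the branch does and contradicts the commit message, which says that for openat(2)-like calls the base may be a dirfd rather than the cwd; now that the branch emits "." instead of context->pwd, reword it to say that the directory component is the base directory (cwd or dirfd) and that "." is logged as a placeholder for it. In the same hunk, the `if (path)` branch now calls `audit_log_d_path(ab, NULL, path)` where it used to pass " name=", so please confirm that audit_log_d_path() tolerates a NULL prefix; if it does not, the prefix has to stay there.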
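Added example, not code from this patch or from the audit userspace tools: a small C log consumer that resolves the name= of each PATH record against the cwd= of the event's CWD record, defaulting to the CWD as base directory for relative names as the commit message says the tools already do, and treating the "." this patch makes the kernel emit as the base directory itself. It also shows that the pre-patch output (the full CWD path as name) resolves to the same result, which is the equivalence the message relies on. The records, the function names and the AUDIT_MAXPATH limit are constructed for the example.

```c
/* Added example (not part of the patch or of the audit userspace tools):
 * resolving PATH record names against the CWD record of the same event.
 * Records, names and limits below are constructed for the example. */
#include <stdio.h>
#include <string.h>

#define AUDIT_MAXPATH 4096

/* Copy the double-quoted value of key=... from an audit record into out.
 * Returns 0 on success, -1 if the key is absent or its value is not
 * quoted (the kernel hex-encodes names containing unprintable bytes). */
static int audit_get_quoted(const char *rec, const char *key,
                            char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        /* accept only whole keys: "name=" must not match "nametype=" */
        if ((p == rec || p[-1] == ' ') && p[klen] == '=' &&
            p[klen + 1] == '"') {
            const char *start = p + klen + 2;
            const char *end = strchr(start, '"');

            if (end == NULL || (size_t)(end - start) >= outsz)
                return -1;
            memcpy(out, start, (size_t)(end - start));
            out[end - start] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Join a PATH name with its base directory (cwd= of the CWD record).
 * "." or "" (this patch's output for a single-component relative PARENT)
 * resolves to the base itself; absolute names are copied unchanged. */
static int audit_resolve_name(const char *base, const char *name,
                              char *out, size_t outsz)
{
    size_t blen = strlen(base);
    const char *sep = (blen > 0 && base[blen - 1] == '/') ? "" : "/";
    int n;

    if (name[0] == '/')
        n = snprintf(out, outsz, "%s", name);
    else if (name[0] == '\0' || strcmp(name, ".") == 0)
        n = snprintf(out, outsz, "%s", base);
    else
        n = snprintf(out, outsz, "%s%s%s", base, sep, name);

    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Returns 1 if name resolves against base to exactly expected. */
static int audit_name_resolves_to(const char *base, const char *name,
                                  const char *expected)
{
    char buf[AUDIT_MAXPATH];

    return audit_resolve_name(base, name, buf, sizeof(buf)) == 0 &&
           strcmp(buf, expected) == 0;
}

/* Constructed event: openat(AT_FDCWD, "Makefile", ...) from /home/user/src
 * as logged with this patch applied (item 0 is the PARENT record that
 * used to carry the full cwd path). */
static const char *const sample_event[] = {
    "type=CWD msg=audit(1533210276.123:456): cwd=\"/home/user/src\"",
    "type=PATH msg=audit(1533210276.123:456): item=0 name=\".\" inode=1234 dev=fd:01 mode=040755 nametype=PARENT",
    "type=PATH msg=audit(1533210276.123:456): item=1 name=\"Makefile\" inode=1235 dev=fd:01 mode=0100644 nametype=NORMAL",
};
#define SAMPLE_NRECS (sizeof(sample_event) / sizeof(sample_event[0]))

/* Resolve every PATH record of one event against its CWD record. Returns
 * the number of paths written to out, or -1 if the CWD record is missing
 * or a name could not be parsed or joined. */
static int audit_resolve_event(const char *const *recs, size_t nrecs,
                               char out[][AUDIT_MAXPATH], size_t maxout)
{
    char cwd[AUDIT_MAXPATH], name[AUDIT_MAXPATH];
    size_t i, count = 0;
    int have_cwd = 0;

    for (i = 0; i < nrecs; i++) {
        if (strncmp(recs[i], "type=CWD ", 9) == 0 &&
            audit_get_quoted(recs[i], "cwd", cwd, sizeof(cwd)) == 0)
            have_cwd = 1;
    }
    if (!have_cwd)
        return -1;

    for (i = 0; i < nrecs && count < maxout; i++) {
        if (strncmp(recs[i], "type=PATH ", 10) != 0)
            continue;
        if (audit_get_quoted(recs[i], "name", name, sizeof(name)) != 0 ||
            audit_resolve_name(cwd, name, out[count], AUDIT_MAXPATH) != 0)
            return -1;
        count++;
    }
    return (int)count;
}

/* Resolved path of the idx-th PATH record of sample_event, or NULL. */
static const char *audit_resolve_sample(size_t idx)
{
    static char out[SAMPLE_NRECS][AUDIT_MAXPATH];
    int n = audit_resolve_event(sample_event, SAMPLE_NRECS, out, SAMPLE_NRECS);

    return (n > 0 && idx < (size_t)n) ? out[idx] : NULL;
}

int main(void)
{
    size_t i;

    for (i = 0; audit_resolve_sample(i) != NULL; i++)
        printf("item=%zu -> %s\n", i, audit_resolve_sample(i));
    return 0;
}
```

Because absolute names pass through untouched, a consumer written this way produces "/home/user/src" for item 0 whether the kernel logged name="/home/user/src" (before the patch) or name="." (after it); only the CWD-as-base assumption has to be revisited once the dirfd base is logged for openat(2)-like calls.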