From: Paul Moore <paul@paul-moore.com>
To: omosnace@redhat.com
Cc: rgb@redhat.com, linux-audit@redhat.com
Subject: Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths
Date: Tue, 18 Sep 2018 21:35:25 -0400
Message-ID: <CAHC9VhQuvqjErN42PiXzcwY=bYdeKTOaN65MrJ8Wx=+w-=KHAg@mail.gmail.com>
In-Reply-To: <CAHC9VhTbqySFegm_SdC7p5+r5-ct88BGYqWan0W=O+P4ydg2vg@mail.gmail.com>

On Thu, Sep 13, 2018 at 10:13 AM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Sep 13, 2018 at 9:58 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > Paul, could you please answer this question so I can move forward? :)
>
> Yep, sorry for the delay ...

I just went back over the original problem, your proposed fix, and all
of the discussion in this thread.

Sadly, I don't think the patch you have proposed is the right fix.

As Steve has pointed out, the CWD path is the working directory from
which the current process was executed.  I believe we should log the
full path, or as complete a path as possible, in the nametype=CWD PATH
records.  While the nametype=PARENT PATH records have a connection
with some of the other PATH records (e.g. DELETE and CREATE), the
nametype=PARENT PATH records are independent of the current working
directory, although they sometimes may be the same; in the cases where
they are the same, this is purely a coincidence and is due to the
operation being performed, not something that should be seen as a
flaw.

From what I can tell, there are issues involving the nametype=PARENT
PATH records, especially when it comes to the *at() syscalls, but no
issue where the nametype=CWD PATH records have been wrong, is that
correct?

-- 
paul moore
www.paul-moore.com
