From: Paul Moore
Subject: Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths
Date: Tue, 6 Nov 2018 15:19:03 -0500
Message-ID:
References: <20180802114436.1209-1-omosnace@redhat.com>
In-Reply-To:
To: omosnace@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek wrote:
> On Tue, Nov 6, 2018 at 12:30 AM Paul Moore wrote:
> > Let's reset this discussion a bit ... if we abolish relative paths and
> > make everything absolute, is there even a need to log PARENT?
>
> If there ever was such need, then this won't change when we switch to
> absolute paths. The PATH records contain some fields (inode, dev, obj,
> ...) that can be different for the child and parent and I would say
> this is the only new information that the PARENT records provide
> over the corresponding CREATE/DELETE records.

Sigh. Of course the inode information is going to be different between
the object in question and the parent, they are different filesystem
objects.

Ask yourself the bigger question: does the PARENT record provide me any
security relevant information related to the filesystem object that is
being accessed? With the messed up state of path name auditing, the
PARENT records are useful when trying to recreate the full path used by
the process to access a given filesystem object (transient as it may
be, the path name can still be useful after the fact). If we switch to
always recording absolute path names, why do we care about recording
the PARENT filesystem object at all (both the path and the inode
information)?

-- 
paul moore
www.paul-moore.com
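The point under discussion, as an added illustration that is not part of the thread or of the kernel audit code: with relative names, a consumer needs the CWD record plus the PARENT and CREATE PATH records to rebuild the absolute path, and once the child path is absolute the parent's path is derivable from it, leaving only the parent's own inode/dev as information the PARENT record adds. The audit event below is constructed for the example; field layout follows the usual `type=... msg=audit(...)` record syntax.

```python
import os
import re

# Constructed sample event for "touch src/notes.txt" run from /home/alice/project
# (not a real capture; field values are made up).
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1541534343.123:456): arch=c000003e syscall=257 success=yes exit=3 comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1541534343.123:456): cwd="/home/alice/project"
type=PATH msg=audit(1541534343.123:456): item=0 name="src/" inode=1001 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1541534343.123:456): item=1 name="src/notes.txt" inode=1002 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def resolve_paths(event_text):
    """Map nametype -> (absolute_path, inode, dev) for every PATH record in one
    event, resolving relative names against the event's CWD record."""
    cwd = None
    paths = {}
    for line in event_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "CWD":
            cwd = rec["cwd"]
        elif rec.get("type") == "PATH":
            name = rec["name"]
            if name.startswith("/"):
                absolute = os.path.normpath(name)
            elif cwd is None:
                raise ValueError("relative PATH name without a preceding CWD record")
            else:
                absolute = os.path.normpath(os.path.join(cwd, name))
            paths[rec["nametype"]] = (absolute, rec["inode"], rec["dev"])
    return paths


def parent_extra_info(paths):
    """Report what PARENT carries beyond the CREATE record: once the child path
    is absolute, the parent's path is just its dirname; only inode/dev are new."""
    child_path, _, _ = paths["CREATE"]
    parent_path, parent_inode, parent_dev = paths["PARENT"]
    return {
        "path_recoverable_from_child": os.path.dirname(child_path) == parent_path,
        "inode": parent_inode,
        "dev": parent_dev,
    }
```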