On Thu, Sep 13, 2018 at 10:13 AM Paul Moore <[email protected]> wrote:
> On Thu, Sep 13, 2018 at 9:58 AM Ondrej Mosnacek <[email protected]> wrote:
> > Paul, could you please answer this question so I can move forward? :)
>
> Yep, sorry for the delay ...

I just went back over the original problem, your proposed fix, and all of the discussion in this thread. Sadly, I don't think the patch you have proposed is the right fix.

As Steve has pointed out, the CWD path is the working directory from which the current process was executed. I believe we should log the full path, or as complete a path as possible, in the nametype=CWD PATH records. While the nametype=PARENT PATH records have a connection with some of the other PATH records (e.g. DELETE and CREATE), the nametype=PARENT PATH records are independent of the current working directory, although they sometimes may be the same; in the cases where they are the same, this is purely a coincidence and is due to the operation being performed, not something that should be seen as a flaw.

From what I can tell, there are issues involving the nametype=PARENT PATH records, especially when it comes to the *at() syscalls, but no issue where the nametype=CWD PATH records have been wrong, is that correct?

--
paul moore
www.paul-moore.com
