On Mon, Nov 19, 2018 at 11:59 PM Richard Guy Briggs <r...@redhat.com> wrote:
> The simple answer is that the audit PATH record format expects the four > cap_f* fields to be there and a best effort is being attempted to fill > in that information in an expected way with meaningful values. Perhaps > better to accept that it is unreasonable to expect any fcaps on any > umount operation and simply ignore those fields in the PATH record for > umount syscall events. When there's a mount there are in fact two objects belonging to the exact same path, each having completely independent metadata: the mount point and the root of the mount. For example: stat /mnt umount /mnt stat /mnt The first stat will show the root of the mount, the second one will show the mount point. Which one is the relevant for audit? Not saying audit should be doing getxattr on any of them, just trying to see more clearly. Thanks, Miklos -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
