BUG: incorrect PARENT path when removing a folder with files #133
Comments
pcmoore
changed the title
|
Thanks for the report @Davack. What kernel were you running when you observed this? This is just a guess, but it looks like it is using $CWD in place of the proper directory, "/tmp/test" in your example. Is this something you think you might be able to work on resolving, or are you simply reporting a problem? |
Actually, I will have some free time to submit a pull request next week, I will try to track down the relevant code path for this issue :) |
|
That's great, thanks @Davack! |
|
We've done some work to analyze the issue. The parent directory path is added to the audit context names_list in the context of Notice The function Inside n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;is resolved as folows: Then in /* name was specified as a relative path and the
* directory component is the cwd
*/
if (context->pwd.dentry && context->pwd.mnt)
audit_log_d_path(ab, " name=", &context->pwd);
else
audit_log_format(ab, " name=(null)");
break;And we get the It seems that auditd needs to make sure it resolves the full parent path either before, or inside I'm not proficient enough in the the kernel code, to make a PR independently, but I'm willing to do it if assisted. |
|
Hi @sirotnikov, thanks for taking the time to debug this and write up your findings! I'm still thinking a bit about the problem and what some of our options might be, but before I spend too much time on that I wanted to ask if you have a desire to work on a fix for this? You mentioned being willing, but I realize that sometimes there is an important difference between being willing to do something and wanting to do something ;) I'm very happy to get more people involved in kernel development, so if you want to work on a fix for this I'll do whatever I can to help, just let me know. However, if you would rather defer to someone else, that's fine too; you've already been a big help in finding the cause of the problem. |
|
Hey @pcmoore |
|
Hi @sirotnikov, no worries, I think we all understand what it is like to juggle multiple commitments. Why don't you go ahead and work on this, as you are comfortable, and let us know if you have any questions. If we run into a serious or immediate need to get this finished we can always be in touch and perhaps finish up the work collaboratively. How does that sound? I'd rather get more people involved in audit kernel development than a quick fix ;) |
|
So, let's discuss possible directions for solution. My feeling is that a correct resolution would be to fix I'm not familiar enough with the kernel methods, nor with the role of Also, if there are resources for setting up a dev environment / tests etc, I'd appreciate a reference |
Hi,
While I was working around AuditD, I encountered an interesting bug when removing a folder the files within the folder are reported with the incorrect
PARENTnameproperty.Repro:
Creating folder with five files inside
mkdir /tmp/testtouch /tmp/1touch /tmp/2touch /tmp/3touch /tmp/4touch /tmp/5Removing the folder
rm -rf /tmp/testAuditD log:
You can notice that AuditD reporting
unlinkatsyscall for each of the files but if you look at thePARENTrecord of each of those deletions you can see that thenameproperty is set to CWD (/home/davlevi) instead of the real parent folder (/tmp/test), you can even see that inode number of the parent (917526) is the correct inode of/tmp/testso onlynameproperty is incorrect.Thanks in advance,
David.
The text was updated successfully, but these errors were encountered: