l***@gmail.com
2018-12-04 01:06:17 UTC
Hi Guys,
I tried to use code like the following to create a file and I am wathcing /data/Documents:
# auditctl -l
-w /data/Documents -p rwa
my_open(const char *path, int flags, mode_t mode)
{
char *new = strdup(path);
char *p;
const char *last;
int dirfd, lastfd;
int fd = -1;
dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
for (last = new + 1; (p = strchr(last, '/')); last = p)
{
while (*p == '/')
*p++ = '\0';
dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
close(lastfd);
if (dirfd < 0)
break;
lastfd = dirfd;
}
if (dirfd >= 0)
{
fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
close(dirfd);
}
then get audit logs like:
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
so looks like I can't get the full path /data/Documents/test-safeopen.txt, audit can't remember the path in item 0 ?
Thanks.
I tried to use code like the following to create a file and I am wathcing /data/Documents:
# auditctl -l
-w /data/Documents -p rwa
my_open(const char *path, int flags, mode_t mode)
{
char *new = strdup(path);
char *p;
const char *last;
int dirfd, lastfd;
int fd = -1;
dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
for (last = new + 1; (p = strchr(last, '/')); last = p)
{
while (*p == '/')
*p++ = '\0';
dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
close(lastfd);
if (dirfd < 0)
break;
lastfd = dirfd;
}
if (dirfd >= 0)
{
fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
close(dirfd);
}
then get audit logs like:
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
so looks like I can't get the full path /data/Documents/test-safeopen.txt, audit can't remember the path in item 0 ?
Thanks.