Discussion:
use openat to create a file, then audit log can't show the full path name ?
Add Reply
l***@gmail.com
2018-12-04 01:06:17 UTC
Reply
Permalink
Hi Guys,

I tried to use code like the following to create a file and I am wathcing /data/Documents: 

# auditctl -l
-w /data/Documents -p rwa

my_open(const char *path, int flags, mode_t mode)
{
char *new = strdup(path);
char *p;
const char *last;
int dirfd, lastfd;
int fd = -1;

dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);

for (last = new + 1; (p = strchr(last, '/')); last = p)
{
while (*p == '/')
*p++ = '\0';
dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
close(lastfd);
if (dirfd < 0)
break;
lastfd = dirfd;
}
if (dirfd >= 0)
{
fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
close(dirfd);
}

then get audit logs like: 
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) :  cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) :  cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)

so looks like I can't get the full path /data/Documents/test-safeopen.txt,  audit can't remember the path in item 0 ?

Thanks.
Steve Grubb
2018-12-04 01:11:26 UTC
Reply
Permalink
Post by l***@gmail.com
Hi Guys,
I tried to use code like the following to create a file and I am wathcing
# auditctl -l
-w /data/Documents -p rwa
my_open(const char *path, int flags, mode_t mode)
{
char *new = strdup(path);
char *p;
const char *last;
int dirfd, lastfd;
int fd = -1;
dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
for (last = new + 1; (p = strchr(last, '/')); last = p)
{
while (*p == '/')
*p++ = '\0';
dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
close(lastfd);
if (dirfd < 0)
break;
lastfd = dirfd;
}
if (dirfd >= 0)
{
fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
close(dirfd);
}
----
proctitle=./test-sscanf type=PATH msg=audit(12/04/2018 08:57:28.750:6495)
: item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest
ogid=guest rdev=00:00 nametype=NORMAL type=CWD msg=audit(12/04/2018
08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64
syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016
a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf
exe=/root/test-sscanf key=(null) ----
proctitle=./test-sscanf type=PATH msg=audit(12/04/2018 08:57:28.750:6496)
: item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664
ouid=root ogid=root rdev=00:00 nametype=CREATE type=PATH
msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256
dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64
syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020
a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411
pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf
exe=/root/test-sscanf key=(null)
so looks like I can't get the full path /data/Documents/test-safeopen.txt,
audit can't remember the path in item 0 ?
This is :
https://github.com/linux-audit/audit-kernel/issues/9

We were just discussing something that is sort of related. So, maybe there
will be some updates on this soonish.

-Steve

Loading...