On 2018-11-20 09:17, Miklos Szeredi wrote: > On Mon, Nov 19, 2018 at 11:59 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > The simple answer is that the audit PATH record format expects the four > > cap_f* fields to be there and a best effort is being attempted to fill > > in that information in an expected way with meaningful values. Perhaps > > better to accept that it is unreasonable to expect any fcaps on any > > umount operation and simply ignore those fields in the PATH record for > > umount syscall events. > > When there's a mount there are in fact two objects belonging to the > exact same path, each having completely independent metadata: the > mount point and the root of the mount. For example: > > stat /mnt > umount /mnt > stat /mnt > > The first stat will show the root of the mount, the second one will > show the mount point. > Which one is the relevant for audit? It would be the root of the mount, the one that is visible to processes in that mount namespace. Obviously, once that mount has been unmounted, it would be the mount point (no longer in use as such at that point) that is of interest. On mounting, I'm guessing both would be of interest if the fcaps changed for that process-visible path in that mount namespace, so this provides an additional operation that would need recording aside from the case of a simple attribute change. > Not saying audit should be doing getxattr on any of them, just trying > to see more clearly. > > Thanks, > Miklos - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
