On Tuesday, November 20, 2018 10:48:20 AM EST Richard Guy Briggs wrote: > On 2018-11-20 09:17, Miklos Szeredi wrote: > > On Mon, Nov 19, 2018 at 11:59 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > The simple answer is that the audit PATH record format expects the four > > > cap_f* fields to be there and a best effort is being attempted to fill > > > in that information in an expected way with meaningful values. Perhaps > > > better to accept that it is unreasonable to expect any fcaps on any > > > umount operation and simply ignore those fields in the PATH record for > > > umount syscall events. > > > > When there's a mount there are in fact two objects belonging to the > > exact same path, each having completely independent metadata: the > > mount point and the root of the mount. For example: > > > > stat /mnt > > umount /mnt > > stat /mnt > > > > The first stat will show the root of the mount, the second one will > > show the mount point. > > Which one is the relevant for audit? > > It would be the root of the mount, the one that is visible to processes > in that mount namespace. > > Obviously, once that mount has been unmounted, it would be the mount > point (no longer in use as such at that point) that is of interest. > > On mounting, I'm guessing both would be of interest if the fcaps changed > for that process-visible path in that mount namespace, so this provides > an additional operation that would need recording aside from the case > of a simple attribute change. fcaps are on files. Mountpoints are directories. Would fcaps changes be possible? -Steve > > Not saying audit should be doing getxattr on any of them, just trying > > to see more clearly. > > > > Thanks, > > Miklos > > - RGB > > -- > Richard Guy Briggs <rgb@xxxxxxxxxx> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635
