On Fri, Aug 9, 2024 at 10:21 AM Jeff Layton <jlayton@xxxxxxxxxx> wrote: > On Thu, 2024-08-08 at 21:22 -0400, Paul Moore wrote: > > On Thu, Aug 8, 2024 at 8:33 PM Jeff Layton <jlayton@xxxxxxxxxx> > > wrote: ... > > > The question here is about the case where O_CREAT is set, but the > > > file > > > already exists. Nothing is being created in that case, so do we > > > need to > > > emit an audit record for the parent? > > > > As long as the full path information is present in the existing > > file's > > audit record it should be okay. > > O_CREAT is ignored when the dentry already exists, so doing the same > thing that we do when O_CREAT isn't set seems reasonable. > > We do call this in do_open, which would apply in this case: > > if (!(file->f_mode & FMODE_CREATED)) > audit_inode(nd->name, nd->path.dentry, 0); > > That should have the necessary path info. If that's the case, then I > think Christian's cleanup series on top of mine should be OK. I think > that the only thing that would be missing is the AUDIT_INODE_PARENT > record for the directory in the case where the dentry already exists, > which should be superfluous. > > ISTR that Red Hat has a pretty extensive testsuite for audit. We might > want to get them to run their tests on Christian's changes to be sure > there are no surprises, if they are amenable. I believe you are thinking of the audit-test project, which started as a community effort to develop a test suite suitable for the popular Common Criteria protection profiles of the time (of which auditing was an important requirement). Unfortunately, after a couple rounds of certifications I couldn't get the various companies involved to continue to maintain the public test suite anymore, so everyone went their own way with private forks. I have no idea if the community project still works, but someone at IBM/RH should have a recent~ish version that either runs on a modern system or is close to it. FWIW, the dead/dormant community project can be found at the link below (yes, that is a sf.net link): https://sourceforge.net/projects/audit-test It's been a while since I've been at RH, so I'm not sure if my test/QA contacts are still there, but if you don't have a contact at IBM/RH Jeff let me know and I can try to reach out. -- paul-moore.com
