On Mon, Sep 23, 2024 at 08:11:51PM -0400, Paul Moore wrote: > > * get rid of the "repeated getname() on the same address is going to > > give you the same object" - that can't be relied upon without audit, for one > > thing and for another... having a syscall that takes two pathnames that gives > > different audit log (if not predicate evaluation) in cases when those are > > identical pointers vs. strings with identical contenst is, IMO, somewhat > > undesirable. That kills filename->uaddr. > > /uaddr/uptr/ if I'm following you correctly, but yeah, that all seems good. BTW, what should we do when e.g. mkdir(2) manages to get to the parent, calls audit_inode() to memorize that one and then gets -ESTALE from nfs_mkdir()? We repeat the pathwalk, this time with LOOKUP_REVAL (i.e. make sure to ask the server about each NFS directory we are visiting, even if it had been seen recently) and arrive to a different directory, which is not stale and where subdirectory creation succeeds. The thing is, we call audit_inode(...., AUDIT_INODE_PARENT) twice. With the same name, but with different inodes. Should we log both, or should the latter call cannibalize the audit_names instance from the earlier?
