1296660 – RFE: audit of *at syscalls

Bug 1296660 - RFE: audit of *at syscalls

Summary: RFE: audit of *at syscalls

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Paul Moore
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1296661 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-07 19:07 UTC by Steve Grubb
Modified:	2016-06-02 19:41 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-06-02 19:41:47 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Steve Grubb 2016-01-07 19:07:16 UTC

Description of problem:
For the *at syscalls, can we get the path from the FD being passed as an argument to be able to reconstruct what is being accessed? (Readlink in /proc/<pid>/fds/# shows the path, why can't this go into the record? We may need a new auxiliary record type since this is neither the cwd or path.

This would be a big help since openat is used a lot.

Comment 1 Paul Moore 2016-01-12 16:57:30 UTC

*** Bug 1296661 has been marked as a duplicate of this bug. ***

Comment 2 Paul Moore 2016-04-06 23:52:25 UTC

Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/9

Comment 3 Paul Moore 2016-06-02 19:41:47 UTC

Closing this as we are tracking upstream RFEs on GitHub now, see the link in comment #2.

Note You need to log in before you can comment on or make changes to this bug.