linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: rename event has incorrect records #156

Open naugustine98 opened 6 months ago

naugustine98 commented 6 months ago

Old Behaviour

Environment

OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Coreutils: 8.22(24.el7_9.2)

Operation

mv nidhin2/somefile nidhin/

Audit Records

type=PROCTITLE msg=audit(02/14/2024 14:57:07.401:49382999) : proctitle=mv nidhin2/somefile nidhin/
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=3 name=nidhin/somefile inode=33755239 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=2 name=nidhin2/somefile inode=33755239 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=1 name=nidhin/ inode=16783749 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=0 name=nidhin2/ inode=33755238 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2024 14:57:07.401:49382999) :  cwd=/home/nid
type=SYSCALL msg=audit(02/14/2024 14:57:07.401:49382999) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=0xffffff9c a1=0x7fffc5a765b5 a2=0xffffff9c a3=0x205a8f0 items=4 ppid=6632 pid=12712 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts0 ses=307 comm=mv exe=/usr/bin/mv subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key={17032022-4b51-405d-87af-9eb3db337dfd}

New Behaviour

Environment

OS: Ubuntu 23.10 on AWS
Kernel: 6.5.0-1013-aws
Coreutils: 9.1-1ubuntu2.23.10.1

Operation

mv nidhin2/somefile nidhin/

Audit Records

type=PROCTITLE msg=audit(02/14/24 06:55:50.291:2869721) : proctitle=mv nidhin2/somefile nidhin/
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=3 name=somefile inode=286616 dev=ca:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=2 name=nidhin2/somefile inode=286616 dev=ca:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=1 name=nidhin2/ inode=286614 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=0 name=/home/ubuntu inode=286605 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/14/24 06:55:50.291:2869721) : cwd=/home/ubuntu
type=SYSCALL msg=audit(02/14/24 06:55:50.291:2869721) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=AT_FDCWD a1=0x7ffec9b43765 a2=0x3 a3=0x561d516fad67 items=4 ppid=2039987 pid=2039990 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts14 ses=346 comm=mv exe=/usr/bin/mv subj=unconfined key={17032022-4b51-405d-87af-9eb3db337dfd}

Issues in New Behaviour

  1. The source's parent is coming as second path item instead of coming as first
  2. Instead of the target's parent, we get the current directory

Maybe these issues are there because the new version of coreutils changed the way in which rename is performed (instead of the rename syscall being given the whole target path, the target's parent directory is opened and the fd is given to it).

Old coreutils:

renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/", RENAME_NOREPLACE) = -1 EEXIST (File exists)
newfstatat(AT_FDCWD, "nidhin/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/somefile", RENAME_NOREPLACE) = 0

New coreutils:

renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/", RENAME_NOREPLACE) = -1 EEXIST (File exists)
openat(AT_FDCWD, "nidhin/", O_RDONLY|O_PATH|O_DIRECTORY) = 3
renameat2(AT_FDCWD, "nidhin2/somefile", 3, "somefile", RENAME_NOREPLACE) = 0
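As an added example (not the issue author's or the audit project's code), a small Python parser for ausearch -i style records that reconstructs the source and target of a rename event and flags the situation described above, where the target name is bare, the newdirfd is not AT_FDCWD, and the PARENT record shows the CWD, so the target cannot be resolved from the event alone. The sample event is constructed from the new-behaviour records above, trimmed to the fields the parser uses.

```python
import os
import re

# Constructed sample: the "new behaviour" event above, trimmed to the fields
# this example needs (ausearch -i layout, one record per line).
NEW_EVENT = """\
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=3 name=somefile inode=286616 nametype=CREATE
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=2 name=nidhin2/somefile inode=286616 nametype=DELETE
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=1 name=nidhin2/ inode=286614 nametype=PARENT
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=0 name=/home/ubuntu inode=286605 nametype=PARENT
type=CWD msg=audit(02/14/24 06:55:50.291:2869721) : cwd=/home/ubuntu
type=SYSCALL msg=audit(02/14/24 06:55:50.291:2869721) : syscall=renameat2 success=yes a0=AT_FDCWD a2=0x3 items=4
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
AT_FDCWD = {"AT_FDCWD", "0xffffff9c"}  # interpreted form, and raw -100 as the older ausearch prints it

def parse_event(text):
    """Split one ausearch -i event into its cwd, SYSCALL fields and PATH items."""
    ev = {"paths": [], "cwd": "/", "syscall": {}}
    for line in text.splitlines():
        head, _, body = line.partition(" : ")
        rtype = dict(FIELD_RE.findall(head)).get("type")
        fields = dict(FIELD_RE.findall(body))
        if rtype == "PATH":
            ev["paths"].append(fields)
        elif rtype in ("CWD", "SYSCALL"):
            ev[rtype.lower()] = fields["cwd"] if rtype == "CWD" else fields
    return ev

def _absolute(name, cwd):
    return os.path.normpath(name if name.startswith("/") else os.path.join(cwd, name))

def rename_view(ev):
    """Reconstruct what a rename event moved and whether the records say where to.
    target is None when unresolvable; target_parent_known says a PARENT record names its directory."""
    cwd, sc = ev["cwd"], ev["syscall"]
    items = {p["nametype"]: p for p in ev["paths"]}  # DELETE and CREATE occur once each
    parents = {_absolute(p["name"], cwd) for p in ev["paths"] if p["nametype"] == "PARENT"}
    src, dst = items.get("DELETE"), items.get("CREATE")
    view = {"source": _absolute(src["name"], cwd) if src else None, "target": None,
            "target_parent_known": False, "same_inode": bool(src and dst and src["inode"] == dst["inode"])}
    # The new name is logged as passed to the syscall: a relative name with a dirfd other than
    # AT_FDCWD is relative to that fd, yet the PARENT records only show the CWD, so stop there.
    cwd_relative = sc.get("syscall") == "rename" or sc.get("a2") in AT_FDCWD
    if dst and (dst["name"].startswith("/") or cwd_relative):
        view["target"] = _absolute(dst["name"], cwd)
        view["target_parent_known"] = os.path.dirname(view["target"]) in parents
    return view
```

The same-inode check still lets a collector tie the DELETE and CREATE items to one file even when the target directory is unknown, which is the useful residue of such an event.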

naugustine98 commented 6 months ago

Machine where old (correct) behavior was tested
OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Coreutils: 8.22(24.el7_9.2)

Machine where new (incorrect) behavior was tested
OS: Ubuntu 23.10 on AWS
Kernel: 6.5.0-1013-aws
Coreutils: 9.1-1ubuntu2.23.10.1