DO NOT SUBMIT UPSTREAM
fix: audit.log can't record correctly when rm the dir end with '/'

step:
1. mkdir test
2. touch test/111.txt
3. rm -r test/

Log:
type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0
type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0

Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a
Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at audit@vger.kernel.org. Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help.
623d51c to 459d748
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?
I'm sorry, I can't submit this PR; you can submit this PR instead, tks.
At 2024-02-15 00:05:48, "Paul Moore" ***@***.***> wrote:
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?
Hi @pcmoore, I'm writing to you on behalf of my former colleague, @hqh2010, who reported a bug in kernel audit. The bug was discovered when a customer called the kernel audit function in the UnionTechOS distribution. @hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible. I will also include @hqh2010's name in the commit msg. Thanks for your time. Best regards, WangYuli.
That would be great, thank you @Avenger-285714 (and @hqh2010)!
@pcmoore Exactly the same behavior on RHEL 8.7 as well with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64. Is there any workaround to get it sorted?
Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream. However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub.

7bbb771 to 6484839
When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by cleaning the input and passing the correct filename to audit_compare_dname_path().

Steps to reproduce the issue:

  # auditctl -w /tmp
  $ mkdir /tmp/foo
  $ rm -r /tmp/foo/ or rmdir /tmp/foo/
  # ausearch -i | grep PATH | tail -3

This patch is based on a GitHub patch/PR by user @hqh2010.
linux-audit/audit-kernel#148

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Just for the record, this issue/PR has been addressed upstream via [PATCH v2] audit: fix suffixed '/' filename matching in __audit_inode_child()
When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path().

Steps to reproduce the issue:

  # auditctl -w /tmp
  $ mkdir /tmp/foo
  $ rm -r /tmp/foo/
  # ausearch -i | grep PATH | tail -3

The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1].

Link: linux-audit/audit-kernel#148 [1]
Suggested-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>

When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path().

Steps to reproduce the issue:

  # auditctl -w /tmp
  $ mkdir /tmp/foo
  $ rm -r /tmp/foo/
  # ausearch -i | grep PATH | tail -3

The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1].

Link: #148 [1]
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
[PM: subject tweak, trim old metadata]
Signed-off-by: Paul Moore <paul@paul-moore.com>

When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path().

Steps to reproduce the issue:

  # auditctl -w /tmp
  $ mkdir /tmp/foo
  $ rm -r /tmp/foo/
  # ausearch -i | grep PATH | tail -3

The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1].

Link: linux-audit/audit-kernel#148 [1]
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
[PM: subject tweak, trim old metadata]
Signed-off-by: Paul Moore <paul@paul-moore.com>

JIRA: https://issues.redhat.com/browse/RHEL-78967
JIRA: https://issues.redhat.com/browse/RHEL-90107

This patch is a backport of the following upstream commit:

commit e92eebb
Author: Ricardo Robaina <rrobaina@redhat.com>
Date:   Fri Nov 22 09:18:43 2024 -0300

    audit: fix suffixed '/' filename matching

    When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

    type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
    type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

    It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path().

    Steps to reproduce the issue:

      # auditctl -w /tmp
      $ mkdir /tmp/foo
      $ rm -r /tmp/foo/
      # ausearch -i | grep PATH | tail -3

    The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1].

    Link: linux-audit/audit-kernel#148 [1]
    Suggested-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
    Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
    [PM: subject tweak, trim old metadata]
    Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>

JIRA: https://issues.redhat.com/browse/RHEL-78968
JIRA: https://issues.redhat.com/browse/RHEL-90106

This patch is a backport of the following upstream commit:

commit e92eebb
Author: Ricardo Robaina <rrobaina@redhat.com>
Date:   Fri Nov 22 09:18:43 2024 -0300

    audit: fix suffixed '/' filename matching

    When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

    type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
    type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

    It happens because the value of the variables dname and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by handling pathname's trailing slashes in audit_compare_dname_path().

    Steps to reproduce the issue:

      # auditctl -w /tmp
      $ mkdir /tmp/foo
      $ rm -r /tmp/foo/
      # ausearch -i | grep PATH | tail -3

    The first version of this patch was based on a GitHub patch/PR by user @hqh2010 [1].

    Link: linux-audit/audit-kernel#148 [1]
    Suggested-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
    Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
    [PM: subject tweak, trim old metadata]
    Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
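To make the corner case in the commit messages above concrete, here is an added user-space model (not the kernel's own code and not part of this PR) of the parent-length computation and the dname-versus-pathname comparison, with the pre-fix behaviour beside the fixed one. The function names, the parent_len() model and the sample paths are assumptions for illustration.

```c
/* Added example (a user-space model, not the kernel's code) of how audit matches
 * a deleted child's dentry name (dname) against the syscall's pathname. */
#include <stdio.h>
#include <string.h>
/* Model of parent_len(): length of the parent part of path, ignoring trailing
 * slashes. "/tmp/foo/" -> 5 ("/tmp/"), "test/" -> 0 (no parent component). */
static size_t parent_len(const char *path)
{
    size_t plen = strlen(path);
    const char *p;
    if (plen == 0)
        return 0;
    p = path + plen - 1;
    while (*p == '/' && p > path)   /* disregard trailing slashes */
        p--;
    while (*p != '/' && p > path)   /* back up to the previous slash */
        p--;
    return *p == '/' ? (size_t)(p - path + 1) : 0;
}

/* Pre-fix comparison: the bytes after the parent must be exactly dname, so
 * "/tmp/foo/" leaves "foo/" (4) vs "foo" (3) and nothing matches: name=(null).
 * Returns 0 on match, non-zero otherwise, like strncmp(). */
static int compare_dname_path_old(const char *dname, const char *path)
{
    size_t dlen = strlen(dname), plen = strlen(path), parentlen = parent_len(path);
    if (plen < dlen || plen - parentlen != dlen)
        return 1;
    return strncmp(path + parentlen, dname, dlen);
}
/* Fixed comparison (the approach the commit messages describe): drop trailing
 * slashes from the child component before comparing length and bytes. */
static int compare_dname_path_new(const char *dname, const char *path)
{
    size_t dlen = strlen(dname), plen = strlen(path), parentlen = parent_len(path);
    if (plen < dlen)
        return 1;
    while (plen > parentlen && path[plen - 1] == '/')
        plen--;
    if (plen - parentlen != dlen)
        return 1;
    return strncmp(path + parentlen, dname, dlen);
}

int main(void)
{
    printf("old: %d new: %d\n", compare_dname_path_old("foo", "/tmp/foo/"),
           compare_dname_path_new("foo", "/tmp/foo/"));
    return 0;
}
```

With the old comparison, `rm -r /tmp/foo/` produces a length mismatch and the child name is never attached to the PATH record; stripping the trailing slashes restores the match.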