Re: [PATCH ghak95] audit: Do not log full CWD path on empty relative paths

On Thu, Sep 13, 2018 at 10:13 AM Paul Moore <paul(a)paul-moore.com&gt; wrote: I just went back over the original problem, your proposed fix, and all of the discussion in this thread. Sadly, I don't think the patch you have proposed is the right fix. As Steve has pointed out, the CWD path is the working directory from which the current process was executed. I believe we should log the full path, or as complete a path as possible, in the nametype=CWD PATH records. While the nametype=PARENT PATH records have a connection with some of the other PATH records (e.g. DELETE and CREATE), the nametype=PARENT PATH records are independent of the current working directory, although they sometimes may be the same; in the cases where they are the same, this is purely a coincidence and is due to operation being performed, not something that should be seen as a flaw. PATH records, especially when it comes to the *at() syscalls, but no issue where the nametype=CWD PATH records have been wrong, is that correct? -- paul moore www.paul-moore.com