Re: linux-audit: reconstruct path names from syscall events?

On Tue, Oct 09, 2012 at 04:09:18PM -0700, Mark Moseley wrote: > If you see my recent linux-audit posting, another related thing (at > least as far as missing relevant information in the logs) is that the > audit logs are logging pathnames relative to the chroot, instead of > the pathnames relative to the root of the OS itself. You'd expect a > process chroot'd to /chroot, accessing (from the perspective of the > OS) /chroot/etc/password would get logged as /chroot/etc/password but > is rather logged as /etc/password. > > I don't have a working LXC install handy, but I'd imagine the audit > subsystem would log relative to the container's / instead of the > host's / too. BTW, what makes you think that container's root is even reachable from "the host's /"? There is no such thing as "root of the OS itself"; different processes can (and in case of containers definitely do) run in different namespaces. With entirely different filesystems mounted in those, and no promise whatsoever that any specific namespace happens to have all filesystems mounted somewhere in it...