On 2020-04-02 12:31, Vladis Dronov wrote:
 > Hello, Casey, all,
 >
 > ----- Original Message -----
 > > From: "Casey Schaufler" <casey(a)schaufler-ca.com>
 > > Subject: Re: [PATCH ghak96] audit: set cwd in audit context for file-related LSM audit records
 > >
 > > On 4/2/2020 7:13 AM, Vladis Dronov wrote:
 > > > Set a current working directory in an audit context for the following
 > > > record types in dump_common_audit_data(): LSM_AUDIT_DATA_PATH,
 > > > LSM_AUDIT_DATA_FILE, LSM_AUDIT_DATA_IOCTL_OP, LSM_AUDIT_DATA_DENTRY,
 > > > LSM_AUDIT_DATA_INODE so a separate CWD record is emitted later.
 > > >
 > > > Link: https://github.com/linux-audit/audit-kernel/issues/96
 > >
 > > I don't have a problem with the patch, but it sure would be nice
 > > if you explained why these events "could use a CWD record".
 >
 > (adding Richard Guy Briggs <rgb(a)redhat.com>, which I should have done earlier)
 >
 > I would agree, adding "cwd=" field in the LSM record itself is simpler to me.
 We already have a CWD record to record this information.  It usually
 accompanies an AUDIT_PATH record, but the intent is that it accompanies
 any event that has filesystem pathnames in path= or name= fields in
 records to help understand the command's context relative to the
 filesystem. 
Yes, I think the right thing to do here is simply generate a CWD
record in these cases.
-- 
paul moore
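
The pairing discussed in this thread, as an added example that is not part of the original messages or of the kernel patch: a log check that groups audit records by event ID and reports events carrying path= or name= fields with no accompanying CWD record. The sample records, SELinux contexts and function names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records, not captured from a real system.
SAMPLE = """\
type=AVC msg=audit(1585845060.101:410): avc:  denied  { read } for  pid=2211 comm="cat" name="secrets.txt" dev="dm-0" ino=9001 scontext=u:r:a_t:s0 tcontext=u:object_r:b_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1585845060.101:410): arch=c000003e syscall=257 success=no exit=-13 pid=2211 comm="cat"
type=CWD msg=audit(1585845060.101:410): cwd="/srv/app"
type=PATH msg=audit(1585845060.101:410): item=0 name="secrets.txt" inode=9001 nametype=NORMAL
type=AVC msg=audit(1585845061.202:411): avc:  denied  { ioctl } for  pid=2212 comm="tool" path="/dev/sdb" dev="devtmpfs" ino=77 ioctlcmd=0x1234 scontext=u:r:a_t:s0 tcontext=u:object_r:c_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1585845062.303:412): avc:  denied  { write } for  pid=2213 comm="sh" name="out.log" dev="dm-0" ino=9002 scontext=u:r:a_t:s0 tcontext=u:object_r:b_t:s0 tclass=file permissive=0
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
TYPE_RE = re.compile(r"type=(\S+)")
# Only quoted values are handled; hex-encoded (unquoted) names are skipped.
FIELD_RE = re.compile(r'\b(path|name|cwd)="([^"]*)"')


def analyze(log_text):
    """Group records by event ID; collect pathname fields and the CWD record."""
    events = defaultdict(lambda: {"cwd": None, "names": []})
    for line in log_text.splitlines():
        ev, rtype = EVENT_RE.search(line), TYPE_RE.match(line)
        if not (ev and rtype):
            continue
        rec = events[ev.group(1)]
        for key, value in FIELD_RE.findall(line):
            if key == "cwd":
                if rtype.group(1) == "CWD":
                    rec["cwd"] = value
            else:
                rec["names"].append((rtype.group(1), value))
    return dict(events)


def missing_cwd(events):
    """Event IDs that carry path=/name= fields but no CWD record."""
    return sorted(e for e, r in events.items() if r["names"] and r["cwd"] is None)


def resolve_path_records(rec):
    """Resolve relative name= values of PATH records against the event's cwd."""
    return [posixpath.normpath(posixpath.join(rec["cwd"], n))
            for t, n in rec["names"] if t == "PATH" and rec["cwd"]]


if __name__ == "__main__":
    evs = analyze(SAMPLE)
    for eid in missing_cwd(evs):
        print("no CWD record for event", eid, evs[eid]["names"])
```

Events 411 and 412 in the sample stand for LSM-only records with pathname fields and no CWD record, which is the case the patch is meant to cover.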