* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Tuesday 07 June 2005 14:38, Debora Velarde wrote:
> find . -inum 770531
Yes - thanks!
/lib/ld-2.3.5.so
So...wonder why that is in the record at all and why it didn't print its name?
Hmm, well, that's the elf loader, which gets mmap'd during exec for
dynamically linked elf executables (and opened with open_exec()).
That triggers audit_inode() in path_lookup(), which doesn't have the name.
It's assuming audit_getname() already gathered the name, but this name
is not one of the arguments (copied in with getname()), it's in the elf
header of the exectuable and hand copied into the kernel.