BUG: rename event has incorrect records #156

Open
naugustine98 opened this issue Feb 14, 2024 · 2 comments

naugustine98 commented Feb 14, 2024

Old Behaviour

Environment

OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Coreutils: 8.22(24.el7_9.2)

Operation

mv nidhin2/somefile nidhin/

Audit Records

type=PROCTITLE msg=audit(02/14/2024 14:57:07.401:49382999) : proctitle=mv nidhin2/somefile nidhin/
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=3 name=nidhin/somefile inode=33755239 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=2 name=nidhin2/somefile inode=33755239 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=1 name=nidhin/ inode=16783749 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=0 name=nidhin2/ inode=33755238 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2024 14:57:07.401:49382999) :  cwd=/home/nid
type=SYSCALL msg=audit(02/14/2024 14:57:07.401:49382999) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=0xffffff9c a1=0x7fffc5a765b5 a2=0xffffff9c a3=0x205a8f0 items=4 ppid=6632 pid=12712 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts0 ses=307 comm=mv exe=/usr/bin/mv subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key={17032022-4b51-405d-87af-9eb3db337dfd}

New Behaviour

Environment

OS: Ubuntu 23.10 on AWS
Kernel: 6.5.0-1013-aws
Coreutils: 9.1-1ubuntu2.23.10.1

Operation

mv nidhin2/somefile nidhin/

Audit Records

type=PROCTITLE msg=audit(02/14/24 06:55:50.291:2869721) : proctitle=mv nidhin2/somefile nidhin/
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=3 name=somefile inode=286616 dev=ca:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=2 name=nidhin2/somefile inode=286616 dev=ca:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=1 name=nidhin2/ inode=286614 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=0 name=/home/ubuntu inode=286605 dev=ca:01 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/14/24 06:55:50.291:2869721) : cwd=/home/ubuntu
type=SYSCALL msg=audit(02/14/24 06:55:50.291:2869721) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=AT_FDCWD a1=0x7ffec9b43765 a2=0x3 a3=0x561d516fad67 items=4 ppid=2039987 pid=2039990 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts14 ses=346 comm=mv exe=/usr/bin/mv subj=unconfined key={17032022-4b51-405d-87af-9eb3db337dfd}

Issues in New Behaviour

  1. The source's parent is coming as second path item instead of coming as first
  2. Instead of the target's parent, we get the current directory

Maybe these issues are there because the new version of coreutils changed the way in which rename is performed (instead of the rename syscall being given the whole target path, the target's parent directory is opened and the fd is given to it).

Old coreutils:

 renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/", RENAME_NOREPLACE) = -1 EEXIST (File exists)
 newfstatat(AT_FDCWD, "nidhin/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
 renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/somefile", RENAME_NOREPLACE) = 0

New coreutils:

renameat2(AT_FDCWD, "nidhin2/somefile", AT_FDCWD, "nidhin/", RENAME_NOREPLACE) = -1 EEXIST (File exists)
openat(AT_FDCWD, "nidhin/", O_RDONLY|O_PATH|O_DIRECTORY) = 3
renameat2(AT_FDCWD, "nidhin2/somefile", 3, "somefile", RENAME_NOREPLACE) = 0
@naugustine98

Machine where old (correct) behavior was tested
OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Coreutils: 8.22(24.el7_9.2)

Machine where new (incorrect) behavior was tested
OS: Ubuntu 23.10 on AWS
Kernel: 6.5.0-1013-aws
Coreutils: 9.1-1ubuntu2.23.10.1

@pcmoore pcmoore changed the title Rename event has incorrect records BUG: rename event has incorrect records Feb 14, 2024
@pcmoore pcmoore added the bug label Feb 14, 2024

naugustine98 commented Nov 13, 2024

Another issue that may be related:

Environment

OS: Ubuntu 22.04.2 LTS
Kernel: 6.8.0-40-generic
Audit: 3.0.7
Coreutils:  8.32-4.1ubuntu1

Operation

root@rdlab-virtual-machine:~/nid# pwd
/root/nid
root@rdlab-virtual-machine:~/nid# ls
dir1  dir2
root@rdlab-virtual-machine:~/nid# mv dir1/file1 dir2/file2

Audit Records

type=PROCTITLE msg=audit(11/13/2024 16:55:31.741:128733734) : proctitle=mv dir1/file1 dir2/file2
type=PATH msg=audit(11/13/2024 16:55:31.741:128733734) : item=3 name=dir2/file2 inode=1966570 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/13/2024 16:55:31.741:128733734) : item=2 name=dir1/file1 inode=1966570 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/13/2024 16:55:31.741:128733734) : item=1 name=dir1/ inode=1966568 dev=08:03 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/13/2024 16:55:31.741:128733734) : item=0 name=dir2/ inode=1966569 dev=08:03 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/13/2024 16:55:31.741:128733734) : cwd=/root/nid
type=SYSCALL msg=audit(11/13/2024 16:55:31.741:128733734) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=AT_FDCWD a1=0x7fff4e122745 a2=AT_FDCWD a3=0x7fff4e122750 items=4 ppid=2215877 pid=2294836 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=7335 comm=mv exe=/usr/bin/mv subj=unconfined key=nidhin

Issues

1. The source's parent is coming as second path item instead of coming as first
2. The target's parent is coming as first path item instead of coming as second
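
Added example (not part of the issue thread and not the audit project's code): a log consumer that resolves a rename's source and target from the PATH records' `nametype`/`objtype` role instead of the `item` index, and uses the SYSCALL record's `a2` (renameat2's new directory fd) to flag a target name that is relative to an opened directory rather than to `cwd`. The function names are hypothetical, and the input is assumed to be the interpreted text format quoted in the issue.

```python
import re
from collections import defaultdict

# Constructed sample: the issue's first two record sets, abridged to the fields used here.
SAMPLE = """\
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=3 name=nidhin/somefile objtype=CREATE
type=PATH msg=audit(02/14/2024 14:57:07.401:49382999) : item=2 name=nidhin2/somefile objtype=DELETE
type=CWD msg=audit(02/14/2024 14:57:07.401:49382999) :  cwd=/home/nid
type=SYSCALL msg=audit(02/14/2024 14:57:07.401:49382999) : syscall=renameat2 a0=0xffffff9c a2=0xffffff9c
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=3 name=somefile nametype=CREATE
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=2 name=nidhin2/somefile nametype=DELETE
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=1 name=nidhin2/ nametype=PARENT
type=PATH msg=audit(02/14/24 06:55:50.291:2869721) : item=0 name=/home/ubuntu nametype=PARENT
type=CWD msg=audit(02/14/24 06:55:50.291:2869721) : cwd=/home/ubuntu
type=SYSCALL msg=audit(02/14/24 06:55:50.291:2869721) : syscall=renameat2 a0=AT_FDCWD a2=0x3
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\) :\s*(.*)")
AT_FDCWD = {"AT_FDCWD", "0xffffff9c"}  # symbolic and raw (-100) forms seen in the issue

def parse(text):
    """Group records by event serial; each record is (type, {field: value})."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            events[m.group(2)].append((m.group(1), fields))
    return events

def resolve_rename(records):
    """Pick source/target by role (nametype, or objtype as on CentOS 7), not item index."""
    out = {"source": None, "target": None, "cwd": None, "target_via_dirfd": False}
    for rtype, f in records:
        role = f.get("nametype") or f.get("objtype")
        if rtype == "PATH" and role == "DELETE":
            out["source"] = f["name"]
        elif rtype == "PATH" and role == "CREATE":
            out["target"] = f["name"]
        elif rtype == "CWD":
            out["cwd"] = f["cwd"]
        elif rtype == "SYSCALL" and f.get("syscall") in ("renameat", "renameat2"):
            # a2 is the new directory fd; anything but AT_FDCWD means the target
            # name must not be joined with cwd to build a full path.
            out["target_via_dirfd"] = f.get("a2", "AT_FDCWD") not in AT_FDCWD
    return out

def renames(text):
    return {serial: resolve_rename(recs) for serial, recs in parse(text).items()}
```
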
