enterprise-support team mailing list archive

Thread
Date

[Bug 1952774] [NEW] vfs_full_audit stopped honoring filters

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Olivier Migeot <1952774@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Nov 2021 15:38:27 -0000
Reply-to: Bug 1952774 <1952774@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Ubuntu version:
    Description:    Ubuntu 20.04.3 LTS
    Release:        20.04

Package version:

    samba-vfs-modules:
      Installed: 2:4.13.14+dfsg-0ubuntu0.20.04.2
      Candidate: 2:4.13.14+dfsg-0ubuntu0.20.04.2
      Version table:
     *** 2:4.13.14+dfsg-0ubuntu0.20.04.2 500
            500 http://fr.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         2:4.13.14+dfsg-0ubuntu0.20.04.1 500
            500 http://fr.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
         2:4.11.6+dfsg-0ubuntu1 500
            500 http://fr.archive.ubuntu.com/ubuntu focal/main amd64 Packages

Expected:

Since last update on Ubuntu Focal, I'm using samba 4.13.14 (samba-vfs-
modules == 2:4.13.14+dfsg-0ubuntu0.20.04.2). On one of my shares, I
enabled vfs_full_audit, like :

    vfs objects = full_audit
    full_audit:prefix = %u|%I
    full_audit:success = open opendir create_file unlink rename chmod chown
    full_audit:failure = all !open !readdir_attr !translate_name !get_dos_attributes !getxattr !durable_cookie !get_real_filename !stat
    full_audit:facility = LOCAL7
    full_audit:priority = ALERT

And until that upgrade (I was on 4.11 before, IIRC), it worked fine : I
had it only spit allowed ops (plus a few more, but the impact on logsize
was minimal).

What happened:

 Now, I'm catching MUCH more ops that I should, like for instance
(longer, more exhaustive log attached) :

   2129 chdir
    854 close
    204 closedir
      2 connect
   1062 connectpath
    820 create_file
      1 disconnect
   1098 fcntl
    204 fdopendir
  12262 file_id_create
      2 fs_capabilities
     72 fsctl
   4416 fs_file_id
   1062 fstat
   5328 get_alloc_size
   3799 get_dos_attributes
   5967 get_nt_acl_at
    109 getwd
   3799 getxattr
    348 kernel_flock
   3917 listxattr
   1062 openat
    802 pread_recv
    802 pread_send
   5743 readdir
   1066 realpath
      3 seekdir
  19024 stat
      2 statvfs
     18 streaminfo
    802 strict_lock_check
   8281 sys_acl_get_file
   5301 telldir

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "samba_audit.log"
   https://bugs.launchpad.net/bugs/1952774/+attachment/5544382/+files/samba_audit.log

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1952774

Title:
  vfs_full_audit stopped honoring filters

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1952774/+subscriptions

Follow ups

[Bug 1952774] Re: vfs_full_audit stopped honoring filters
From: Launchpad Bug Tracker, 2022-03-09