
Path record contains (null) name for file descriptor operation #276

Closed
cgzones opened this issue Sep 9, 2022 · 2 comments

Comments


cgzones commented Sep 9, 2022

System: Debian sid
Kernel: Linux hostname 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux
Auditd: 3.0.9

Triggering a SELinux denial on a file descriptor operation (e.g. fchmod(2)) creates an audit record path field with a name of (null), which probably was formatted to a string from a NULL pointer by glibc.

  1. If there is no path (its value is a NULL pointer) shouldn't the whole field be skipped?
  2. Shouldn't it be possible to look up the path for file descriptor operations within the kernel, since it is exported by reading the symlink target of /proc/<PID>/fd/<FD>?

time->Fri Sep  9 17:09:59 2022
type=PROCTITLE msg=audit(1662736199.136:580): proctitle=2F7573722F6C6F63616C2F62696E2F74657374002F6574632F706173737764
type=PATH msg=audit(1662736199.136:580): item=0 name=(null) inode=917101 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1662736199.136:580): cwd="/home/christian"
type=SYSCALL msg=audit(1662736199.136:580): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=1a0 a2=0 a3=70495e20e660 items=1 ppid=2340 pid=91666 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=3 comm="test" exe="/usr/local/bin/test" subj=xuser_u:xuser_r:xuser_t:s0 key=(null)
type=AVC msg=audit(1662736199.136:580): avc:  denied  { setattr } for  pid=91666 comm="test" name="passwd" dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(09/09/22 17:09:59.136:580) : proctitle=/usr/local/bin/test /etc/passwd 
type=PATH msg=audit(09/09/22 17:09:59.136:580) : item=0 name=(null) inode=917101 dev=fe:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/09/22 17:09:59.136:580) : cwd=/home/christian 
type=SYSCALL msg=audit(09/09/22 17:09:59.136:580) : arch=x86_64 syscall=fchmod success=no exit=EACCES(Permission denied) a0=0x3 a1=0640 a2=0x0 a3=0x70495e20e660 items=1 ppid=2340 pid=91666 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=pts6 ses=3 comm=test exe=/usr/local/bin/test subj=xuser_u:xuser_r:xuser_t:s0 key=(null) 
type=AVC msg=audit(09/09/22 17:09:59.136:580) : avc:  denied  { setattr } for  pid=91666 comm=test name=passwd dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0
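As an added example (not code from this issue, from audit-userspace or from the kernel), the following Python script shows what a log consumer can do with such an event today: parse the raw records of one serial, flag the PATH record whose name is the literal (null), and recover what it can from the other records of the same event: the basename and inode from the AVC record, the decoded PROCTITLE argv, and, only while the offending process still exists and its /proc/<PID>/exe matches the SYSCALL exe field, the symlink target of /proc/<PID>/fd/<FD> that the second question refers to. The embedded sample is the raw ausearch output from the report above; the function names and the dictionary layout are my own.

```python
import json
import os
import re
import tempfile

# Constructed sample: the raw records of audit event 580 from the report above,
# embedded here so the script runs offline. The PATH record carries name=(null);
# the AVC record still names the object by basename and inode.
SAMPLE_EVENT = """\
type=PROCTITLE msg=audit(1662736199.136:580): proctitle=2F7573722F6C6F63616C2F62696E2F74657374002F6574632F706173737764
type=PATH msg=audit(1662736199.136:580): item=0 name=(null) inode=917101 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1662736199.136:580): cwd="/home/christian"
type=SYSCALL msg=audit(1662736199.136:580): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=1a0 a2=0 a3=70495e20e660 items=1 ppid=2340 pid=91666 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=3 comm="test" exe="/usr/local/bin/test" subj=xuser_u:xuser_r:xuser_t:s0 key=(null)
type=AVC msg=audit(1662736199.136:580): avc:  denied  { setattr } for  pid=91666 comm="test" name="passwd" dev="dm-1" ino=917101 scontext=xuser_u:xuser_r:xuser_t:s0 tcontext=system_u:object_r:conf_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]*) \}")

def parse_fields(body):
    """Split a record body into key=value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def parse_event(text):
    """Group the records of one audit serial by record type (hypothetical helper)."""
    event = {"serial": None, "records": {}}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial = int(m["serial"])
        if event["serial"] is None:
            event["serial"] = serial
        elif serial != event["serial"]:
            raise ValueError("records from more than one event")
        fields = parse_fields(m["body"])
        if m["type"] == "AVC":  # keep the result and permission set of the AVC line
            avc = AVC_RE.search(m["body"])
            if avc:
                fields["result"], fields["permission"] = avc.group(1), avc.group(2).strip()
        event["records"].setdefault(m["type"], []).append(fields)
    return event

def null_name_paths(event):
    """PATH records whose name field is the literal (null) described in the report."""
    return [p for p in event["records"].get("PATH", []) if p.get("name") == "(null)"]

def decode_proctitle(value):
    """Raw PROCTITLE values are hex argv with NUL separators; already interpreted values pass through."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)

def resolve_fd_via_proc(pid, fd):
    """Symlink target of /proc/<pid>/fd/<fd>, or None when the process is gone, not ours, or /proc is absent."""
    try:
        return os.readlink(f"/proc/{pid}/fd/{fd}")
    except OSError:
        return None

def describe_denied_object(event):
    """Best available description of the object behind a (null) PATH name, from the event's other records."""
    paths = null_name_paths(event)
    if not paths:
        return None
    p = paths[0]
    syscall = event["records"].get("SYSCALL", [{}])[0]
    avc = event["records"].get("AVC", [{}])[0]
    pid = int(syscall.get("pid", "0"))
    fd = int(syscall.get("a0", "0"), 16)  # raw a0 is hex; for fchmod(2) it is the fd
    # Live resolution is only meaningful while the same process still exists:
    # pids are reused, so require /proc/<pid>/exe to match the recorded exe.
    live = None
    if pid and syscall.get("exe"):
        try:
            same_exe = os.readlink(f"/proc/{pid}/exe") == syscall["exe"]
        except OSError:
            same_exe = False
        if same_exe:
            live = resolve_fd_via_proc(pid, fd)
    return {
        "serial": event["serial"], "syscall": syscall.get("syscall"),
        "denied": avc.get("permission"), "fd": fd,
        "basename": avc.get("name"), "inode": int(p.get("inode", "0")),
        "dev": p.get("dev"), "live_path": live,
        "proctitle": decode_proctitle(event["records"].get("PROCTITLE", [{}])[0].get("proctitle", "")),
    }

def fd_resolution_selfcheck():
    """Show that /proc resolves an fd of this process back to its file: True on a match, None without /proc."""
    with tempfile.NamedTemporaryFile() as f:
        resolved = resolve_fd_via_proc(os.getpid(), f.fileno())
        if resolved is None:
            return None
        return resolved == os.path.realpath(f.name)

if __name__ == "__main__":
    print(json.dumps(describe_denied_object(parse_event(SAMPLE_EVENT)), indent=2))
    print("fd -> path via /proc works here:", fd_resolution_selfcheck())
```

Two caveats for anyone adapting this: the script reads a0 as the file descriptor because that is where fchmod(2) takes it, and a general tool needs a per-syscall argument table; and the decoded PROCTITLE argv (here "/usr/local/bin/test /etc/passwd") is only a hint, since the program may have opened a different file than the one it was given on the command line. The AVC record's name and the PATH record's inode and dev are the authoritative parts of the event.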

stevegrubb commented Sep 10, 2022

This would be a kernel issue and not userspace. I tried to transfer it, but I don't have write permission with audit-kernel.


cgzones commented Sep 12, 2022

Closing in favor of linux-audit/audit-kernel#140.

cgzones closed this as completed Sep 12, 2022