[PATCH 2/2] audit: Receive unmount event

Richard Guy Briggs rgb at redhat.com
Fri Aug 18 05:12:06 UTC 2017


On 2017-08-15 15:55, Paul Moore wrote:
> On Tue, Aug 15, 2017 at 7:00 AM, Jan Kara <jack at suse.cz> wrote:
> > Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
> > not part of AUDIT_FS_WATCH mask and thus such event never gets to
> > audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
> > subsystem on unmount without audit being notified about that which leads
> > to a strange state of existing audit rules with dead fsnotify marks.
> >
> > Add FS_UNMOUNT to the mask of events to be received so that audit can
> > clean up its state accordingly.
> >
> > Signed-off-by: Jan Kara <jack at suse.cz>

Reviewed-by: Richard Guy Briggs <rgb at redhat.com>

> > ---
> >  kernel/audit_watch.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> It's funny how the rest of the audit code handles the FS_UNMOUNT
> event, but it isn't in the mask.  It looks like it was lost in the
> inotify to fanotify conversion.  Since I'm likely sending your other
> patch up to Linus later this week, and I think this is a reasonable
> bug-fix, I'm going to include this in the audit/stable-4.13 branch.
> 
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index ed748ee40029..9eb8b3511636 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
> >
> >  /* fsnotify events we care about. */
> >  #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
> > -                       FS_MOVE_SELF | FS_EVENT_ON_CHILD)
> > +                       FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
> >
> >  static void audit_free_parent(struct audit_parent *parent)
> >  {
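
Review bot: The comment above AUDIT_FS_WATCH still reads only "fsnotify events we care about", and nothing at the define ties the mask to the events audit_watch_handle_event() acts on. That is the mismatch the changelog describes: the handler covers FS_UNMOUNT but the mask never delivered it. Consider extending the comment to state that the mask must include every event the handler handles, so the two are less likely to drift apart again. The changelog also carries no Fixes: tag; if the commit where the event was lost from the mask can be identified, naming it would help anyone backporting this.
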
> > --
> > 2.12.3
> 
> -- 
> paul moore
> www.paul-moore.com
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635



