[PATCH 2/2] audit: Receive unmount event
Richard Guy Briggs
rgb at redhat.com
Fri Aug 18 05:12:06 UTC 2017
On 2017-08-15 15:55, Paul Moore wrote:
> On Tue, Aug 15, 2017 at 7:00 AM, Jan Kara <jack at suse.cz> wrote:
> > Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
> > not part of AUDIT_FS_WATCH mask and thus such event never gets to
> > audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
> > subsystem on unmount without audit being notified about that which leads
> > to a strange state of existing audit rules with dead fsnotify marks.
> >
> > Add FS_UNMOUNT to the mask of events to be received so that audit can
> > clean up its state accordingly.
> >
> > Signed-off-by: Jan Kara <jack at suse.cz>
Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > kernel/audit_watch.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> It's funny how the rest of the audit code handles the FS_UNMOUNT
> event, but it isn't in the mask. It looks like it was lost in the
> inotify to fanotify conversion. Since I'm likely sending your other
> patch up to Linus later this week, and I think this is a reasonable
> bug-fix, I'm going to include this in the audit/stable-4.13 branch.
>
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index ed748ee40029..9eb8b3511636 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
> >
> > /* fsnotify events we care about. */
> > #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
> > - FS_MOVE_SELF | FS_EVENT_ON_CHILD)
> > + FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
> >
> > static void audit_free_parent(struct audit_parent *parent)
> > {
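Review bot: The FS_UNMOUNT bit added on the second line of the AUDIT_FS_WATCH definition carries no comment explaining why it belongs in the mask, and nothing in the hunk ties the mask to the set of events audit_watch_handle_event() acts on, which per the commit message is the mismatch that left the unmount case unreachable. Consider extending the "fsnotify events we care about" comment to state that the mask must cover every event the handler handles, and that FS_UNMOUNT is there so audit can clean up its rules when fsnotify deletes the marks on unmount. If the bit was lost in an earlier conversion, as the reply above suggests, a Fixes: tag naming that commit would help, since the patch is headed for a stable branch.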
> > --
> > 2.12.3
>
> --
> paul moore
> www.paul-moore.com
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635