On Wed, Nov 5, 2014 at 5:58 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 14/11/04, Miklos Szeredi wrote:
>> From: Miklos Szeredi <mszeredi(a)suse.cz>
>
> Hi Miklos,
>
>> Audit rules disappear when an inode they watch is evicted from the cache.
>> This is likely not what we want.
>>
>> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
>> which didn't take into account that audit_tree adds watches with a zero
>> mask.
>>
>> Adding any mask should fix this.
>
> Nice find! Do you have a quick reproducer to detect this?

- reboot
- add tree rule
- echo 2 > /proc/sys/vm/drop_caches
drop_caches doesn't guarantee dropping the inode from the cache, but
after a reboot it usually does.
Thanks,
Miklos
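
The reproducer steps above, written as a regression check. This is an added example, not part of the thread or of the kernel or audit projects. It assumes the audit userspace tool `auditctl` is installed, that a lost tree rule no longer shows up in `auditctl -l`, and that the script runs as root on a freshly booted machine; the function names and the key `tree-evict-test` are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an audit tree rule
# survives the inode eviction that drop_caches can trigger.

# Print every line of snapshot file $1 that is absent from snapshot file $2.
# Lines are compared whole and as fixed strings, so rule order does not matter.
missing_rules() {
    [ -s "$1" ] || return 0            # nothing recorded before: nothing lost
    grep -Fxv -f "$2" "$1" || true     # grep exits 1 when nothing is missing
}

# Follow the steps from the message for directory $1: add a tree rule,
# ask the kernel to drop cached dentries and inodes, compare rule listings.
# Returns 0 if the rule is still listed, 1 if it vanished, 2 on setup errors.
check_tree_rule() {
    dir=$1
    key=${2:-tree-evict-test}          # hypothetical key used to find our rule
    before=$(mktemp) && after=$(mktemp) || return 2

    # Tree (directory) rule, as opposed to a single-file watch.
    auditctl -a always,exit -F dir="$dir" -F perm=wa -k "$key" || return 2
    auditctl -l | grep -F -- "$key" > "$before" || true

    sync
    echo 2 > /proc/sys/vm/drop_caches  # not guaranteed to evict the inode
    auditctl -l | grep -F -- "$key" > "$after" || true

    lost=$(missing_rules "$before" "$after")
    rm -f "$before" "$after"
    if [ -n "$lost" ]; then
        printf 'rule lost after drop_caches:\n%s\n' "$lost"
        return 1
    fi
    # Rule survived: remove it again so the check leaves no state behind.
    auditctl -d always,exit -F dir="$dir" -F perm=wa -k "$key"
    return 0
}

# Usage (as root, right after boot): check_tree_rule /srv/data
```

A return value of 0 does not prove the kernel is fixed, since drop_caches may leave the inode cached; only a return value of 1 is conclusive.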