On 2017-08-15 15:55, Paul Moore wrote:
On Tue, Aug 15, 2017 at 7:00 AM, Jan Kara <jack(a)suse.cz> wrote:
> Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
> not part of AUDIT_FS_WATCH mask and thus such event never gets to
> audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
> subsystem on unmount without audit being notified about that which leads
> to a strange state of existing audit rules with dead fsnotify marks.
>
> Add FS_UNMOUNT to the mask of events to be received so that audit can
> clean up its state accordingly.
>
> Signed-off-by: Jan Kara <jack(a)suse.cz>
Reviewed-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit_watch.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
It's funny how the rest of the audit code handles the FS_UNMOUNT
event, but it isn't in the mask. It looks like it was lost in the
inotify to fanotify conversion. Since I'm likely sending your other
patch up to Linus later this week, and I think this is a reasonable
bug-fix, I'm going to include this in the audit/stable-4.13 branch.
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index ed748ee40029..9eb8b3511636 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
>
> /* fsnotify events we care about. */
> #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
> - FS_MOVE_SELF | FS_EVENT_ON_CHILD)
> + FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
>
> static void audit_free_parent(struct audit_parent *parent)
> {
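Review bot: The comment above AUDIT_FS_WATCH still reads only "fsnotify events we care about" and gives no reason for the newly added FS_UNMOUNT bit. Since the commit message says the handler already dealt with FS_UNMOUNT while the mask silently lacked it, consider extending that comment to state that FS_UNMOUNT is required so audit can clean up its rules when fsnotify deletes the marks on unmount, and that the mask must stay in step with the events audit_watch_handle_event() handles. The commit message also names no commit that introduced the omission; if one can be identified, a Fixes: tag would help, given the change is headed for audit/stable-4.13 as a bug fix.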
> --
> 2.12.3
--
paul moore
www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635