audit_update_watch() invalidates rule data early, before we hit the
syscall exit filter. This means audit fails to emit records when
watched files or directories are removed. Fix by calling
audit_filter_inodes() right before the update.
Al, please fold this one in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.
Signed-off-by: Amy Griffis <[EMAIL PROTECTED]>
diff --git a/kernel/audit.h b/kernel/audit.h
index 125aebe..f337845 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,6 +126,9 @@ extern void audit_free_parent(struct ino
extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
const char *, struct inode *);
extern int selinux_audit_rule_update(void);
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+ struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
#ifdef CONFIG_AUDITSYSCALL
extern void __audit_signal_info(int sig, struct task_struct *t);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7609694..ff85fee 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -26,6 +26,7 @@ #include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/netlink.h>
+#include <linux/sched.h>
#include <linux/inotify.h>
#include <linux/selinux.h>
#include "audit.h"
@@ -736,7 +737,7 @@ static struct audit_entry *audit_dupe_ru
/* Update inode info in audit rules based on filesystem event. */
static inline void audit_update_watch(struct audit_parent *parent,
const char *dname, dev_t dev,
- unsigned long ino)
+ unsigned long ino, unsigned invalidating)
{
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
@@ -748,6 +749,12 @@ static inline void audit_update_watch(st
if (audit_compare_dname_path(dname, owatch->path))
continue;
+ /* If the update involves invalidating rules, do the inode-based
+ * filtering now, so we don't omit records. */
+ if (invalidating &&
+ audit_filter_inodes(current, current->audit_context) ==
AUDIT_RECORD_CONTEXT)
+ audit_set_auditable(current->audit_context);
+
nwatch = audit_dupe_watch(owatch);
if (unlikely(IS_ERR(nwatch))) {
mutex_unlock(&audit_filter_mutex);
@@ -1523,9 +1530,9 @@ void audit_handle_ievent(struct inotify_
if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
audit_update_watch(parent, dname, inode->i_sb->s_dev,
- inode->i_ino);
+ inode->i_ino, 0);
else if (mask & (IN_DELETE|IN_MOVED_FROM))
- audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1);
+ audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1,
1);
/* inotify automatically removes the watch and sends IN_IGNORED */
else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
audit_remove_parent_watches(parent);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f4b09a3..4858bdd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -417,8 +417,8 @@ static enum audit_state audit_filter_sys
* buckets applicable to the inode numbers in audit_names[].
* Regarding audit_state, same rules apply as for audit_filter_syscall().
*/
-static enum audit_state audit_filter_inodes(struct task_struct *tsk,
- struct audit_context *ctx)
+enum audit_state audit_filter_inodes(struct task_struct *tsk,
+ struct audit_context *ctx)
{
int i;
struct audit_entry *e;
@@ -450,6 +450,11 @@ static enum audit_state audit_filter_ino
return AUDIT_BUILD_CONTEXT;
}
+void audit_set_auditable(struct audit_context *ctx)
+{
+ ctx->auditable = 1;
+}
+
static inline struct audit_context *audit_get_context(struct task_struct *tsk,
int return_valid,
int return_code)
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
