> On 17-06-2026 04:32 CEST Paul Moore <[email protected]> wrote:
>
>
> On Mon, Jun 15, 2026 at 5:43 PM Jori Koolstra <[email protected]> wrote:
> > > On 14-06-2026 18:44 CEST Jori Koolstra <[email protected]> wrote:
> > >
> > > In the mknod(2) path of calling vfs_create() we call audit_inode_child()
> > > before permission checks in may_create_dentry() (but after path-based
> > > LSM check). Copy this behaviour to lookup_open() and move
> > > audit_inode_child() to may_o_create().
> > >
> > > Signed-off-by: Jori Koolstra <[email protected]>
> > > ---
> > > fs/namei.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
>
> ...
>
> > CC, [email protected]
> >
> > Went too quick with this one... audit_inode_child() probably shouldn't be
> > called if we are in the lookup case. So there isn't really a way to do this
> > exactly symmetrical to the vfs_create()/vfs_mkdir() paths.
> >
> > But certainly the current implementation is also wrong. In the atomic_open
> > case audit_inode_child() is called only once (in the final fsnotify call in
> > open_last_lookups()), but in the regular ->create case audit_inode_child()
> > is called twice.
> >
> > What behavior is actually wanted here?
>
> I haven't looked at the VFS open/create code in a while, and I'm kinda
> swamped with other things at the moment so a few pointers would go a
> long way towards helping get the right context for your question.
>
You are right, I should have added some more context, sorry about that.
And thank you for taking the time to look into this.

In the current mainline code, in lookup_open() in fs/namei.c (which is
the primary function that handles creates from open(O_CREAT)) on line
4502 we call

    audit_inode_child(dir_inode, dentry, AUDIT_TYPE_CHILD_CREATE);

just before we delegate to i_op->create(). However, on return of lookup_open()
in open_last_lookups() on line 4610 we also have

    if (!IS_ERR(dentry)) {
        if (file->f_mode & FMODE_CREATED)
            fsnotify_create(dir->d_inode, dentry);

So, if the create succeeded, fsnotify_create() is called on the same inode.
This function is given by:

    static inline void fsnotify_create(struct inode *dir, struct dentry *dentry)
    {
        audit_inode_child(dir, dentry, AUDIT_TYPE_CHILD_CREATE);
        fsnotify_dirent(dir, dentry, FS_CREATE);
    }

Thus it appears that audit_inode_child() is called twice. This happens in
various forms for most other audit-involved paths in VFS too (like mknod,
mkdir, etc.).

This is what is confusing me. What should be the correct order/number of calls
here?
> We shouldn't *need* multiple calls into audit_inode_child() for a
> given filesystem object as long as all of the information audit needs
> can be captured in the single call site.
>
> --
> paul-moore.com
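The thread leaves open whether the second audit_inode_child() call is visible from userspace at all. As an added example, not part of this thread or of the kernel patch under discussion, the script below is the check an auditd operator could run on a real audit.log: it groups PATH records under their SYSCALL serial and reports any event in which the same (name, inode) pair appears more than once with nametype=CREATE (the string auditd emits for AUDIT_TYPE_CHILD_CREATE). The log lines are constructed for illustration; serial 1002 is written to show what a doubled CREATE item would look like, not to assert that current kernels produce one.

```python
import re
from collections import defaultdict

# Constructed sample auditd lines (not taken from the thread or a real system).
# Serial 1001: one PARENT item and one CREATE item for an open(O_CREAT).
# Serial 1002: the same, but with the CREATE item repeated for the same inode,
# which is how a doubled audit_inode_child() call would surface if the audit
# core ever recorded it twice.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1718600000.123:1001): arch=c000003e syscall=257 success=yes exit=3 comm="touch" exe="/usr/bin/touch"
type=PATH msg=audit(1718600000.123:1001): item=0 name="/tmp/" inode=16 dev=fd:01 nametype=PARENT
type=PATH msg=audit(1718600000.123:1001): item=1 name="/tmp/a" inode=42 dev=fd:01 nametype=CREATE
type=SYSCALL msg=audit(1718600000.456:1002): arch=c000003e syscall=257 success=yes exit=3 comm="touch" exe="/usr/bin/touch"
type=PATH msg=audit(1718600000.456:1002): item=0 name="/tmp/" inode=16 dev=fd:01 nametype=PARENT
type=PATH msg=audit(1718600000.456:1002): item=1 name="/tmp/b" inode=43 dev=fd:01 nametype=CREATE
type=PATH msg=audit(1718600000.456:1002): item=2 name="/tmp/b" inode=43 dev=fd:01 nametype=CREATE
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value pairs; values may be quoted strings or bare tokens such as fd:01
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group SYSCALL and PATH records by audit serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        ev = events[int(m.group("serial"))]
        if m.group("type") == "SYSCALL":
            ev["syscall"] = fields
        elif m.group("type") == "PATH":
            ev["paths"].append(fields)
    return events


def duplicate_create_items(events):
    """Return {serial: [(name, inode), ...]} for every event in which the same
    (name, inode) pair is recorded more than once with nametype=CREATE."""
    dups = {}
    for serial, ev in events.items():
        seen = defaultdict(int)
        for p in ev["paths"]:
            if p.get("nametype") == "CREATE":
                seen[(p.get("name"), p.get("inode"))] += 1
        repeated = [key for key, n in seen.items() if n > 1]
        if repeated:
            dups[serial] = repeated
    return dups


if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG)
    for serial, repeated in duplicate_create_items(evs).items():
        sc = evs[serial]["syscall"] or {}
        print(f"serial {serial} (syscall={sc.get('syscall')} comm={sc.get('comm')}): "
              f"repeated CREATE items {repeated}")
```

On a real system the input would be the contents of /var/log/audit/audit.log with a watch or syscall rule covering openat; an empty result for every open(O_CREAT) event means the doubled kernel call is collapsed into a single PATH item before it reaches userspace, which is the behaviour Paul Moore describes as the goal (all the information audit needs captured in one place).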