audit: more filter PATH records keyed on filesystem magic
authorRichard Guy Briggs <rgb@redhat.com>
Wed, 23 Jan 2019 18:34:59 +0000 (13:34 -0500)
committerPaul Moore <paul@paul-moore.com>
Fri, 25 Jan 2019 21:12:55 +0000 (16:12 -0500)
Like commit 42d5e37654e4 ("audit: filter PATH records keyed on
filesystem magic") that addresses
https://github.com/linux-audit/audit-kernel/issues/8

Any user or remote filesystem could become unavailable and effectively
block on a forced unmount.

    -a always,exit -S umount2 -F key=umount2

Provide a method to ignore these user and remote filesystems to prevent
them from being impossible to unmount.

Extend the "AUDIT_FILTER_FS" filter, which uses the field type
AUDIT_FSTYPE to filter specific filesystems by their 4-octet hexadecimal
magic identifier, so that it also covers audit_inode() and addresses
this blockage.

An example rule would look like:
    -a never,filesystem -F fstype=0x517B -F key=ignore_smb
    -a never,filesystem -F fstype=0x6969 -F key=ignore_nfs

Arguably the better way to address this issue is to disable auditing
processes that touch removable filesystems.

Note: refactor __audit_inode_child() to remove two levels of if
indentation.

Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/auditsc.c

index c16beb25fd0abbde3083997652c7e5ef63f9c392..a2696ce790f9f286935f4ab427381ecb156435e4 100644 (file)
@@ -1766,10 +1766,31 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
        struct inode *inode = d_backing_inode(dentry);
        struct audit_names *n;
        bool parent = flags & AUDIT_INODE_PARENT;
+       struct audit_entry *e;
+       struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
+       int i;
 
        if (!context->in_syscall)
                return;
 
+       rcu_read_lock();
+       if (!list_empty(list)) {
+               list_for_each_entry_rcu(e, list, list) {
+                       for (i = 0; i < e->rule.field_count; i++) {
+                               struct audit_field *f = &e->rule.fields[i];
+
+                               if (f->type == AUDIT_FSTYPE
+                                   && audit_comparator(inode->i_sb->s_magic,
+                                                       f->op, f->val)
+                                   && e->rule.action == AUDIT_NEVER) {
+                                       rcu_read_unlock();
+                                       return;
+                               }
+                       }
+               }
+       }
+       rcu_read_unlock();
+
        if (!name)
                goto out_alloc;
 
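Review bot: The AUDIT_FILTER_FS walk added to __audit_inode() here is a copy of the loop in __audit_inode_child() (second hunk, same three-part condition), so two copies of a check that suppresses audit records can drift apart; one static helper taking the superblock magic would keep them identical. The helper is also the place to document the consequence the hunk leaves unstated: a matching never rule returns before any name is collected, so no PATH record is emitted for inodes on that filesystem. The `list_empty()` guard can be dropped, since the RCU list iterator already does nothing on an empty list. Both function bodies continue outside their hunks, and `audit_fs_never_match` is only a proposed name.

```c
/*
 * Return true when a "never" rule on the AUDIT_FILTER_FS list matches the
 * given superblock magic.  Callers return early on a match, so no PATH
 * record is collected for any inode on that filesystem.
 */
static bool audit_fs_never_match(unsigned long magic)
{
	struct audit_entry *e;
	bool never = false;
	int i;

	rcu_read_lock();
	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_FS], list) {
		for (i = 0; i < e->rule.field_count; i++) {
			struct audit_field *f = &e->rule.fields[i];

			if (f->type == AUDIT_FSTYPE
			    && audit_comparator(magic, f->op, f->val)
			    && e->rule.action == AUDIT_NEVER) {
				never = true;
				goto out;
			}
		}
	}
out:
	rcu_read_unlock();
	return never;
}

/* … unchanged: __audit_inode() declarations and in_syscall check … */
	if (audit_fs_never_match(inode->i_sb->s_magic))
		return;

/* … in __audit_inode_child(), replacing its copy of the loop … */
	if (audit_fs_never_match(parent->i_sb->s_magic))
		return;
```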
@@ -1878,14 +1899,12 @@ void __audit_inode_child(struct inode *parent,
                        for (i = 0; i < e->rule.field_count; i++) {
                                struct audit_field *f = &e->rule.fields[i];
 
-                               if (f->type == AUDIT_FSTYPE) {
-                                       if (audit_comparator(parent->i_sb->s_magic,
-                                           f->op, f->val)) {
-                                               if (e->rule.action == AUDIT_NEVER) {
-                                                       rcu_read_unlock();
-                                                       return;
-                                               }
-                                       }
+                               if (f->type == AUDIT_FSTYPE
+                                   && audit_comparator(parent->i_sb->s_magic,
+                                                       f->op, f->val)
+                                   && e->rule.action == AUDIT_NEVER) {
+                                       rcu_read_unlock();
+                                       return;
                                }
                        }
                }