audit: Receive unmount event
authorJan Kara <jack@suse.cz>
Tue, 15 Aug 2017 11:00:37 +0000 (13:00 +0200)
committerPaul Moore <paul@paul-moore.com>
Tue, 15 Aug 2017 20:03:00 +0000 (16:03 -0400)
Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
not part of AUDIT_FS_WATCH mask and thus such event never gets to
audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
subsystem on unmount without audit being notified about that which leads
to a strange state of existing audit rules with dead fsnotify marks.

Add FS_UNMOUNT to the mask of events to be received so that audit can
clean up its state accordingly.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/audit_watch.c

index 1c7ded42f82f0e8130b9cbf6b45b67648736a0f7..d1b5857b7e3302989c36bc2d8231c29bfdae3150 100644 (file)
@@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
 
 /* fsnotify events we care about. */
 #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
-                       FS_MOVE_SELF | FS_EVENT_ON_CHILD)
+                       FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
 
 static void audit_free_parent(struct audit_parent *parent)
 {