From: Paul Moore <paul@paul-moore.com>
To: Ricardo Robaina <rrobaina@redhat.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: eparis@redhat.com, rgb@redhat.com, longman@redhat.com,
Ricardo Robaina <rrobaina@redhat.com>
Subject: Re: [PATCH 2/2] audit: fix removal of dangling executable rules
Date: Tue, 12 May 2026 15:12:34 -0400
Message-ID: <402f11211fcab76b6410f3f57372c58f@paul-moore.com>
In-Reply-To: <c5fd6163fd285fca25460ce821f95b15383f920a.1776176104.git.rrobaina@redhat.com>
On Apr 14, 2026 Ricardo Robaina <rrobaina@redhat.com> wrote:
>
> When an audited executable is deleted from the disk, its dentry
> becomes negative. Any later attempt to delete the associated audit
> rule will lead to audit_alloc_mark() encountering this negative
> dentry and immediately aborting, returning -ENOENT.
>
> This early abort prevents the subsystem from allocating the temporary
> fsnotify mark needed to construct the search key, meaning the kernel
> cannot find the existing rule in its own lists to delete it. This
> leaves a dangling rule in memory, resulting in the following error
> while attempting to delete the rule:
>
> # ./audit-dupe-exe-deadlock.sh
> No rules
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> # auditctl -l
> -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
>
> # auditctl -D
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> This patch fixes this issue by removing the d_really_is_negative()
> check. By doing so, a dummy mark can be successfully generated for
> the deleted path, which allows the audit subsystem to properly match
> and flush the dangling rule.
>
> Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> Acked-by: Waiman Long <longman@redhat.com>
> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_fsnotify.c | 4 ----
> 1 file changed, 4 deletions(-)
Good catch. I might reorder the patchset so this patch comes first
in the patchset, but this isn't a big deal either way.
--
paul-moore.com
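The quoted description shows an `auditctl -l` listing that still carries an `-F exe=/tmp/file` rule after the executable has been removed, which on an unpatched kernel can no longer be deleted. As an added example (not part of this thread, the patch, or the audit userspace tools), the POSIX shell function below reads `auditctl -l` style lines on standard input and reports every rule whose `-F exe=` target no longer exists on disk, so an administrator can spot such dangling rules before hitting the `-ENOENT` failure. The function name and the sample rule lines in the comments are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread above. Flag audit rules whose
# "-F exe=" target is missing from the filesystem. On kernels without the
# quoted fix, auditctl -d / -D fail for such rules with ENOENT.
#
# Usage (needs CAP_AUDIT_CONTROL for auditctl itself):
#   auditctl -l | sh this_script.sh    # where this_script.sh calls the function
#
# Constructed sample input, one rule per line, as auditctl -l prints it:
#   -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
#   -w /etc/passwd -p wa -k passwd

# find_dangling_exe_rules: read rules on stdin, print each rule whose
# exe= path does not exist, prefixed with "dangling: ".
# Returns 0 when no dangling rule was seen, 1 otherwise.
find_dangling_exe_rules() {
    status=0
    while IFS= read -r rule; do
        # Only rules carrying an exe filter are of interest; watch rules
        # (-w) and syscall rules without exe= are skipped.
        case "$rule" in
            *"-F exe="*) ;;
            *) continue ;;
        esac
        # Take the value after "-F exe=" up to the next blank. auditctl
        # prints the path unquoted, so this matches its -l output.
        exe=${rule#*-F exe=}
        exe=${exe%% *}
        if [ ! -e "$exe" ]; then
            printf 'dangling: %s\n' "$rule"
            status=1
        fi
    done
    return "$status"
}
```

The function only inspects the listing; it does not modify rules. A non-zero exit signals that at least one rule points at a deleted executable, which is the condition under which the quoted deletion failure appears.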
Thread overview: 9+ messages
2026-04-14 20:00 [PATCH 0/2] audit: fix recursive locking deadlock and dangling rule removal Ricardo Robaina
2026-04-14 20:00 ` [PATCH 1/2] audit: fix recursive locking deadlock in audit_dupe_exe() Ricardo Robaina
2026-04-15 18:21 ` Richard Guy Briggs
2026-05-12 19:12 ` Paul Moore
2026-05-13 21:02 ` Ricardo Robaina
2026-04-14 20:00 ` [PATCH 2/2] audit: fix removal of dangling executable rules Ricardo Robaina
2026-04-15 18:22 ` Richard Guy Briggs
2026-05-12 19:12 ` Paul Moore [this message]
2026-05-13 21:04 ` Ricardo Robaina