From: Richard Guy Briggs <rgb@redhat.com>
To: Ricardo Robaina <rrobaina@redhat.com>
Cc: audit@vger.kernel.org, linux-kernel@vger.kernel.org,
paul@paul-moore.com, eparis@redhat.com, longman@redhat.com
Subject: Re: [PATCH 2/2] audit: fix removal of dangling executable rules
Date: Wed, 15 Apr 2026 14:22:28 -0400
Message-ID: <ad/XZJ9WtvfMIo0i@madcap2.tricolour.ca>
In-Reply-To: <c5fd6163fd285fca25460ce821f95b15383f920a.1776176104.git.rrobaina@redhat.com>

On 2026-04-14 17:00, Ricardo Robaina wrote:
> When an audited executable is deleted from the disk, its dentry
> becomes negative. Any later attempt to delete the associated audit
> rule will lead to audit_alloc_mark() encountering this negative
> dentry and immediately aborting, returning -ENOENT.
>
> This early abort prevents the subsystem from allocating the temporary
> fsnotify mark needed to construct the search key, meaning the kernel
> cannot find the existing rule in its own lists to delete it. This
> leaves a dangling rule in memory, resulting in the following error
> while attempting to delete the rule:
>
> # ./audit-dupe-exe-deadlock.sh
> No rules
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> # auditctl -l
> -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
>
> # auditctl -D
> Error deleting rule (No such file or directory)
> There was an error while processing parameters
>
> This patch fixes this issue by removing the d_really_is_negative()
> check. By doing so, a dummy mark can be successfully generated for
> the deleted path, which allows the audit subsystem to properly match
> and flush the dangling rule.
>
> Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> Acked-by: Waiman Long <longman@redhat.com>
> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> kernel/audit_fsnotify.c | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
> index eee589bca86e..703a110cebd4 100644
> --- a/kernel/audit_fsnotify.c
> +++ b/kernel/audit_fsnotify.c
> @@ -86,10 +86,6 @@ struct audit_fsnotify_mark *audit_alloc_mark(struct audit_krule *krule, char *pa
> dentry = kern_path_parent(pathname, &path);
> if (IS_ERR(dentry))
> return ERR_CAST(dentry); /* returning an error */
> - if (d_really_is_negative(dentry)) {
> - audit_mark = ERR_PTR(-ENOENT);
> - goto out;
> - }
> }
>
> audit_mark = kzalloc_obj(*audit_mark);
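Review bot: the removal of the d_really_is_negative() test right after kern_path_parent() leaves no comment saying that audit_alloc_mark() now continues on purpose with a negative dentry, so a later reader could easily put the check back. A short comment at that spot stating that a negative dentry is accepted so a rule for a deleted executable can still be matched and removed would prevent that. The hunk ends at the kzalloc_obj() call, so it is not visible here whether the code that follows reads the dentry's inode; that is worth confirming and noting in the commit message. The message also describes only rule deletion; if the same function is reached when a rule is added, it should say whether accepting a path that does not exist is intended there as well.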
> --
> 2.53.0
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570