* [PATCH git] fix missing records when watched files removed
@ 2006-06-01 23:14 Amy Griffis
  2006-06-02 12:55 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Amy Griffis @ 2006-06-01 23:14 UTC (permalink / raw)
  To: linux-audit

audit_update_watch() invalidates rule data early, before we hit the
syscall exit filter.  This means audit fails to emit records when
watched files or directories are removed.  Fix by calling
audit_filter_inodes() right before the update.

Al, please fold this one in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>

diff --git a/kernel/audit.h b/kernel/audit.h
index 125aebe..f337845 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,6 +126,9 @@ extern void audit_free_parent(struct ino
 extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
 				const char *, struct inode *);
 extern int selinux_audit_rule_update(void);
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+					    struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void __audit_signal_info(int sig, struct task_struct *t);
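Review bot: The two new extern declarations are placed above the `#ifdef CONFIG_AUDITSYSCALL` block that begins on the next line, but both functions are defined in kernel/auditsc.c, which as far as I can tell is only compiled when CONFIG_AUDITSYSCALL is set, while their new caller audit_update_watch() lives in kernel/auditfilter.c and is built under plain CONFIG_AUDIT. A CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n configuration would therefore compile but fail to link. I would move the two declarations inside the `#ifdef CONFIG_AUDITSYSCALL` branch and give the `#else` side no-op stubs, `#define audit_filter_inodes(t,c) AUDIT_DISABLED` and `#define audit_set_auditable(c)`, so the `== AUDIT_RECORD_CONTEXT` test at the call site simply fails and no context is touched when syscall auditing is compiled out.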
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7609694..ff85fee 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -26,6 +26,7 @@ #include <linux/mutex.h>
 #include <linux/fs.h>
 #include <linux/namei.h>
 #include <linux/netlink.h>
+#include <linux/sched.h>
 #include <linux/inotify.h>
 #include <linux/selinux.h>
 #include "audit.h"
@@ -736,7 +737,7 @@ static struct audit_entry *audit_dupe_ru
 /* Update inode info in audit rules based on filesystem event. */
 static inline void audit_update_watch(struct audit_parent *parent,
 				      const char *dname, dev_t dev,
-				      unsigned long ino)
+				      unsigned long ino, unsigned invalidating)
 {
 	struct audit_watch *owatch, *nwatch, *nextw;
 	struct audit_krule *r, *nextr;
@@ -748,6 +749,12 @@ static inline void audit_update_watch(st
 		if (audit_compare_dname_path(dname, owatch->path))
 			continue;
 
+		/* If the update involves invalidating rules, do the inode-based
+		 * filtering now, so we don't omit records. */
+		if (invalidating &&
+		    audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+			audit_set_auditable(current->audit_context);
+
 		nwatch = audit_dupe_watch(owatch);
 		if (unlikely(IS_ERR(nwatch))) {
 			mutex_unlock(&audit_filter_mutex);
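Review bot: `current->audit_context` is handed to audit_filter_inodes() and audit_set_auditable() without a NULL check; a task whose syscall context was never allocated (auditing not applied to it, which is how auditsc.c sets up contexts as far as I recall) will have a NULL pointer here, and audit_filter_inodes(), which per its header comment walks the context's audit_names[], and audit_set_auditable(), which writes ctx->auditable, would both dereference it. This path is reached from the inotify event handler, so presumably in the context of whatever task performed the unlink or rename, which need not be an audited one. The fix is one extra term on the condition: `if (invalidating && current->audit_context &&`. The body of audit_update_watch() continues past the end of the hunk.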
@@ -1523,9 +1530,9 @@ void audit_handle_ievent(struct inotify_
 
 	if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
 		audit_update_watch(parent, dname, inode->i_sb->s_dev,
-				   inode->i_ino);
+				   inode->i_ino, 0);
 	else if (mask & (IN_DELETE|IN_MOVED_FROM))
-		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1);
+		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
 	/* inotify automatically removes the watch and sends IN_IGNORED */
 	else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
 		audit_remove_parent_watches(parent);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f4b09a3..4858bdd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -417,8 +417,8 @@ static enum audit_state audit_filter_sys
  * buckets applicable to the inode numbers in audit_names[].
  * Regarding audit_state, same rules apply as for audit_filter_syscall().
  */
-static enum audit_state audit_filter_inodes(struct task_struct *tsk,
-					     struct audit_context *ctx)
+enum audit_state audit_filter_inodes(struct task_struct *tsk,
+				     struct audit_context *ctx)
 {
 	int i;
 	struct audit_entry *e;
@@ -450,6 +450,11 @@ static enum audit_state audit_filter_ino
 	return AUDIT_BUILD_CONTEXT;
 }
 
+void audit_set_auditable(struct audit_context *ctx)
+{
+	ctx->auditable = 1;
+}
+
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 						      int return_valid,
 						      int return_code)
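Review bot: audit_set_auditable() is newly exported from this file but carries no comment and dereferences ctx unconditionally, so a reader of the header cannot tell that a NULL context is not tolerated. Since its only caller (audit_update_watch() in auditfilter.c) passes `current->audit_context`, I would document the contract above the definition: `/* Force ctx to be emitted at syscall exit; ctx must not be NULL. */`. If the function is meant to be safe to call from any path, `if (ctx) ctx->auditable = 1;` would make that explicit instead.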


* Re: [PATCH git] fix missing records when watched files removed
  2006-06-01 23:14 [PATCH git] fix missing records when watched files removed Amy Griffis
@ 2006-06-02 12:55 ` Steve Grubb
  2006-06-02 14:14   ` Amy Griffis
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2006-06-02 12:55 UTC (permalink / raw)
  To: linux-audit

On Thursday 01 June 2006 19:14, Amy Griffis wrote:
>
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 7609694..ff85fee 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -26,6 +26,7 @@ #include <linux/mutex.h>
>  #include <linux/fs.h>
>  #include <linux/namei.h>
>  #include <linux/netlink.h>
> +#include <linux/sched.h>

What is sched.h used for?


-Steve


* Re: [PATCH git] fix missing records when watched files removed
  2006-06-02 12:55 ` Steve Grubb
@ 2006-06-02 14:14   ` Amy Griffis
  0 siblings, 0 replies; 3+ messages in thread
From: Amy Griffis @ 2006-06-02 14:14 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Fri, Jun 02, 2006 at 08:55:24AM -0400, Steve Grubb wrote:
> On Thursday 01 June 2006 19:14, Amy Griffis wrote:
> >
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 7609694..ff85fee 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -26,6 +26,7 @@ #include <linux/mutex.h>
> >  #include <linux/fs.h>
> >  #include <linux/namei.h>
> >  #include <linux/netlink.h>
> > +#include <linux/sched.h>
> 
> What is sched.h used for?

So we can use 'current'.

