From mboxrd@z Thu Jan  1 00:00:00 1970
From: Amy Griffis <amy.griffis@hp.com>
Subject: [PATCH git] fix missing records when watched files removed
Date: Thu, 1 Jun 2006 19:14:40 -0400
Message-ID: <20060601231440.GA4557@zk3.dec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k51NEmcc020685
	for <linux-audit@redhat.com>; Thu, 1 Jun 2006 19:14:48 -0400
Received: from atlrel9.hp.com (atlrel9.hp.com [156.153.255.214])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k51NEjMO018121
	for <linux-audit@redhat.com>; Thu, 1 Jun 2006 19:14:45 -0400
Received: from atarelint01.atl.hp.com (atarelint01.atl.hp.com [15.45.89.136])
	by atlrel9.hp.com (Postfix) with ESMTP id 79F7A349BB
	for <linux-audit@redhat.com>; Thu,  1 Jun 2006 19:14:40 -0400 (EDT)
Received: from dill.zko.hp.com (dill.zko.hp.com [16.116.96.242])
	by atarelint01.atl.hp.com (Postfix) with ESMTP id 57A203401C
	for <linux-audit@redhat.com>; Thu,  1 Jun 2006 19:14:40 -0400 (EDT)
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

audit_update_watch() invalidates rule data early, before we hit the
syscall exit filter.  This means audit fails to emit records when
watched files or directories are removed.  Fix by calling
audit_filter_inodes() right before the update.

Al, please fold this one in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>

diff --git a/kernel/audit.h b/kernel/audit.h
index 125aebe..f337845 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,6 +126,9 @@ extern void audit_free_parent(struct ino
 extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
 				const char *, struct inode *);
 extern int selinux_audit_rule_update(void);
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+					    struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void __audit_signal_info(int sig, struct task_struct *t);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7609694..ff85fee 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -26,6 +26,7 @@ #include <linux/mutex.h>
 #include <linux/fs.h>
 #include <linux/namei.h>
 #include <linux/netlink.h>
+#include <linux/sched.h>
 #include <linux/inotify.h>
 #include <linux/selinux.h>
 #include "audit.h"
@@ -736,7 +737,7 @@ static struct audit_entry *audit_dupe_ru
 /* Update inode info in audit rules based on filesystem event. */
 static inline void audit_update_watch(struct audit_parent *parent,
 				      const char *dname, dev_t dev,
-				      unsigned long ino)
+				      unsigned long ino, unsigned invalidating)
 {
 	struct audit_watch *owatch, *nwatch, *nextw;
 	struct audit_krule *r, *nextr;
@@ -748,6 +749,12 @@ static inline void audit_update_watch(st
 		if (audit_compare_dname_path(dname, owatch->path))
 			continue;
 
+		/* If the update involves invalidating rules, do the inode-based
+		 * filtering now, so we don't omit records. */
+		if (invalidating &&
+		    audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+			audit_set_auditable(current->audit_context);
+
 		nwatch = audit_dupe_watch(owatch);
 		if (unlikely(IS_ERR(nwatch))) {
 			mutex_unlock(&audit_filter_mutex);
@@ -1523,9 +1530,9 @@ void audit_handle_ievent(struct inotify_
 
 	if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
 		audit_update_watch(parent, dname, inode->i_sb->s_dev,
-				   inode->i_ino);
+				   inode->i_ino, 0);
 	else if (mask & (IN_DELETE|IN_MOVED_FROM))
-		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1);
+		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
 	/* inotify automatically removes the watch and sends IN_IGNORED */
 	else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
 		audit_remove_parent_watches(parent);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f4b09a3..4858bdd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -417,8 +417,8 @@ static enum audit_state audit_filter_sys
  * buckets applicable to the inode numbers in audit_names[].
  * Regarding audit_state, same rules apply as for audit_filter_syscall().
  */
-static enum audit_state audit_filter_inodes(struct task_struct *tsk,
-					     struct audit_context *ctx)
+enum audit_state audit_filter_inodes(struct task_struct *tsk,
+				     struct audit_context *ctx)
 {
 	int i;
 	struct audit_entry *e;
@@ -450,6 +450,11 @@ static enum audit_state audit_filter_ino
 	return AUDIT_BUILD_CONTEXT;
 }
 
+void audit_set_auditable(struct audit_context *ctx)
+{
+	ctx->auditable = 1;
+}
+
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 						      int return_valid,
 						      int return_code)