* Re: [PATCH] audit_tree: keep inode pinned [not found] <20141104102712.GA7088@tucsk.piliscsaba.szeredi.hu> @ 2014-11-05 16:58 ` Richard Guy Briggs 2014-11-05 19:36 ` Miklos Szeredi 2014-11-11 19:47 ` Paul Moore 1 sibling, 1 reply; 4+ messages in thread From: Richard Guy Briggs @ 2014-11-05 16:58 UTC (permalink / raw) To: Miklos Szeredi Cc: Eric Paris, Al Viro, Linux Kernel Mailing List, linux-audit On 14/11/04, Miklos Szeredi wrote: > From: Miklos Szeredi <mszeredi@suse.cz> Hi Miklos, > Audit rules disappear when an inode they watch is evicted from the cache. > This is likely not what we want. > > The guilty commit is "fsnotify: allow marks to not pin inodes in core", > which didn't take into account that audit_tree adds watches with a zero > mask. > > Adding any mask should fix this. Nice find! Do you have a quick reproducer to detect this? > Fixes: 90b1e7a57880 ("fsnotify: allow marks to not pin inodes in core") > Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> > Cc: stable@vger.kernel.org # 2.6.36+ > --- > kernel/audit_tree.c | 1 + > 1 file changed, 1 insertion(+) > > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(i > chunk->owners[i].index = i; > } > fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch); > + chunk->mark.mask = FS_IN_IGNORED; > return chunk; > } > - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 4+ messages in thread
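Review bot: The added line "chunk->mark.mask = FS_IN_IGNORED;" in alloc_chunk() carries no comment, and the commit message says only that "any mask" fixes the problem, so nothing in the code tells a later reader that the value is there solely to make the mask non-zero and keep the inode pinned. Put a one-line comment above the assignment saying so, and state in the commit message why FS_IN_IGNORED was picked over the other bits, so that a later cleanup that resets the mask to zero does not quietly bring back the disappearing rules.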
* Re: [PATCH] audit_tree: keep inode pinned
  2014-11-05 16:58 ` [PATCH] audit_tree: keep inode pinned Richard Guy Briggs
@ 2014-11-05 19:36   ` Miklos Szeredi
  2014-11-12 17:30     ` Richard Guy Briggs
  0 siblings, 1 reply; 4+ messages in thread
From: Miklos Szeredi @ 2014-11-05 19:36 UTC
To: Richard Guy Briggs
Cc: Eric Paris, Al Viro, Linux Kernel Mailing List, linux-audit

On Wed, Nov 5, 2014 at 5:58 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 14/11/04, Miklos Szeredi wrote:
>> From: Miklos Szeredi <mszeredi@suse.cz>
>
> Hi Miklos,
>
>> Audit rules disappear when an inode they watch is evicted from the cache.
>> This is likely not what we want.
>>
>> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
>> which didn't take into account that audit_tree adds watches with a zero
>> mask.
>>
>> Adding any mask should fix this.
>
> Nice find! Do you have a quick reproducer to detect this?

- reboot
- add tree rule
- echo 2 > /proc/sys/vm/drop_caches

drop_caches doesn't guarantee dropping the inode from the cache, but
after a reboot it usually does.

Thanks,
Miklos
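The three reproducer steps above, written as a regression check; this is an added example, not part of the thread or of the kernel tree. It assumes auditctl is installed, that it is run as root shortly after boot, and that a lost tree rule drops out of the `auditctl -l` listing; the key name and the sample listing are made up for the example.

```sh
#!/bin/sh
# Regression check for the reproducer: add a tree rule, drop caches,
# then confirm the rule is still listed.
# Assumptions (not from the thread): root, auditctl available, and a
# vanished tree rule no longer appears in `auditctl -l`.

KEY=tree-pin-test   # hypothetical rule key, used only by this example

# Constructed sample of `auditctl -l` output, for checking the parser offline.
SAMPLE_LISTING='-a always,exit -S all -F dir=/srv/data -F perm=wa -F key=tree-pin-test
-w /etc/passwd -p wa -k identity'

# rule_listed LISTING DIR: succeed if LISTING holds a rule with the exact
# field dir=DIR (whole-field match, so /srv/dat does not match /srv/data).
rule_listed() {
    printf '%s\n' "$1" | awk -v want="dir=${2%/}" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# check_tree_rule DIR: 0 = rule survived, 1 = rule vanished, 2 = setup failed.
check_tree_rule() {
    dir=${1%/}
    auditctl -a always,exit -F "dir=$dir" -F perm=wa -k "$KEY" || return 2
    rule_listed "$(auditctl -l)" "$dir" || return 2
    echo 2 > /proc/sys/vm/drop_caches   # may not evict the inode every time
    if rule_listed "$(auditctl -l)" "$dir"; then status=0; else status=1; fi
    # Clean up; fails harmlessly if the kernel already removed the rule.
    auditctl -d always,exit -F "dir=$dir" -F perm=wa -k "$KEY" 2>/dev/null
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    check_tree_rule "${2:?usage: $0 --run DIR}"
    case $? in
        0) echo "PASS: tree rule still listed after drop_caches" ;;
        1) echo "FAIL: tree rule disappeared after drop_caches"; exit 1 ;;
        *) echo "ERROR: could not install or list the rule"; exit 2 ;;
    esac
fi
```

A PASS on an unpatched kernel is not conclusive, since drop_caches does not guarantee eviction; a FAIL is.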
* Re: [PATCH] audit_tree: keep inode pinned
  2014-11-05 19:36   ` Miklos Szeredi
@ 2014-11-12 17:30     ` Richard Guy Briggs
  0 siblings, 0 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2014-11-12 17:30 UTC
To: Miklos Szeredi
Cc: Eric Paris, Al Viro, Linux Kernel Mailing List, linux-audit

On 14/11/05, Miklos Szeredi wrote:
> On Wed, Nov 5, 2014 at 5:58 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 14/11/04, Miklos Szeredi wrote:
> >> From: Miklos Szeredi <mszeredi@suse.cz>
> >
> > Hi Miklos,
> >
> >> Audit rules disappear when an inode they watch is evicted from the cache.
> >> This is likely not what we want.
> >>
> >> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
> >> which didn't take into account that audit_tree adds watches with a zero
> >> mask.
> >>
> >> Adding any mask should fix this.
> >
> > Nice find! Do you have a quick reproducer to detect this?
>
> - reboot
> - add tree rule
> - echo 2 > /proc/sys/vm/drop_caches
>
> drop_caches doesn't guarantee dropping the inode from the cache, but
> after a reboot it usually does.

Perfect, thanks! That works as expected.

While I was at it, I checked the audit_watch code and the pending
"filter on process name" patches to make sure they didn't have the same
problem.

> Thanks,
> Miklos

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
* Re: [PATCH] audit_tree: keep inode pinned [not found] <20141104102712.GA7088@tucsk.piliscsaba.szeredi.hu> 2014-11-05 16:58 ` [PATCH] audit_tree: keep inode pinned Richard Guy Briggs @ 2014-11-11 19:47 ` Paul Moore 1 sibling, 0 replies; 4+ messages in thread From: Paul Moore @ 2014-11-11 19:47 UTC (permalink / raw) To: Miklos Szeredi Cc: Eric Paris, Al Viro, Linux Kernel Mailing List, linux-audit, rgb On Tue, Nov 4, 2014 at 5:27 AM, Miklos Szeredi <miklos@szeredi.hu> wrote: > From: Miklos Szeredi <mszeredi@suse.cz> > > Audit rules disappear when an inode they watch is evicted from the cache. > This is likely not what we want. > > The guilty commit is "fsnotify: allow marks to not pin inodes in core", > which didn't take into account that audit_tree adds watches with a zero > mask. > > Adding any mask should fix this. > > Fixes: 90b1e7a57880 ("fsnotify: allow marks to not pin inodes in core") > Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> > Cc: stable@vger.kernel.org # 2.6.36+ > --- > kernel/audit_tree.c | 1 + > 1 file changed, 1 insertion(+) Thanks for your help on this, I've merged this into the audit stable-3.18 branch; I plan on pushing this to Linus later this week. * git://git.infradead.org/users/pcmoore/audit stable-3.18 > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(i > chunk->owners[i].index = i; > } > fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch); > + chunk->mark.mask = FS_IN_IGNORED; > return chunk; > } -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 4+ messages in thread