* Re: [PATCH 2/2] audit: fix removal of dangling executable rules
       [not found] <c5fd6163fd285fca25460ce821f95b15383f920a.1776176104.git.rrobaina@redhat.com>
From: Paul Moore @ 2026-05-12 19:12 UTC
To: Ricardo Robaina, audit, linux-kernel
Cc: eparis, rgb, longman, Ricardo Robaina

On Apr 14, 2026 Ricardo Robaina <rrobaina@redhat.com> wrote:
>
> When an audited executable is deleted from the disk, its dentry
> becomes negative. Any later attempt to delete the associated audit
> rule will lead to audit_alloc_mark() encountering this negative
> dentry and immediately aborting, returning -ENOENT.
>
> This early abort prevents the subsystem from allocating the temporary
> fsnotify mark needed to construct the search key, meaning the kernel
> cannot find the existing rule in its own lists to delete it. This
> leaves a dangling rule in memory, resulting in the following error
> while attempting to delete the rule:
>
>     # ./audit-dupe-exe-deadlock.sh
>     No rules
>     Error deleting rule (No such file or directory)
>     There was an error while processing parameters
>
>     # auditctl -l
>     -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
>
>     # auditctl -D
>     Error deleting rule (No such file or directory)
>     There was an error while processing parameters
>
> This patch fixes this issue by removing the d_really_is_negative()
> check. By doing so, a dummy mark can be successfully generated for
> the deleted path, which allows the audit subsystem to properly match
> and flush the dangling rule.
>
> Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> Acked-by: Waiman Long <longman@redhat.com>
> Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit_fsnotify.c | 4 ----
>  1 file changed, 4 deletions(-)

Good catch. I might reorder the patchset so this patch comes first
in the patchset, but this isn't a big deal either way.

--
paul-moore.com

* Re: [PATCH 2/2] audit: fix removal of dangling executable rules
From: Ricardo Robaina @ 2026-05-13 21:04 UTC
To: Paul Moore
Cc: audit, linux-kernel, eparis, rgb, longman

On Tue, May 12, 2026 at 4:12 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Apr 14, 2026 Ricardo Robaina <rrobaina@redhat.com> wrote:
> >
> > When an audited executable is deleted from the disk, its dentry
> > becomes negative. Any later attempt to delete the associated audit
> > rule will lead to audit_alloc_mark() encountering this negative
> > dentry and immediately aborting, returning -ENOENT.
> >
> > This early abort prevents the subsystem from allocating the temporary
> > fsnotify mark needed to construct the search key, meaning the kernel
> > cannot find the existing rule in its own lists to delete it. This
> > leaves a dangling rule in memory, resulting in the following error
> > while attempting to delete the rule:
> >
> >     # ./audit-dupe-exe-deadlock.sh
> >     No rules
> >     Error deleting rule (No such file or directory)
> >     There was an error while processing parameters
> >
> >     # auditctl -l
> >     -a always,exit -S all -F exe=/tmp/file -F path=/tmp/file -F key=dr
> >
> >     # auditctl -D
> >     Error deleting rule (No such file or directory)
> >     There was an error while processing parameters
> >
> > This patch fixes this issue by removing the d_really_is_negative()
> > check. By doing so, a dummy mark can be successfully generated for
> > the deleted path, which allows the audit subsystem to properly match
> > and flush the dangling rule.
> >
> > Fixes: 76a53de6f7ff ("VFS/audit: introduce kern_path_parent() for audit")
> > Acked-by: Waiman Long <longman@redhat.com>
> > Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
> > Acked-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit_fsnotify.c | 4 ----
> >  1 file changed, 4 deletions(-)
>
> Good catch. I might reorder the patchset so this patch comes first
> in the patchset, but this isn't a big deal either way.
>
> --
> paul-moore.com
>

I'm sending the v2 reordered. Thanks for reviewing it as well!
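
A check for the condition the quoted commit message describes, as an added example that is not part of the thread or the patch: it reads rules in `auditctl -l` format and reports those whose `exe=` target no longer exists on disk. The function names are hypothetical, the sample rules are constructed, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: report audit rules whose -F exe= target no longer exists.
# Reads rules in `auditctl -l` format on stdin and prints "<path>\t<rule>"
# for each affected rule. Assumes exe= paths contain no whitespace.
# Live use (as root): auditctl -l | find_dangling_exe_rules

find_dangling_exe_rules() {
    while IFS= read -r rule; do
        # Pull out the value of the -F exe= field; empty if the rule has none.
        exe=$(printf '%s\n' "$rule" | sed -n 's/.*-F exe=\([^ ]*\).*/\1/p')
        [ -n "$exe" ] || continue
        # A missing target is the state in which the thread reports
        # rule deletion failing with "No such file or directory".
        if [ ! -e "$exe" ]; then
            printf '%s\t%s\n' "$exe" "$rule"
        fi
    done
}

# Demo on constructed rules: one live target, one deleted target, one watch.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/present"
    printf '%s\n' \
        "-a always,exit -S all -F exe=$dir/present -F key=ok" \
        "-a always,exit -S all -F exe=$dir/deleted -F path=$dir/deleted -F key=dr" \
        "-w /etc/passwd -p wa -k identity" | find_dangling_exe_rules
    rm -rf "$dir"
}

demo
```

Rules it reports are candidates for the failed-deletion behaviour shown in the `auditctl -D` output above on kernels without the fix.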