diff options
| author | Jan Kara <jack@suse.cz> | 2017-08-15 07:00:37 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-08-15 16:03:00 -0400 |
| commit | b5fed474b98332559f2590c6bc90388a0899e793 (patch) | |
| tree | 4f7cd528a01280492744ff415ba745f62a02ecfc | |
| parent | d76036ab47eafa6ce52b69482e91ca3ba337d6d6 (diff) | |
audit: Receive unmount event
Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
not part of AUDIT_FS_WATCH mask and thus such event never gets to
audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
subsystem on unmount without audit being notified about that which leads
to a strange state of existing audit rules with dead fsnotify marks.
Add FS_UNMOUNT to the mask of events to be received so that audit can
clean up its state accordingly.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | kernel/audit_watch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 1c7ded42f82f..d1b5857b7e33 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c | |||
| @@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group; | |||
| 66 | 66 | ||
| 67 | /* fsnotify events we care about. */ | 67 | /* fsnotify events we care about. */ |
| 68 | #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\ | 68 | #define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\ |
| 69 | FS_MOVE_SELF | FS_EVENT_ON_CHILD) | 69 | FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT) |
| 70 | 70 | ||
| 71 | static void audit_free_parent(struct audit_parent *parent) | 71 | static void audit_free_parent(struct audit_parent *parent) |
| 72 | { | 72 | { |