Skip to content

Commit

Permalink
audit: Receive unmount event
Browse files Browse the repository at this point in the history 
Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is
not part of AUDIT_FS_WATCH mask and thus such event never gets to
audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify
subsystem on unmount without audit being notified about that which leads
to a strange state of existing audit rules with dead fsnotify marks.

Add FS_UNMOUNT to the mask of events to be received so that audit can
clean up its state accordingly.

Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
  • Loading branch information
@jankara @pcmoore
jankara authored and pcmoore committed Aug 15, 2017
1 parent d76036a commit b5fed47
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion kernel/audit_watch.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;

/* fsnotify events we care about. */
#define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
FS_MOVE_SELF | FS_EVENT_ON_CHILD)
FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)

static void audit_free_parent(struct audit_parent *parent)
{
Expand Down

0 comments on commit b5fed47

Please sign in to comment.