[PATCH git] fix missing records when watched files removed

Thu Jun 1 23:14:40 UTC 2006

audit_update_watch() invalidates rule data early, before we hit the
syscall exit filter.  This means audit fails to emit records when
watched files or directories are removed.  Fix by calling
audit_filter_inodes() right before the update.

Al, please fold this one in with latest filesystem auditing patch
46c438b705c31284f31c64a0d18bf3bd6c62cde3.

Signed-off-by: Amy Griffis <amy.griffis at hp.com>

diff --git a/kernel/audit.h b/kernel/audit.h
index 125aebe..f337845 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -126,6 +126,9 @@ extern void audit_free_parent(struct ino
 extern void audit_handle_ievent(struct inotify_watch *, u32, u32, u32,
 				const char *, struct inode *);
 extern int selinux_audit_rule_update(void);
+extern enum audit_state audit_filter_inodes(struct task_struct *,
+					    struct audit_context *);
+extern void audit_set_auditable(struct audit_context *);
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void __audit_signal_info(int sig, struct task_struct *t);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 7609694..ff85fee 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -26,6 +26,7 @@ #include <linux/mutex.h>
 #include <linux/fs.h>
 #include <linux/namei.h>
 #include <linux/netlink.h>
+#include <linux/sched.h>
 #include <linux/inotify.h>
 #include <linux/selinux.h>
 #include "audit.h"
@@ -736,7 +737,7 @@ static struct audit_entry *audit_dupe_ru
 /* Update inode info in audit rules based on filesystem event. */
 static inline void audit_update_watch(struct audit_parent *parent,
 				      const char *dname, dev_t dev,
-				      unsigned long ino)
+				      unsigned long ino, unsigned invalidating)
 {
 	struct audit_watch *owatch, *nwatch, *nextw;
 	struct audit_krule *r, *nextr;
@@ -748,6 +749,12 @@ static inline void audit_update_watch(st
 		if (audit_compare_dname_path(dname, owatch->path))
 			continue;
 
+		/* If the update involves invalidating rules, do the inode-based
+		 * filtering now, so we don't omit records. */
+		if (invalidating &&
+		    audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
+			audit_set_auditable(current->audit_context);
+
 		nwatch = audit_dupe_watch(owatch);
 		if (unlikely(IS_ERR(nwatch))) {
 			mutex_unlock(&audit_filter_mutex);
@@ -1523,9 +1530,9 @@ void audit_handle_ievent(struct inotify_
 
 	if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
 		audit_update_watch(parent, dname, inode->i_sb->s_dev,
-				   inode->i_ino);
+				   inode->i_ino, 0);
 	else if (mask & (IN_DELETE|IN_MOVED_FROM))
-		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1);
+		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
 	/* inotify automatically removes the watch and sends IN_IGNORED */
 	else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
 		audit_remove_parent_watches(parent);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f4b09a3..4858bdd 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -417,8 +417,8 @@ static enum audit_state audit_filter_sys
  * buckets applicable to the inode numbers in audit_names[].
  * Regarding audit_state, same rules apply as for audit_filter_syscall().
  */
-static enum audit_state audit_filter_inodes(struct task_struct *tsk,
-					     struct audit_context *ctx)
+enum audit_state audit_filter_inodes(struct task_struct *tsk,
+				     struct audit_context *ctx)
 {
 	int i;
 	struct audit_entry *e;
@@ -450,6 +450,11 @@ static enum audit_state audit_filter_ino
 	return AUDIT_BUILD_CONTEXT;
 }
 
+void audit_set_auditable(struct audit_context *ctx)
+{
+	ctx->auditable = 1;
+}
+
 static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 						      int return_valid,
 						      int return_code)


