summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2017-08-15 13:00:37 +0200
committerPaul Moore <paul@paul-moore.com>2017-08-15 22:03:00 +0200
commitb5fed474b98332559f2590c6bc90388a0899e793 (patch)
tree4f7cd528a01280492744ff415ba745f62a02ecfc /kernel
parentaudit: Fix use after free in audit_remove_watch_rule() (diff)
downloadlinux-b5fed474b98332559f2590c6bc90388a0899e793.tar.xz
linux-b5fed474b98332559f2590c6bc90388a0899e793.zip
audit: Receive unmount event
Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is not part of AUDIT_FS_WATCH mask and thus such event never gets to audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify subsystem on unmount without audit being notified about that which leads to a strange state of existing audit rules with dead fsnotify marks. Add FS_UNMOUNT to the mask of events to be received so that audit can clean up its state accordingly. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/audit_watch.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 1c7ded42f82f..d1b5857b7e33 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
/* fsnotify events we care about. */
#define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
- FS_MOVE_SELF | FS_EVENT_ON_CHILD)
+ FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
static void audit_free_parent(struct audit_parent *parent)
{