On 2018-12-12 08:03, Paul Moore wrote: > On Fri, Nov 16, 2018 at 12:34 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > On user and remote filesystems, a forced umount can still hang due to > > attemting to fetch the fcaps of a mounted filesystem that is no longer > > available. > > > > These two patches take different approaches to address this, one by > > avoiding the lookup when the MNT_FORCE flag is included, the other by > > providing a method to filter out auditing specified types of filesystems. > > > > This can happen on ceph, cifs, 9p, lustre, fuse (gluster) or NFS. > > > > Arguably the better way to address this issue is to disable auditing > > processes that touch removable filesystems. > > Please see the github issue tracker > > https://github.com/linux-audit/audit-kernel/issues/100 > > > > Richard Guy Briggs (2): > > audit: avoid fcaps on MNT_FORCE > > audit: moar filter PATH records keyed on filesystem magic > > > > fs/namei.c | 2 +- > > fs/namespace.c | 3 +++ > > include/linux/audit.h | 8 ++++++-- > > kernel/audit.c | 5 +++-- > > kernel/audit.h | 2 +- > > kernel/auditsc.c | 29 ++++++++++++++++++++++++++--- > > 6 files changed, 40 insertions(+), 9 deletions(-) > > Just to get this out of the way, don't use "moar", spell it properly. > > Beyond that, it's not clear to me from your cover letter if you are > proposing these patches as an "or" or as an "and"; assuming the > patch(es) are reasonable, do you want us to merge both of these > patches, or only the one we like the most? I would like each one to be considered on its own merits. The second was discussed back when the logs were flooded with "(null)" PATH records due to debugfs and tracefs noise. Do you agree with the general concept or not? The first is being picked apart (rightfully) due to assumptions and choices made long ago in the audit system. So while it is still in far more flux than the second patch, I think it has the potential to fix the problem more correctly and permanently but in the process may challenge our rules about the format and invariability of audit records. The basic premise is to prevent audit from trying to get information (fcaps) from a filesystem that is likely to be far more ephemeral than local on-disk kernel filesystems or to fail to do so more gracefully. > paul moore - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635