On user and remote filesystems, a forced umount can still hang due to attemting to fetch the fcaps of a mounted filesystem that is no longer available. These two patches take different approaches to address this, one by avoiding the lookup when the MNT_FORCE flag is included, the other by providing a method to filter out auditing specified types of filesystems. This can happen on ceph, cifs, 9p, lustre, fuse (gluster) or NFS or any other userspace or remote filesystem. Arguably the better way to address this issue is to avoid auditing processes that touch removable filesystems. Please see the github issue tracker https://github.com/linux-audit/audit-kernel/issues/100 Passes audit-testsuite including ghak100 branch. Changelog: v2: - rebase on v5.0-rc1 audit/next - refactor 3 levels of *if* indentation down to 1 incl. orig - rename LOOKUP_NO_REVAL to LOOKUP_NO_EVAL to avoid existing usage conflict - don't depend on MNT_FORCE - rename AUDIT_INODE_NOREVAL to AUDIT_INODE_NOREVAL to be consistent - rename lflags to flags and flags to aflags - document LOOKUP_ flags - signal cap_* values unknown and set cap_* fields to "?" indicating so Richard Guy Briggs (2): audit: more filter PATH records keyed on filesystem magic audit: ignore fcaps on umount fs/namei.c | 2 +- fs/namespace.c | 2 ++ include/linux/audit.h | 15 ++++++++++----- include/linux/namei.h | 3 +++ kernel/audit.c | 10 +++++++++- kernel/audit.h | 2 +- kernel/auditsc.c | 41 ++++++++++++++++++++++++++++++----------- 7 files changed, 56 insertions(+), 19 deletions(-) -- 1.8.3.1