On Wed, Jan 23, 2019 at 1:35 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> Like commit 42d5e37654e4 ("audit: filter PATH records keyed on
> filesystem magic") that addresses
> https://github.com/linux-audit/audit-kernel/issues/8
>
> Any user or remote filesystem could become unavailable and effectively
> block on a forced unmount.
>
> -a always,exit -S umount2 -F key=umount2
>
> Provide a method to ignore these user and remote filesystems to prevent
> them from being impossible to unmount.
>
> Extend the "AUDIT_FILTER_FS" filter that uses the field type
> AUDIT_FSTYPE keying off the filesystem 4-octet hexadecimal magic
> identifier to filter specific filesystems to cover audit_inode() to address
> this blockage.
>
> An example rule would look like:
> -a never,filesystem -F fstype=0x517B -F key=ignore_smb
> -a never,filesystem -F fstype=0x6969 -F key=ignore_nfs
>
> Arguably the better way to address this issue is to disable auditing
> processes that touch removable filesystems.
>
> Note: refactor __audit_inode_child() to remove two levels of if
> indentation.
>
> Please see the github issue tracker
> https://github.com/linux-audit/audit-kernel/issues/100
>
> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> ---
> kernel/auditsc.c | 35 +++++++++++++++++++++++++++--------
> 1 file changed, 27 insertions(+), 8 deletions(-)

Thanks, merged.

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b585ceb2f7a2..3d05d5fc6240 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1763,10 +1763,31 @@ void __audit_inode(struct filename *name, const struct dentry *dentry, > struct inode *inode = d_backing_inode(dentry); > struct audit_names *n; > bool parent = flags & AUDIT_INODE_PARENT; > + struct audit_entry *e; > + struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS]; > + int i; > > if (!context->in_syscall) > return; > > + rcu_read_lock(); > + if (!list_empty(list)) { > + list_for_each_entry_rcu(e, list, list) { > + for (i = 0; i < e->rule.field_count; i++) { > + struct audit_field *f = &e->rule.fields[i]; > + > + if (f->type == AUDIT_FSTYPE > + && audit_comparator(inode->i_sb->s_magic, > + f->op, f->val) > + && e->rule.action == AUDIT_NEVER) { > + rcu_read_unlock(); > + return; > + } > + } > + } > + } > + rcu_read_unlock(); > + > if (!name) > goto out_alloc; > > @@ -1875,14 +1896,12 @@ void __audit_inode_child(struct inode *parent, > for (i = 0; i < e->rule.field_count; i++) { > struct audit_field *f = &e->rule.fields[i]; > > - if (f->type == AUDIT_FSTYPE) { > - if (audit_comparator(parent->i_sb->s_magic, > - f->op, f->val)) { > - if (e->rule.action == AUDIT_NEVER) { > - rcu_read_unlock(); > - return; > - } > - } > + if (f->type == AUDIT_FSTYPE > + && audit_comparator(parent->i_sb->s_magic, > + f->op, f->val) > + && e->rule.action == AUDIT_NEVER) { > + rcu_read_unlock(); > + return; > } > } > } > -- > 1.8.3.1 > -- paul moore www.paul-moore.com
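Review bot: in the filter walk added to __audit_inode() (first hunk), a rule counts as matched as soon as one AUDIT_FSTYPE field passes audit_comparator(), so a rule carrying several fstype fields matches if any one of them does, and every other field type on the same rule is never evaluated; that mirrors the pre-existing loop in __audit_inode_child(), but it is not the all-fields-must-match semantics users expect from other audit lists, so either spell it out in the commit message and the filesystem-list documentation or require every field of the rule to match before returning. Two smaller points in the same hunk: the `if (!list_empty(list))` guard is redundant because list_for_each_entry_rcu() over an empty list already does nothing, and checking `e->rule.action == AUDIT_NEVER` before calling audit_comparator() would skip the comparator for rules that can never trigger the early return.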
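Review bot: after the refactor in __audit_inode_child() (second hunk) the condition is identical to the block just added to __audit_inode() apart from `parent->i_sb` versus `inode->i_sb`, and both functions now open-code the same rcu_read_lock() / list_for_each_entry_rcu() / rcu_read_unlock() walk with an unlock-and-return inside the inner loop; factoring that into one static helper that takes the super_block and returns whether the PATH record should be skipped (a name such as audit_filter_fs_type(sb) is only a suggestion here, not from the patch) would keep the two call sites from drifting apart. The indentation flattening itself preserves behaviour, and the rcu_read_unlock() before the early return is kept, which is correct.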
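The matching rules the commit message describes are easier to reason about when they can be run against a table of rules outside the kernel. The block below is an added example, not code from the patch, the kernel tree or the audit project: a user-space C model of the AUDIT_FILTER_FS walk the patch adds to __audit_inode(). The names audit_rule, audit_field, fs_filter_drops() and the three rule tables are assumptions made here; the comparator operators follow the kernel's audit_comparator(), and the magic numbers are the ones used in the example rules plus ext4's. It goes one step beyond the commit message by also showing what an "always" rule and a "!=" rule do on this list.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of the
 * AUDIT_FILTER_FS walk that the patch adds to __audit_inode().  The type and
 * function names below are assumptions made for this example; the comparator
 * semantics follow the kernel's audit_comparator().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Filesystem magic numbers: the two from the commit message plus ext4. */
#define SMB_SUPER_MAGIC  0x517BU
#define NFS_SUPER_MAGIC  0x6969U
#define EXT4_SUPER_MAGIC 0xEF53U

enum field_type { F_FSTYPE, F_KEY };   /* only F_FSTYPE is consulted by the walk */
enum audit_op  { Audit_equal, Audit_not_equal, Audit_bitmask, Audit_bittest,
                 Audit_lt, Audit_gt, Audit_le, Audit_ge };
enum rule_action { AUDIT_NEVER, AUDIT_ALWAYS };

struct audit_field { enum field_type type; enum audit_op op; uint32_t val; };
struct audit_rule  { enum rule_action action; int field_count; struct audit_field fields[4]; };

/* Same semantics as the kernel's audit_comparator(). */
static bool audit_comparator(uint32_t left, enum audit_op op, uint32_t right)
{
    switch (op) {
    case Audit_equal:     return left == right;
    case Audit_not_equal: return left != right;
    case Audit_lt:        return left <  right;
    case Audit_le:        return left <= right;
    case Audit_gt:        return left >  right;
    case Audit_ge:        return left >= right;
    case Audit_bitmask:   return (left & right) != 0;
    case Audit_bittest:   return (left & right) == right;
    }
    return false;
}

/*
 * Mirrors the loop the patch adds: the PATH record is dropped as soon as ANY
 * AUDIT_FSTYPE field of ANY rule with action "never" matches s_magic.  Other
 * field types on the rule (the key, for instance) are never looked at, and a
 * rule with action "always" has no effect in this walk.
 */
bool fs_filter_drops(const struct audit_rule *rules, size_t nrules, uint32_t s_magic)
{
    for (size_t r = 0; r < nrules; r++) {
        const struct audit_rule *e = &rules[r];
        for (int i = 0; i < e->field_count; i++) {
            const struct audit_field *f = &e->fields[i];
            if (f->type == F_FSTYPE &&
                audit_comparator(s_magic, f->op, f->val) &&
                e->action == AUDIT_NEVER)
                return true;
        }
    }
    return false;
}

/* Constructed table: the commit message's two rules as a rule loader would store them. */
static const struct audit_rule ignore_remote[] = {
    /* -a never,filesystem -F fstype=0x517B -F key=ignore_smb */
    { AUDIT_NEVER, 2, { { F_FSTYPE, Audit_equal, SMB_SUPER_MAGIC }, { F_KEY, Audit_equal, 0 } } },
    /* -a never,filesystem -F fstype=0x6969 -F key=ignore_nfs */
    { AUDIT_NEVER, 2, { { F_FSTYPE, Audit_equal, NFS_SUPER_MAGIC }, { F_KEY, Audit_equal, 0 } } },
};

/* Constructed table: the same magic numbers, but with action "always". */
static const struct audit_rule always_remote[] = {
    { AUDIT_ALWAYS, 1, { { F_FSTYPE, Audit_equal, SMB_SUPER_MAGIC } } },
    { AUDIT_ALWAYS, 1, { { F_FSTYPE, Audit_equal, NFS_SUPER_MAGIC } } },
};

/* Constructed table: one "never" rule with "!=", i.e. keep PATH records only
 * for ext4.  Note before loading such a rule: it silences every other
 * filesystem, including / if the root filesystem is not ext4. */
static const struct audit_rule only_ext4[] = {
    { AUDIT_NEVER, 1, { { F_FSTYPE, Audit_not_equal, EXT4_SUPER_MAGIC } } },
};

/* Convenience wrappers over the three constructed tables. */
bool ignore_remote_drops(uint32_t s_magic)
{ return fs_filter_drops(ignore_remote, sizeof ignore_remote / sizeof *ignore_remote, s_magic); }
bool always_remote_drops(uint32_t s_magic)
{ return fs_filter_drops(always_remote, sizeof always_remote / sizeof *always_remote, s_magic); }
bool only_ext4_drops(uint32_t s_magic)
{ return fs_filter_drops(only_ext4, sizeof only_ext4 / sizeof *only_ext4, s_magic); }

int main(void)
{
    const struct { const char *name; uint32_t magic; } fs[] = {
        { "cifs", SMB_SUPER_MAGIC }, { "nfs", NFS_SUPER_MAGIC }, { "ext4", EXT4_SUPER_MAGIC },
    };
    for (size_t i = 0; i < sizeof fs / sizeof *fs; i++)
        printf("%-5s 0x%04X  ignore_remote:%d  always_remote:%d  only_ext4:%d\n",
               fs[i].name, fs[i].magic, ignore_remote_drops(fs[i].magic),
               always_remote_drops(fs[i].magic), only_ext4_drops(fs[i].magic));
    return 0;
}
```

The walk returns on the first matching fstype field of a "never" rule, so the key field on each rule is never consulted and an "always" rule on this list changes nothing. To find the magic number for a mounted filesystem before writing a rule, GNU coreutils' `stat -f -c %t /path` prints it in hex.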