Commit a252f56a authored Jan 23, 2019 by Richard Guy Briggs Committed by Paul Moore Jan 25, 2019

audit: more filter PATH records keyed on filesystem magic

Like commit 42d5e376 ("audit: filter PATH records keyed on
filesystem magic") that addresses
https://github.com/linux-audit/audit-kernel/issues/8

Any user or remote filesystem could become unavailable and effectively
block on a forced unmount.

    -a always,exit -S umount2 -F key=umount2

Provide a method to ignore these user and remote filesystems to prevent
them from being impossible to unmount.

Extend the "AUDIT_FILTER_FS" filter that uses the field type
AUDIT_FSTYPE keying off the filesystem 4-octet hexadecimal magic
identifier to filter specific filesystems to cover audit_inode() to address
this blockage.

An example rule would look like:
    -a never,filesystem -F fstype=0x517B -F key=ignore_smb
    -a never,filesystem -F fstype=0x6969 -F key=ignore_nfs

Arguably the better way to address this issue is to disable auditing
processes that touch removable filesystems.

Note: refactor __audit_inode_child() to remove two levels of if
indentation.

Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100



Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

parent 2fec30e2

kernel/auditsc.c

+27 −8

Original line number	Diff line number	Diff line
		@@ -1766,10 +1766,31 @@ void __audit_inode(struct filename name, const struct dentry dentry,
		struct inode *inode = d_backing_inode(dentry);
		struct audit_names *n;
		bool parent = flags & AUDIT_INODE_PARENT;
		struct audit_entry *e;
		struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
		int i;

		if (!context->in_syscall)
		return;

		rcu_read_lock();
		if (!list_empty(list)) {
		list_for_each_entry_rcu(e, list, list) {
		for (i = 0; i < e->rule.field_count; i++) {
		struct audit_field *f = &e->rule.fields[i];

		if (f->type == AUDIT_FSTYPE
		&& audit_comparator(inode->i_sb->s_magic,
		f->op, f->val)
		&& e->rule.action == AUDIT_NEVER) {
		rcu_read_unlock();
		return;
		}
		}
		}
		}
		rcu_read_unlock();

		if (!name)
		goto out_alloc;

		@@ -1878,18 +1899,16 @@ void __audit_inode_child(struct inode *parent,
		for (i = 0; i < e->rule.field_count; i++) {
		struct audit_field *f = &e->rule.fields[i];

		if (f->type == AUDIT_FSTYPE) {
		if (audit_comparator(parent->i_sb->s_magic,
		f->op, f->val)) {
		if (e->rule.action == AUDIT_NEVER) {
		if (f->type == AUDIT_FSTYPE
		&& audit_comparator(parent->i_sb->s_magic,
		f->op, f->val)
		&& e->rule.action == AUDIT_NEVER) {
		rcu_read_unlock();
		return;
		}
		}
		}
		}
		}
		}
		rcu_read_unlock();

		if (inode)

Admin message