audit: Receive unmount event
Although audit_watch_handle_event() can handle FS_UNMOUNT event, it is not part of AUDIT_FS_WATCH mask and thus such event never gets to audit_watch_handle_event(). Thus fsnotify marks are deleted by fsnotify subsystem on unmount without audit being notified about that which leads to a strange state of existing audit rules with dead fsnotify marks. Add FS_UNMOUNT to the mask of events to be received so that audit can clean up its state accordingly. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
d76036ab47
commit
b5fed474b9
|
@ -66,7 +66,7 @@ static struct fsnotify_group *audit_watch_group;
|
|||
|
||||
/* fsnotify events we care about. */
|
||||
#define AUDIT_FS_WATCH (FS_MOVE | FS_CREATE | FS_DELETE | FS_DELETE_SELF |\
|
||||
FS_MOVE_SELF | FS_EVENT_ON_CHILD)
|
||||
FS_MOVE_SELF | FS_EVENT_ON_CHILD | FS_UNMOUNT)
|
||||
|
||||
static void audit_free_parent(struct audit_parent *parent)
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue