audit: more filter PATH records keyed on filesystem magic
Like commit 42d5e37654
("audit: filter PATH records keyed on
filesystem magic") that addresses
https://github.com/linux-audit/audit-kernel/issues/8
Any user or remote filesystem could become unavailable and effectively
block on a forced unmount.
-a always,exit -S umount2 -F key=umount2
Provide a method to ignore these user and remote filesystems to prevent
them from being impossible to unmount.
Extend the "AUDIT_FILTER_FS" filter that uses the field type
AUDIT_FSTYPE keying off the filesystem 4-octet hexadecimal magic
identifier to filter specific filesystems to cover audit_inode() to address
this blockage.
An example rule would look like:
-a never,filesystem -F fstype=0x517B -F key=ignore_smb
-a never,filesystem -F fstype=0x6969 -F key=ignore_nfs
Arguably the better way to address this issue is to disable auditing
processes that touch removable filesystems.
Note: refactor __audit_inode_child() to remove two levels of if
indentation.
Please see the github issue tracker
https://github.com/linux-audit/audit-kernel/issues/100
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Родитель
2fec30e245
Коммит
a252f56a3c
|
@ -1766,10 +1766,31 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
|
|||
struct inode *inode = d_backing_inode(dentry);
|
||||
struct audit_names *n;
|
||||
bool parent = flags & AUDIT_INODE_PARENT;
|
||||
struct audit_entry *e;
|
||||
struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
|
||||
int i;
|
||||
|
||||
if (!context->in_syscall)
|
||||
return;
|
||||
|
||||
rcu_read_lock();
|
||||
if (!list_empty(list)) {
|
||||
list_for_each_entry_rcu(e, list, list) {
|
||||
for (i = 0; i < e->rule.field_count; i++) {
|
||||
struct audit_field *f = &e->rule.fields[i];
|
||||
|
||||
if (f->type == AUDIT_FSTYPE
|
||||
&& audit_comparator(inode->i_sb->s_magic,
|
||||
f->op, f->val)
|
||||
&& e->rule.action == AUDIT_NEVER) {
|
||||
rcu_read_unlock();
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
rcu_read_unlock();
|
||||
|
||||
if (!name)
|
||||
goto out_alloc;
|
||||
|
||||
|
@ -1878,14 +1899,12 @@ void __audit_inode_child(struct inode *parent,
|
|||
for (i = 0; i < e->rule.field_count; i++) {
|
||||
struct audit_field *f = &e->rule.fields[i];
|
||||
|
||||
if (f->type == AUDIT_FSTYPE) {
|
||||
if (audit_comparator(parent->i_sb->s_magic,
|
||||
f->op, f->val)) {
|
||||
if (e->rule.action == AUDIT_NEVER) {
|
||||
rcu_read_unlock();
|
||||
return;
|
||||
}
|
||||
}
|
||||
if (f->type == AUDIT_FSTYPE
|
||||
&& audit_comparator(parent->i_sb->s_magic,
|
||||
f->op, f->val)
|
||||
&& e->rule.action == AUDIT_NEVER) {
|
||||
rcu_read_unlock();
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче