WSL2-Linux-Kernel/include
Jan Kara 6ee8e25fc3 fsnotify: fix handling of renames in audit
Commit e9fd702a58 ("audit: convert audit watches to use fsnotify
instead of inotify") broke handling of renames in audit.  Audit code
wants to update inode number of an inode corresponding to watched name
in a directory.  When something gets renamed into a directory to a
watched name, inotify previously passed the moved inode to the audit code;
however, the new fsnotify code passes the directory inode where the change
happened.  That confuses audit and it starts watching the parent directory
instead of a file in the directory.

This can be observed for example by doing:

  cd /tmp
  touch foo bar
  auditctl -w /tmp/foo
  touch foo
  mv bar foo
  touch foo

In audit log we see events like:

  type=CONFIG_CHANGE msg=audit(1423563584.155:90): auid=1000 ses=2 op="updated rules" path="/tmp/foo" key=(null) list=4 res=1
  ...
  type=PATH msg=audit(1423563584.155:91): item=2 name="bar" inode=1046884 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
  type=PATH msg=audit(1423563584.155:91): item=3 name="foo" inode=1046842 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
  type=PATH msg=audit(1423563584.155:91): item=4 name="foo" inode=1046884 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
  ...

and that's it - we see an event for the first touch after creating the
audit rule, we see events for the rename but we don't see any event for the
last touch.  However, we start seeing events for unrelated stuff
happening in /tmp.

Fix the problem by passing the moved inode as data in the FS_MOVED_FROM and
FS_MOVED_TO events instead of the directory where the change happens.
This doesn't introduce any new problems because no one besides
audit_watch.c cares about the passed value:

  fs/notify/fanotify/fanotify.c cares only about FSNOTIFY_EVENT_PATH events.
  fs/notify/dnotify/dnotify.c doesn't care about passed 'data' value at all.
  fs/notify/inotify/inotify_fsnotify.c uses 'data' only for FSNOTIFY_EVENT_PATH.
  kernel/audit_tree.c doesn't care about passed 'data' at all.
  kernel/audit_watch.c expects moved inode as 'data'.

Fixes: e9fd702a58 ("audit: convert audit watches to use fsnotify instead of inotify")
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-10 14:30:28 -08:00
acpi ACPI / processor: Convert apic_id to phys_id to make it arch agnostic 2015-01-05 23:32:42 +01:00
asm-generic mm: mmu_gather: use tlb->end != 0 only for TLB invalidation 2015-01-13 15:20:40 +13:00
clocksource
crypto
drm Revert "drm/gem: Warn on illegal use of the dumb buffer interface v2" 2014-12-24 13:13:22 +10:00
dt-bindings ARM: dt: GIC: Spelling s/specific/specifier/, s/flaggs/flags/ 2015-01-13 13:48:16 -06:00
keys
kvm
linux fsnotify: fix handling of renames in audit 2015-02-10 14:30:28 -08:00
math-emu
media
memory
misc
net ipv6: fix sparse errors in ip6_make_flowlabel() 2015-02-05 00:42:28 -08:00
pcmcia
ras
rdma Revert "IB/core: Add support for extended query device caps" 2015-02-06 00:54:33 -08:00
rxrpc
scsi SCSI for-linus on 20141220 2014-12-20 13:42:57 -08:00
soc
sound ASoC: AC'97 fixes 2015-02-05 21:31:19 +01:00
target target: Drop left-over fabric_max_sectors attribute 2015-01-09 15:22:05 -08:00
trace Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-02-09 15:43:55 -08:00
uapi Revert "IB/core: Add support for extended query device caps" 2015-02-06 00:54:33 -08:00
video
xen x86/xen: properly retrieve NMI reason 2015-01-13 09:39:50 +00:00
Kbuild