When reading files inside a container, the `file_open` LSM hook gets triggered twice. Before this change, it resulted in threat alerts being issued twice in case the opened file matched a rule.

The only difference which can be spotted between `struct file` instances in both calls of `file_open` is an additional bit in `file->f_flags` during the second call.

When calling `cat /etc/shadow` inside a container, the `f_flags` are respectively:

- 131072 (0x1000000000000000000)
- 393216 (0x1100000000000000000)
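As an added illustration (not the project's own code), the following C snippet replays the two observed `f_flags` values from the page, derives the single bit that distinguishes the second `file_open` call, and shows one hypothetical way to collapse the pair into a single alert by alerting only on the call that lacks that bit. The rule-matching helper and the `file_open_should_alert` name are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The two f_flags values quoted on the page for `cat /etc/shadow`. */
#define F_FLAGS_FIRST_CALL   131072u   /* 0x20000 */
#define F_FLAGS_SECOND_CALL  393216u   /* 0x60000 */

/* The one bit present only in the second call (0x40000), derived by XOR. */
#define F_FLAGS_EXTRA_BIT (F_FLAGS_FIRST_CALL ^ F_FLAGS_SECOND_CALL)

/* Hypothetical detection rule: alert when /etc/shadow is opened. */
static bool path_matches_rule(const char *path)
{
    return strcmp(path, "/etc/shadow") == 0;
}

/*
 * Decide whether one file_open invocation should raise an alert.
 * Only the call without the extra bit alerts, so the observed pair of
 * invocations for the same open yields exactly one alert.
 */
bool file_open_should_alert(const char *path, unsigned int f_flags)
{
    if (!path_matches_rule(path))
        return false;
    return (f_flags & F_FLAGS_EXTRA_BIT) == 0;
}

/* Replay the two hook invocations seen on the page and count alerts. */
int count_alerts_for_observed_sequence(void)
{
    const unsigned int seq[] = { F_FLAGS_FIRST_CALL, F_FLAGS_SECOND_CALL };
    int alerts = 0;

    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (file_open_should_alert("/etc/shadow", seq[i]))
            alerts++;
    return alerts;
}
```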