Closed rgbriggs closed 5 years ago
Paul, please assign to me... ref bz1570612
Paul, please assign to me
Done.
Sorry for the delay (vacation).
2018-11-16: Posted v1 with updated testsuite PR: https://lkml.org/lkml/2018/11/16/840 https://www.redhat.com/archives/linux-audit/2018-November/msg00080.html https://github.com/linux-audit/audit-testsuite/pull/76
2019-01-25: v2.1/2 Staged in audit/next v5.0-rc1: a252f56a3c92 ("audit: more filter PATH records keyed on filesystem magic")
2019-01-30: v2.2/2 Staged in audit/next v5.0-rc1: 57d4657716ac ("audit: ignore fcaps on umount")
2019-02-01: Build failure in linux-next next-20190201 reported by natechancellor and sfr due to ARCH=arm and allyesconfig (as CONFIG_AUDITSYSCALL doesn't get selected) in 57d4657 ("audit: ignore fcaps on umount"): https://www.redhat.com/archives/linux-audit/2019-February/msg00012.html https://lkml.org/lkml/2019/2/1/803
kernel/audit.c: In function 'audit_copy_inode':
kernel/audit.c:2130:14: error: 'AUDIT_INODE_NOEVAL' undeclared
Fixed by moving audit_copy_inode to auditsc.c in ghak105 patch v3 (2/2): 5f3d544 ("audit: remove auditcontext when CONFIG AUDIT and not AUDITSYSCALL")
The process hangs when trying to unmount a missing filesystem (ceph, cifs, 9p, lustre, fuse (gluster) or NFS) when the task is auditable. This happens because user_path_mountpoint_at() calls audit_copy_inode() (via filename_mountpoint() and audit_inode()) which attempts to record the mounted filesystem's root directory fcaps to report in a PATH record.
Sample backtrace:
Steps to Reproduce:
OR
At this point the filesystem is hung (simulates network failure).
Normally this should succeed, but if audit is doing a getxattr, then it will hang. Note the comment above user_path_mountpoint_at() that warns:
Suggested solutions:
Upon reading the comment above user_path_mountpoint_at() this looks like a bad idea and at minimum the MNT_FORCE flag should signal to audit not to fetch the mount's root directory fcaps.
Address this the same way we addressed https://github.com/linux-audit/audit-kernel/issues/8 by allowing certain types of filesystems to be bypassed, adding this functionality to __audit_inode() the way it was implemented for __audit_inode_child().
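To see which mounts on a host belong to the filesystem types listed in the report without touching the filesystems themselves (a stat on a hung mount can block just like the getxattr does), the following added example parses /proc/self/mountinfo. It is not part of the issue or of the kernel patches; the function names and the sample data are constructed for illustration.

```python
import re

# Filesystem types named in the report. "fuse" also covers subtypes such as
# fuse.glusterfs, and NFS mounts appear as either "nfs" or "nfs4".
AT_RISK = {"ceph", "cifs", "9p", "lustre", "fuse", "nfs", "nfs4"}

# Constructed sample in /proc/self/mountinfo format (not taken from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
41 22 0:36 / /mnt/nfs rw,relatime shared:20 - nfs4 server.example:/export rw,hard
42 22 0:37 / /mnt/gluster rw,relatime shared:21 - fuse.glusterfs server.example:/vol rw
43 22 0:38 / /mnt/with\\040space rw,relatime - cifs //server.example/share rw
44 22 0:39 / /sys/kernel/debug rw,relatime shared:9 - debugfs debugfs rw
"""

def unescape(field):
    """Decode the \\ooo octal escapes mountinfo uses for space, tab, newline."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def is_at_risk(fstype):
    """True if fstype (or its base type before the '.') is in the report's list."""
    return fstype.split(".", 1)[0] in AT_RISK

def at_risk_mounts(mountinfo_text):
    """Return (mount point, fstype, source) for each mount of an affected type."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            # Fields 0-5 are fixed; zero or more optional fields follow and
            # end at a lone "-", after which come fstype and mount source.
            sep = fields.index("-", 6)
        except ValueError:
            continue  # blank, malformed or truncated line
        if len(fields) < sep + 3:
            continue
        fstype, source = fields[sep + 1], fields[sep + 2]
        if is_at_risk(fstype):
            hits.append((unescape(fields[4]), fstype, unescape(source)))
    return hits

if __name__ == "__main__":
    # Reading /proc does not perform I/O on the mounted filesystems.
    with open("/proc/self/mountinfo") as f:
        for mountpoint, fstype, source in at_risk_mounts(f.read()):
            print(f"{mountpoint}\t{fstype}\t{source}")
```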