* [PATCH 0/3] fanotify: Allow user space to pass back additional audit info
@ 2020-09-30 16:12 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2020-09-30 16:12 UTC (permalink / raw)
To: linux-fsdevel, Jan Kara, linux-audit, Paul Moore
Cc: Amir Goldstein, Eric Paris
The Fanotify API can be used for access control by requesting permission
event notification. The user space tooling that uses it may have a
complicated policy that inherently contains additional context for the
decision. If this information were available in the audit trail, policy
writers can close the loop on debugging policy. Also, if this additional
information were available, it would enable the creation of tools that
can suggest changes to the policy similar to how audit2allow can help
refine labeled security.
This patch defines 2 bit maps within the response variable returned from
user space on a permission event. The first field is 3 bits for the
context type. The context type will describe what the meaning is of the
second bit field. The audit system will separate the pieces and log them
individually.
The audit function was updated to log the additional information in the
AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Steve Grubb (3):
fanotify: Ensure consistent variable type for response
fanotify: define bit map fields to hold response decision context
fanotify: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 5 ++---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 11 +++--------
include/linux/fanotify.h | 5 +++++
include/uapi/linux/fanotify.h | 31 ++++++++++++++++++++++++++++++
kernel/auditsc.c | 7 +++++--
6 files changed, 47 insertions(+), 14 deletions(-)
--
2.26.2
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH 0/3] fanotify: Allow user space to pass back additional audit info
@ 2020-09-30 16:12 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2020-09-30 16:12 UTC (permalink / raw)
To: linux-fsdevel, Jan Kara, linux-audit, Paul Moore; +Cc: Amir Goldstein
The Fanotify API can be used for access control by requesting permission
event notification. The user space tooling that uses it may have a
complicated policy that inherently contains additional context for the
decision. If this information were available in the audit trail, policy
writers can close the loop on debugging policy. Also, if this additional
information were available, it would enable the creation of tools that
can suggest changes to the policy similar to how audit2allow can help
refine labeled security.
This patch defines 2 bit maps within the response variable returned from
user space on a permission event. The first field is 3 bits for the
context type. The context type will describe what the meaning is of the
second bit field. The audit system will separate the pieces and log them
individually.
The audit function was updated to log the additional information in the
AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Steve Grubb (3):
fanotify: Ensure consistent variable type for response
fanotify: define bit map fields to hold response decision context
fanotify: Allow audit to use the full permission event response
fs/notify/fanotify/fanotify.c | 5 ++---
fs/notify/fanotify/fanotify.h | 2 +-
fs/notify/fanotify/fanotify_user.c | 11 +++--------
include/linux/fanotify.h | 5 +++++
include/uapi/linux/fanotify.h | 31 ++++++++++++++++++++++++++++++
kernel/auditsc.c | 7 +++++--
6 files changed, 47 insertions(+), 14 deletions(-)
--
2.26.2
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-09-30 16:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-30 16:12 [PATCH 0/3] fanotify: Allow user space to pass back additional audit info Steve Grubb
2020-09-30 16:12 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.