[PATCH 1/1] Fanotify: Introduce a permissive mode

From: Steve Grubb <sgrubb@redhat.com>
To: fsdevel <linux-fsdevel@vger.kernel.org>,
	eparis@redhat.com, Linux Audit <linux-audit@redhat.com>
Subject: [PATCH 1/1] Fanotify: Introduce a permissive mode
Date: Mon, 14 Aug 2017 11:04:10 -0400	[thread overview]
Message-ID: <3663877.NZSPRKlUQW@x2> (raw)

Hello,

The fanotify interface can be used as an access control subsystem. If
for some reason the policy is bad, there is potentially no good way to
recover the system. This patch introduces a new command line variable,
fanotify_enforce, to allow overriding the access decision from user
space. The initialization status is recorded as an audit event so that
there is a record of being in permissive mode for the security officer.

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 Documentation/admin-guide/kernel-parameters.txt |  7 +++++
 fs/notify/fanotify/fanotify.c                   | 42 +++++++++++++++++++++++--
 include/uapi/linux/audit.h                      |  1 +
 3 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 7737ab5..84c0e78 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1141,6 +1141,13 @@
 			Format: <interval>,<probability>,<space>,<times>
 			See also Documentation/fault-injection/.
 
+	fanotify_enforce=[FANOTIFY] Enable or disable enforcement of policy
+			decisions at boot time.
+			Format: { "0" | "1" }
+			0 -- disable enforcement.
+			1 -- enable enforcement.
+			Default value is 1 (enforcing).
+
 	floppy=		[HW]
 			See Documentation/blockdev/floppy.txt.
 
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 2fa99ae..cab5c2b 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -9,9 +9,43 @@
 #include <linux/sched/user.h>
 #include <linux/types.h>
 #include <linux/wait.h>
+#include <linux/audit.h>
 
 #include "fanotify.h"
 
+
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+/*
+ * This variable determines if the decisions made by user space listener
+ * will be enforced or overridden for system recovery
+ */
+static unsigned int enforcing_mode = 1;
+
+
+/* Record status of the fanotify sunsystem */
+static int __init fanotify_init(void)
+{
+	audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
+		"state=initialized fanotify_enforce=%u res=1",
+		enforcing_mode);
+	return 0;
+}
+late_initcall(fanotify_init);
+
+static int __init set_fanotify_enforce(char *str)
+{
+	long val;
+
+	if (kstrtol(str, 0, &val) == 0) {
+		enforcing_mode = !!val;
+		pr_info("fanotify initialized with fanotify_enforce=%u\n",
+			enforcing_mode);
+	}
+	return 1;
+}
+__setup("fanotify_enforce=", set_fanotify_enforce);
+#endif
+
 static bool should_merge(struct fsnotify_event *old_fsn,
 			 struct fsnotify_event *new_fsn)
 {
@@ -88,9 +122,12 @@ static int fanotify_get_response(struct fsnotify_group *group,
 	}
 	event->response = 0;
 
-	pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
-		 group, event, ret);
-	
+	pr_debug("%s: group=%p event=%p about to return ret=%d enforce=%u\n",
+		 __func__, group, event, ret, enforcing_mode);
+
+	if (unlikely(!enforcing_mode))
+		ret = 0;
+
 	return ret;
 }
 #endif
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0714a66..9560627 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -112,6 +112,7 @@
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
 #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
 #define AUDIT_KERN_MODULE	1330	/* Kernel Module events */
+#define AUDIT_FANOTIFY_STATUS	1331	/* Fanotify enforcing status */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
-- 
2.9.4
