From: Paul Moore
Date: Tue, 15 Aug 2017 15:19:01 -0400
Subject: Re: [PATCH 1/1] Fanotify: Introduce a permissive mode
To: Steve Grubb
Cc: fsdevel, Eric Paris, Linux Audit

On Mon, Aug 14, 2017 at 11:04 AM, Steve Grubb wrote:
> Hello,
>
> The fanotify interface can be used as an access control subsystem. If
> for some reason the policy is bad, there is potentially no good way to
> recover the system. This patch introduces a new command line variable,
> fanotify_enforce, to allow overriding the access decision from user
> space. The initialization status is recorded as an audit event so that
> there is a record of being in permissive mode for the security officer.
>
> Signed-off-by: sgrubb
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 +++++
> fs/notify/fanotify/fanotify.c | 42 +++++++++++++++++++++++--
> include/uapi/linux/audit.h | 1 +
> 3 files changed, 47 insertions(+), 3 deletions(-)

...

> diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> index 2fa99ae..cab5c2b 100644
> --- a/fs/notify/fanotify/fanotify.c
> +++ b/fs/notify/fanotify/fanotify.c
> @@ -9,9 +9,43 @@ > #include > #include > #include > +#include > > #include "fanotify.h" > > + > +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS > +/* > + * This variable determines if the decisions made by user space listener > + * will be enforced or overridden for system recovery > + */ > +static unsigned int enforcing_mode = 1; > + > + > +/* Record status of the fanotify sunsystem */ > +static int __init fanotify_init(void) > +{ > + audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS, > + "state=initialized fanotify_enforce=%u res=1", > + enforcing_mode);

I realized this has already been NAK'd, but on the chance it is resubmitted with some tweaks I wanted to make a comment that the "state=initialized" addition to the audit records seems a bit redundant; the presence of a FANOTIFY_STATUS audit record should satisfy that requirement. Further, looking at how AUDIT_MAC_STATUS is used (this seemed to be the closest analogue), it doesn't display a similar state=initialized flag, the one exception being when the state is set to disabled, which is not the case here.

> + return 0; > +} > +late_initcall(fanotify_init);

--
paul moore
www.paul-moore.com
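Review bot: the `res=1` in the AUDIT_FANOTIFY_STATUS record emitted from `fanotify_init()` is a hard-coded constant, so it records nothing about whether initialization actually succeeded; either log the real outcome or drop the field, since a reader of the audit trail will otherwise assume it is meaningful. Two smaller points in the same hunk: the comment `/* Record status of the fanotify sunsystem */` should read "subsystem", and the two consecutive blank lines added after `static unsigned int enforcing_mode = 1;` will be flagged by checkpatch. The quoted portion shows only the declaration of `enforcing_mode` and the audit record; the code that consults it in the permission-decision path is not in this excerpt, so that part cannot be reviewed from what is quoted here.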