From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.6 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CBA20C4727C for ; Wed, 30 Sep 2020 16:16:06 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 2374A20759 for ; Wed, 30 Sep 2020 16:16:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="SbRyxabK" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2374A20759 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1601482564; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=R6g/oRKcD8q+g4KlJ5afGaei2A+kzn5zNfiX8xT1REY=; b=SbRyxabKQflkngh53iZLWb3b/u1SYtvRncA5Tc4QnXerpTZwaQhgdgG03FPdxjyklRbLj7 FvUVqi9VQgZ0zZVOesQIDmbKHW+Qi1Mqe7m0paLybyiCGePLSBEmqMrV2I1xv4i23jYhwk wMxyvyQYAMJ5OciumPS9vhgB4RCKLpE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-51-1F9VD1-bOFGIVeX0I7p6lQ-1; Wed, 30 Sep 2020 12:15:54 -0400 X-MC-Unique: 1F9VD1-bOFGIVeX0I7p6lQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 22564801F95; Wed, 30 Sep 2020 16:15:50 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 92C631C4; Wed, 30 Sep 2020 16:15:49 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5EDDA44A4A; Wed, 30 Sep 2020 16:15:47 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 08UGCQQd006581 for ; Wed, 30 Sep 2020 12:12:26 -0400 Received: by smtp.corp.redhat.com (Postfix) id D42836198B; Wed, 30 Sep 2020 16:12:26 +0000 (UTC) Received: from x2.localnet (ovpn-117-41.rdu2.redhat.com [10.10.117.41]) by smtp.corp.redhat.com (Postfix) with ESMTP id 742D865F5E; Wed, 30 Sep 2020 16:12:21 +0000 (UTC) From: Steve Grubb To: linux-fsdevel@vger.kernel.org, Jan Kara , linux-audit@redhat.com, Paul Moore Subject: [PATCH 0/3] fanotify: Allow user space to pass back additional audit info Date: Wed, 30 Sep 2020 12:12:19 -0400 Message-ID: <2042449.irdbgypaU6@x2> Organization: Red Hat MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-loop: linux-audit@redhat.com Cc: Amir Goldstein X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit The Fanotify API can be used for access control by requesting permission event notification. The user space tooling that uses it may have a complicated policy that inherently contains additional context for the decision. If this information were available in the audit trail, policy writers can close the loop on debugging policy. Also, if this additional information were available, it would enable the creation of tools that can suggest changes to the policy similar to how audit2allow can help refine labeled security. This patch defines 2 bit maps within the response variable returned from user space on a permission event. The first field is 3 bits for the context type. The context type will describe what the meaning is of the second bit field. The audit system will separate the pieces and log them individually. The audit function was updated to log the additional information in the AUDIT_FANOTIFY record. The following is an example of the new record format: type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17 Steve Grubb (3): fanotify: Ensure consistent variable type for response fanotify: define bit map fields to hold response decision context fanotify: Allow audit to use the full permission event response fs/notify/fanotify/fanotify.c | 5 ++--- fs/notify/fanotify/fanotify.h | 2 +- fs/notify/fanotify/fanotify_user.c | 11 +++-------- include/linux/fanotify.h | 5 +++++ include/uapi/linux/fanotify.h | 31 ++++++++++++++++++++++++++++++ kernel/auditsc.c | 7 +++++-- 6 files changed, 47 insertions(+), 14 deletions(-) -- 2.26.2 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit