From: Steve Grubb <sgrubb@redhat.com>
To: linux-fsdevel@vger.kernel.org, Jan Kara <jack@suse.cz>,
linux-audit@redhat.com, Paul Moore <paul@paul-moore.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Subject: [PATCH 3/3] fanotify: Allow audit to use the full permission event response
Date: Wed, 30 Sep 2020 12:12:33 -0400 [thread overview]
Message-ID: <3075502.aeNJFYEL58@x2> (raw)
This patch unmasks the full value so that the audit function can use all
of it. The audit function was updated to log the additional information in
the AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
fs/notify/fanotify/fanotify.c | 2 +-
kernel/auditsc.c | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
/* Check if the response should be audited */
if (event->response & FAN_AUDIT)
- audit_fanotify(event->response & ~FAN_AUDIT);
+ audit_fanotify(event->response);
pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
#include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
#include "audit.h"
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
void __audit_fanotify(unsigned int response)
{
- audit_log(audit_context(), GFP_KERNEL,
- AUDIT_FANOTIFY, "resp=%u", response);
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+ FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+ FAN_DEC_CONTEXT_TO_VALUE(response));
}
void __audit_tk_injoffset(struct timespec64 offset)
--
2.26.2
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
reply other threads:[~2020-09-30 16:16 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3075502.aeNJFYEL58@x2 \
--to=sgrubb@redhat.com \
--cc=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).