* [PATCH 3/3] fanotify: Allow audit to use the full permission event response
@ 2020-09-30 16:12 Steve Grubb
0 siblings, 0 replies; only message in thread
From: Steve Grubb @ 2020-09-30 16:12 UTC (permalink / raw)
To: linux-fsdevel, Jan Kara, linux-audit, Paul Moore; +Cc: Amir Goldstein
This patch unmasks the full value so that the audit function can use all
of it. The audit function was updated to log the additional information in
the AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
fs/notify/fanotify/fanotify.c | 2 +-
kernel/auditsc.c | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
/* Check if the response should be audited */
if (event->response & FAN_AUDIT)
- audit_fanotify(event->response & ~FAN_AUDIT);
+ audit_fanotify(event->response);
pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
#include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
#include "audit.h"
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
void __audit_fanotify(unsigned int response)
{
- audit_log(audit_context(), GFP_KERNEL,
- AUDIT_FANOTIFY, "resp=%u", response);
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+ FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+ FAN_DEC_CONTEXT_TO_VALUE(response));
}
void __audit_tk_injoffset(struct timespec64 offset)
--
2.26.2
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-09-30 16:16 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-30 16:12 [PATCH 3/3] fanotify: Allow audit to use the full permission event response Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).