[PATCH 1/1] Fanotify: Introduce a permissive mode

Steve Grubb sgrubb at redhat.com
Tue Aug 15 16:23:08 UTC 2017


On Tuesday, August 15, 2017 11:37:19 AM EDT Amir Goldstein wrote:
> > So, there is some utility to having the application stopped so that the
> > daemon can do its checks but then throw away the answer so that more of
> > the policy can be verified.
> > 
> >> *if* at all this method is acceptable, overriding the access decision should
> >> probably be accompanied with pr_warn_ratelimited and a big warning
> >> for fanotify_init with FAN_CLASS_{,PRE_}CONTENT priority.
> > 
> > I was hoping the audit event was a big enough warning. But something for
> > dmesg/syslog is easy to add.
> 
> No warning is big enough if the change breaks existing apps' behavior.
> One of the major flaws in your suggestion is that it changes the behavior
> globally. I think what you want for the debugging use case is to introduce
> a new fanotify_init() flag FAN_PERMISSIVE.
> Your daemon could set the new flag to opt-in for the new behavior, which
> may depend on a kernel parameter, or even on a sysfs knob if you like.

Thanks for the discussion. I'm self-NAK'ing this for now.

-Steve
