[PATCH 1/1] Fanotify: Introduce a permissive mode
Paul Moore
paul at paul-moore.com
Tue Aug 15 19:19:01 UTC 2017
On Mon, Aug 14, 2017 at 11:04 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
> The fanotify interface can be used as an access control subsystem. If
> for some reason the policy is bad, there is potentially no good way to
> recover the system. This patch introduces a new command line variable,
> fanotify_enforce, to allow overriding the access decision from user
> space. The initialization status is recorded as an audit event so that
> there is a record of being in permissive mode for the security officer.
>
> Signed-off-by: sgrubb <sgrubb at redhat.com>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 +++++
> fs/notify/fanotify/fanotify.c | 42 +++++++++++++++++++++++--
> include/uapi/linux/audit.h | 1 +
> 3 files changed, 47 insertions(+), 3 deletions(-)
...
> diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> index 2fa99ae..cab5c2b 100644
> --- a/fs/notify/fanotify/fanotify.c
> +++ b/fs/notify/fanotify/fanotify.c
> @@ -9,9 +9,43 @@
> #include <linux/sched/user.h>
> #include <linux/types.h>
> #include <linux/wait.h>
> +#include <linux/audit.h>
>
> #include "fanotify.h"
>
> +
> +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
> +/*
> + * This variable determines if the decisions made by user space listener
> + * will be enforced or overridden for system recovery
> + */
> +static unsigned int enforcing_mode = 1;
> +
> +
> +/* Record status of the fanotify sunsystem */
> +static int __init fanotify_init(void)
> +{
> + audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
> + "state=initialized fanotify_enforce=%u res=1",
> + enforcing_mode);
I realized this has already been NAK'd, but on the chance it is
resubmitted with some tweaks I wanted to make a comment that the
"state=initialized" addition to the audit records seems a bit
redundant; the presence of a FANOTIFY_STATUS audit record should
satisfy that requirement. Further, looking at how AUDIT_MAC_STATUS is
used (this seemed to be the closest analogue), it doesn't display a
similar state=initialized flag, the one exception being when the state
is set to disabled, which is not the case here.
> + return 0;
> +}
> +late_initcall(fanotify_init);
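Review bot: nothing in this hunk assigns `enforcing_mode`, so the `fanotify_enforce` parameter the commit message describes has no visible setup handler, and the `#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS` opened above the variable has no matching `#endif` in the visible lines; if both live in the elided part of the diff, please keep the parameter parser next to the variable it sets so the whole permissive path can be reviewed in one place, and consider restricting the parsed value to 0 or 1 since the audit record prints it as-is with `%u`. Smaller points: `+#include <linux/audit.h>` is appended after `<linux/wait.h>` instead of keeping the alphabetical include order, the comment reads `sunsystem` for `subsystem`, and there are two consecutive blank lines after `static unsigned int enforcing_mode = 1;`, which checkpatch will flag.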
--
paul moore
www.paul-moore.com