[PATCH 1/1] audit: Add new syscalls to the perm=w filter

Paul Moore paul at paul-moore.com
Mon Oct 16 19:10:59 UTC 2017


On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> The audit subsystem allows selecting audit events based on watches for
> a particular behavior like writing to a file. A lot of syscalls have
> been added without updating the list. This patch adds 2 syscalls to the
> write filters: fallocate and renameat2.
>
> Signed-off-by: sgrubb <sgrubb at redhat.com>
> ---
>  include/asm-generic/audit_dir_write.h | 4 ++++
>  include/asm-generic/audit_write.h     | 3 +++
>  2 files changed, 7 insertions(+)

FWIW, I expect that this syscall list is almost always going to be out
of date; it's just the way this feature is designed.  That doesn't
mean I'm not going to merge fixes, I just want to make sure
expectations are set accordingly.

Before I merge this, Steve, can you explain why fallocate() should be
on the write list?  It doesn't actually write any user data to disk,
it actually doesn't write anything, all it does is play with the
amount of space allocated for the given fd on the storage device.  I
don't really care either way, this just struck me as odd and I want to
make sure you have a good reason (hint: add it to the patch
description).

> diff --git a/include/asm-generic/audit_dir_write.h b/include/asm-generic/audit_dir_write.h
> index 7b61db4fe72b..d9a53eaeea35 100644
> --- a/include/asm-generic/audit_dir_write.h
> +++ b/include/asm-generic/audit_dir_write.h
> @@ -30,3 +30,7 @@ __NR_renameat,
>  __NR_linkat,
>  __NR_symlinkat,
>  #endif
> +#ifdef __NR_renameat2
> +__NR_renameat2,
> +#endif
> +
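Review bot: The last added line in this hunk is an empty `+` line after the new `#endif`, and since the hunk has no trailing context it becomes a blank line at the end of audit_dir_write.h. The matching hunk for audit_write.h ends at `#endif` with no such line. Drop the empty line so both lists end the same way; the diffstat for this file then goes from 4 insertions to 3.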
> diff --git a/include/asm-generic/audit_write.h b/include/asm-generic/audit_write.h
> index 274575d7129f..4fa65816acd3 100644
> --- a/include/asm-generic/audit_write.h
> +++ b/include/asm-generic/audit_write.h
> @@ -19,3 +19,6 @@ __NR_ftruncate64,
>  #ifdef __NR_bind
>  __NR_bind,             /* bind can affect fs object only in one way... */
>  #endif
> +#ifdef __NR_fallocate
> +__NR_fallocate,
> +#endif
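Review bot: `__NR_fallocate` is added to the write list with no comment saying why it belongs there, while the `__NR_bind` entry directly above it carries one. The reply questions whether fallocate() counts as a write at all, so state the reason it should match perm=w, either as a short comment beside the entry or as a sentence in the patch description.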

-- 
paul moore
www.paul-moore.com



