[PATCH 3/3] fanotify: Allow audit to use the full permission event response
Steve Grubb
sgrubb at redhat.com
Wed Sep 30 16:12:33 UTC 2020
This patch unmasks the full value so that the audit function can use all
of it. The audit function was updated to log the additional information in
the AUDIT_FANOTIFY record. The following is an example of the new record
format:
type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Signed-off-by: Steve Grubb <sgrubb at redhat.com>
---
fs/notify/fanotify/fanotify.c | 2 +-
kernel/auditsc.c | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
/* Check if the response should be audited */
if (event->response & FAN_AUDIT)
- audit_fanotify(event->response & ~FAN_AUDIT);
+ audit_fanotify(event->response);
pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
#include <linux/uaccess.h>
#include <linux/fsnotify_backend.h>
#include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
#include "audit.h"
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
void __audit_fanotify(unsigned int response)
{
- audit_log(audit_context(), GFP_KERNEL,
- AUDIT_FANOTIFY, "resp=%u", response);
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+ FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+ FAN_DEC_CONTEXT_TO_VALUE(response));
}
void __audit_tk_injoffset(struct timespec64 offset)
--
2.26.2
More information about the Linux-audit
mailing list