[PATCH 3/3] fanotify: Allow audit to use the full permission event response

[PATCH 3/3] fanotify: Allow audit to use the full permission event response

[Steve Grubb]

This patch unmasks the full value so that the audit function can use all
of it. The audit function was updated to log the additional information in
the AUDIT_FANOTIFY record. The following is an example of the new record
format:

type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
 fs/notify/fanotify/fanotify.c | 2 +-
 kernel/auditsc.c              | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
 
 	/* Check if the response should be audited */
 	if (event->response & FAN_AUDIT)
-		audit_fanotify(event->response & ~FAN_AUDIT);
+		audit_fanotify(event->response);
 
 	pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
 		 group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
 #include <linux/uaccess.h>
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
 
 #include "audit.h"
 
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
 
 void __audit_fanotify(unsigned int response)
 {
-	audit_log(audit_context(), GFP_KERNEL,
-		AUDIT_FANOTIFY,	"resp=%u", response);
+	audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+		"resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+		FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+		FAN_DEC_CONTEXT_TO_VALUE(response));
 }
 
 void __audit_tk_injoffset(struct timespec64 offset)
-- 
2.26.2




--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

[PATCH 3/3] fanotify: Allow audit to use the full permission event response

[Steve Grubb]

This patch unmasks the full value so that the audit function can use all
of it. The audit function was updated to log the additional information in
the AUDIT_FANOTIFY record. The following is an example of the new record
format:

type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
 fs/notify/fanotify/fanotify.c | 2 +-
 kernel/auditsc.c              | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
 
 	/* Check if the response should be audited */
 	if (event->response & FAN_AUDIT)
-		audit_fanotify(event->response & ~FAN_AUDIT);
+		audit_fanotify(event->response);
 
 	pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
 		 group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
 #include <linux/uaccess.h>
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
 
 #include "audit.h"
 
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
 
 void __audit_fanotify(unsigned int response)
 {
-	audit_log(audit_context(), GFP_KERNEL,
-		AUDIT_FANOTIFY,	"resp=%u", response);
+	audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+		"resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+		FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+		FAN_DEC_CONTEXT_TO_VALUE(response));
 }
 
 void __audit_tk_injoffset(struct timespec64 offset)
-- 
2.26.2