[PATCH] audit: add missing syscalls to PERM class tables

[PATCH] audit: add missing syscalls to PERM class tables

[Ricardo Robaina]

Add missing file timestamp and attribute syscalls to the audit PERM
class tables. The most critical gap was the complete absence of
timestamp syscalls from audit_change_attr.h, which meant timestamp
syscalls failed the kernel-side AUDIT_PERM_ATTR class check, so
rules using perm=a did not match those operations.

Changes:
- audit_change_attr.h: Add utime, utimes, futimesat, utimensat,
  utimensat_time64, and file_setattr

- audit_read.h: Add quotactl_fd, file_getattr, stat, lstat, fstat,
  newfstatat, and statx

- audit_write.h: Add quotactl_fd

Architecture-specific and conditionally-compiled syscalls are guarded
with #ifdef.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
---
 include/asm-generic/audit_change_attr.h | 16 ++++++++++++++++
 include/asm-generic/audit_read.h        | 19 +++++++++++++++++++
 include/asm-generic/audit_write.h       |  3 +++
 3 files changed, 38 insertions(+)

diff --git a/include/asm-generic/audit_change_attr.h b/include/asm-generic/audit_change_attr.h
index ddd90bbe40df..5cb036695d8a 100644
--- a/include/asm-generic/audit_change_attr.h
+++ b/include/asm-generic/audit_change_attr.h
@@ -40,3 +40,19 @@ __NR_link,
 #ifdef __NR_linkat
 __NR_linkat,
 #endif
+#ifdef __NR_utime
+__NR_utime,
+#endif
+#ifdef __NR_utimes
+__NR_utimes,
+#endif
+#ifdef __NR_futimesat
+__NR_futimesat,
+#endif
+__NR_utimensat,
+#ifdef __NR_utimensat_time64
+__NR_utimensat_time64,
+#endif
+#ifdef __NR_file_setattr
+__NR_file_setattr,
+#endif
diff --git a/include/asm-generic/audit_read.h b/include/asm-generic/audit_read.h
index fb9991f53fb6..8feebc5b4c50 100644
--- a/include/asm-generic/audit_read.h
+++ b/include/asm-generic/audit_read.h
@@ -3,6 +3,9 @@
 __NR_readlink,
 #endif
 __NR_quotactl,
+#ifdef __NR_quotactl_fd
+__NR_quotactl_fd,
+#endif
 __NR_listxattr,
 #ifdef __NR_listxattrat
 __NR_listxattrat,
@@ -18,3 +21,19 @@ __NR_fgetxattr,
 #ifdef __NR_readlinkat
 __NR_readlinkat,
 #endif
+#ifdef __NR_file_getattr
+__NR_file_getattr,
+#endif
+#ifdef __NR_stat
+__NR_stat,
+#endif
+#ifdef __NR_lstat
+__NR_lstat,
+#endif
+#ifdef __NR_fstat
+__NR_fstat,
+#endif
+#ifdef __NR_newfstatat
+__NR_newfstatat,
+#endif
+__NR_statx,
diff --git a/include/asm-generic/audit_write.h b/include/asm-generic/audit_write.h
index f9f1d0ae11d9..378128dc31e3 100644
--- a/include/asm-generic/audit_write.h
+++ b/include/asm-generic/audit_write.h
@@ -5,6 +5,9 @@ __NR_acct,
 __NR_swapon,
 #endif
 __NR_quotactl,
+#ifdef __NR_quotactl_fd
+__NR_quotactl_fd,
+#endif
 #ifdef __NR_truncate
 __NR_truncate,
 #endif
-- 
2.53.0

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Arnd Bergmann]

On Wed, Jun 10, 2026, at 18:47, Ricardo Robaina wrote:
> diff --git a/include/asm-generic/audit_read.h 
> b/include/asm-generic/audit_read.h
> index fb9991f53fb6..8feebc5b4c50 100644
> --- a/include/asm-generic/audit_read.h
> +++ b/include/asm-generic/audit_read.h
> @@ -18,3 +21,19 @@ __NR_fgetxattr,
>  #ifdef __NR_readlinkat
>  __NR_readlinkat,
>  #endif
> +#ifdef __NR_file_getattr
> +__NR_file_getattr,
> +#endif
> +#ifdef __NR_stat
> +__NR_stat,
> +#endif
> +#ifdef __NR_lstat
> +__NR_lstat,
> +#endif
> +#ifdef __NR_fstat
> +__NR_fstat,
> +#endif
> +#ifdef __NR_newfstatat
> +__NR_newfstatat,
> +#endif
> +__NR_statx,

There are additional variants of 'stat' that I think you need
to cover here:

scripts/syscall.tbl:79	stat64	fstatat64			sys_fstatat64
scripts/syscall.tbl:80	stat64	fstat64				sys_fstat64
arch/x86/entry/syscalls/syscall_32.tbl:18	i386	oldstat			sys_stat
arch/x86/entry/syscalls/syscall_32.tbl:28	i386	oldfstat		sys_fstat
arch/x86/entry/syscalls/syscall_32.tbl:84	i386	oldlstat		sys_lstat
arch/x86/entry/syscalls/syscall_32.tbl:195	i386	stat64			sys_stat64			compat_sys_ia32_stat64
arch/x86/entry/syscalls/syscall_32.tbl:196	i386	lstat64			sys_lstat64			compat_sys_ia32_lstat64
arch/x86/entry/syscalls/syscall_32.tbl:197	i386	fstat64			sys_fstat64			compat_sys_ia32_fstat64
arch/x86/entry/syscalls/syscall_32.tbl:300	i386	fstatat64		sys_fstatat64			compat_sys_ia32_fstatat64
arch/alpha/kernel/syscalls/syscall.tbl:224	common	osf_stat			sys_osf_stat
arch/alpha/kernel/syscalls/syscall.tbl:225	common	osf_lstat			sys_osf_lstat
arch/alpha/kernel/syscalls/syscall.tbl:226	common	osf_fstat			sys_osf_fstat

Not sure about ustat/fstatfs/statfs, I suppose those are a different
category, right?

       Arnd

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Ricardo Robaina]

On Wed, Jun 10, 2026 at 2:05 PM Arnd Bergmann <arnd@arndb.de> wrote:
>
> On Wed, Jun 10, 2026, at 18:47, Ricardo Robaina wrote:
> > diff --git a/include/asm-generic/audit_read.h
> > b/include/asm-generic/audit_read.h
> > index fb9991f53fb6..8feebc5b4c50 100644
> > --- a/include/asm-generic/audit_read.h
> > +++ b/include/asm-generic/audit_read.h
> > @@ -18,3 +21,19 @@ __NR_fgetxattr,
> >  #ifdef __NR_readlinkat
> >  __NR_readlinkat,
> >  #endif
> > +#ifdef __NR_file_getattr
> > +__NR_file_getattr,
> > +#endif
> > +#ifdef __NR_stat
> > +__NR_stat,
> > +#endif
> > +#ifdef __NR_lstat
> > +__NR_lstat,
> > +#endif
> > +#ifdef __NR_fstat
> > +__NR_fstat,
> > +#endif
> > +#ifdef __NR_newfstatat
> > +__NR_newfstatat,
> > +#endif
> > +__NR_statx,
>
> There are additional variants of 'stat' that I think you need
> to cover here:
>
> scripts/syscall.tbl:79  stat64  fstatat64                       sys_fstatat64
> scripts/syscall.tbl:80  stat64  fstat64                         sys_fstat64
> arch/x86/entry/syscalls/syscall_32.tbl:18       i386    oldstat                 sys_stat
> arch/x86/entry/syscalls/syscall_32.tbl:28       i386    oldfstat                sys_fstat
> arch/x86/entry/syscalls/syscall_32.tbl:84       i386    oldlstat                sys_lstat
> arch/x86/entry/syscalls/syscall_32.tbl:195      i386    stat64                  sys_stat64                      compat_sys_ia32_stat64
> arch/x86/entry/syscalls/syscall_32.tbl:196      i386    lstat64                 sys_lstat64                     compat_sys_ia32_lstat64
> arch/x86/entry/syscalls/syscall_32.tbl:197      i386    fstat64                 sys_fstat64                     compat_sys_ia32_fstat64
> arch/x86/entry/syscalls/syscall_32.tbl:300      i386    fstatat64               sys_fstatat64                   compat_sys_ia32_fstatat64
> arch/alpha/kernel/syscalls/syscall.tbl:224      common  osf_stat                        sys_osf_stat
> arch/alpha/kernel/syscalls/syscall.tbl:225      common  osf_lstat                       sys_osf_lstat
> arch/alpha/kernel/syscalls/syscall.tbl:226      common  osf_fstat                       sys_osf_fstat
>

Hi Arnd,

Thanks for reviewing this patch! You're right, it seems all these stat
variants should be added as well. Steve and Paul, correct me if I'm
wrong here, please.

> Not sure about ustat/fstatfs/statfs, I suppose those are a different
> category, right?

Yes, I believe these would fall under a different category, since they
are related to filesystem stats. Audit PERM classes are specifically
for file metadata and access operations, not filesystem statistics

>
>        Arnd
>

I will work on v2 shortly.

Thanks,
-Ricardo

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Steve Grubb]

On Wednesday, June 10, 2026 1:40:47 PM Eastern Daylight Time Ricardo Robaina 
wrote:
> On Wed, Jun 10, 2026 at 2:05 PM Arnd Bergmann <arnd@arndb.de> wrote:
> > On Wed, Jun 10, 2026, at 18:47, Ricardo Robaina wrote:
> > > diff --git a/include/asm-generic/audit_read.h
> > > b/include/asm-generic/audit_read.h
> > > index fb9991f53fb6..8feebc5b4c50 100644
> > > --- a/include/asm-generic/audit_read.h
> > > +++ b/include/asm-generic/audit_read.h
> > > @@ -18,3 +21,19 @@ __NR_fgetxattr,
> > > 
> > >  #ifdef __NR_readlinkat
> > >  __NR_readlinkat,
> > >  #endif
> > > 
> > > +#ifdef __NR_file_getattr
> > > +__NR_file_getattr,
> > > +#endif
> > > +#ifdef __NR_stat
> > > +__NR_stat,
> > > +#endif
> > > +#ifdef __NR_lstat
> > > +__NR_lstat,
> > > +#endif
> > > +#ifdef __NR_fstat
> > > +__NR_fstat,
> > > +#endif
> > > +#ifdef __NR_newfstatat
> > > +__NR_newfstatat,
> > > +#endif
> > > +__NR_statx,
> > 
> > There are additional variants of 'stat' that I think you need
> > to cover here:
> > 
> > scripts/syscall.tbl:79  stat64  fstatat64                      
> > sys_fstatat64 scripts/syscall.tbl:80  stat64  fstat64                   
> >      sys_fstat64 arch/x86/entry/syscalls/syscall_32.tbl:18       i386   
> > oldstat                 sys_stat
> > arch/x86/entry/syscalls/syscall_32.tbl:28       i386    oldfstat        
> >        sys_fstat arch/x86/entry/syscalls/syscall_32.tbl:84       i386   
> > oldlstat                sys_lstat
> > arch/x86/entry/syscalls/syscall_32.tbl:195      i386    stat64          
> >        sys_stat64                      compat_sys_ia32_stat64
> > arch/x86/entry/syscalls/syscall_32.tbl:196      i386    lstat64         
> >        sys_lstat64                     compat_sys_ia32_lstat64
> > arch/x86/entry/syscalls/syscall_32.tbl:197      i386    fstat64         
> >        sys_fstat64                     compat_sys_ia32_fstat64
> > arch/x86/entry/syscalls/syscall_32.tbl:300      i386    fstatat64       
> >        sys_fstatat64                   compat_sys_ia32_fstatat64
> > arch/alpha/kernel/syscalls/syscall.tbl:224      common  osf_stat        
> >                sys_osf_stat arch/alpha/kernel/syscalls/syscall.tbl:225  
> >    common  osf_lstat                       sys_osf_lstat
> > arch/alpha/kernel/syscalls/syscall.tbl:226      common  osf_fstat       
> >                sys_osf_fstat
> Hi Arnd,
> 
> Thanks for reviewing this patch! You're right, it seems all these stat
> variants should be added as well. Steve and Paul, correct me if I'm
> wrong here, please.

Alpha is unsupported. Those are True64 compatibility syscalls. You can 
include it and #ifdef will filter it everywhere else.  But, yeah. I guess the 
rest are ok. I don't pay much attention to the 32 bit arches.

-Steve

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Ricardo Robaina]

On Wed, Jun 10, 2026 at 3:13 PM Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Wednesday, June 10, 2026 1:40:47 PM Eastern Daylight Time Ricardo Robaina
> wrote:
> > On Wed, Jun 10, 2026 at 2:05 PM Arnd Bergmann <arnd@arndb.de> wrote:
> > > On Wed, Jun 10, 2026, at 18:47, Ricardo Robaina wrote:
> > > > diff --git a/include/asm-generic/audit_read.h
> > > > b/include/asm-generic/audit_read.h
> > > > index fb9991f53fb6..8feebc5b4c50 100644
> > > > --- a/include/asm-generic/audit_read.h
> > > > +++ b/include/asm-generic/audit_read.h
> > > > @@ -18,3 +21,19 @@ __NR_fgetxattr,
> > > >
> > > >  #ifdef __NR_readlinkat
> > > >  __NR_readlinkat,
> > > >  #endif
> > > >
> > > > +#ifdef __NR_file_getattr
> > > > +__NR_file_getattr,
> > > > +#endif
> > > > +#ifdef __NR_stat
> > > > +__NR_stat,
> > > > +#endif
> > > > +#ifdef __NR_lstat
> > > > +__NR_lstat,
> > > > +#endif
> > > > +#ifdef __NR_fstat
> > > > +__NR_fstat,
> > > > +#endif
> > > > +#ifdef __NR_newfstatat
> > > > +__NR_newfstatat,
> > > > +#endif
> > > > +__NR_statx,
> > >
> > > There are additional variants of 'stat' that I think you need
> > > to cover here:
> > >
> > > scripts/syscall.tbl:79  stat64  fstatat64
> > > sys_fstatat64 scripts/syscall.tbl:80  stat64  fstat64
> > >      sys_fstat64 arch/x86/entry/syscalls/syscall_32.tbl:18       i386
> > > oldstat                 sys_stat
> > > arch/x86/entry/syscalls/syscall_32.tbl:28       i386    oldfstat
> > >        sys_fstat arch/x86/entry/syscalls/syscall_32.tbl:84       i386
> > > oldlstat                sys_lstat
> > > arch/x86/entry/syscalls/syscall_32.tbl:195      i386    stat64
> > >        sys_stat64                      compat_sys_ia32_stat64
> > > arch/x86/entry/syscalls/syscall_32.tbl:196      i386    lstat64
> > >        sys_lstat64                     compat_sys_ia32_lstat64
> > > arch/x86/entry/syscalls/syscall_32.tbl:197      i386    fstat64
> > >        sys_fstat64                     compat_sys_ia32_fstat64
> > > arch/x86/entry/syscalls/syscall_32.tbl:300      i386    fstatat64
> > >        sys_fstatat64                   compat_sys_ia32_fstatat64
> > > arch/alpha/kernel/syscalls/syscall.tbl:224      common  osf_stat
> > >                sys_osf_stat arch/alpha/kernel/syscalls/syscall.tbl:225
> > >    common  osf_lstat                       sys_osf_lstat
> > > arch/alpha/kernel/syscalls/syscall.tbl:226      common  osf_fstat
> > >                sys_osf_fstat
> > Hi Arnd,
> >
> > Thanks for reviewing this patch! You're right, it seems all these stat
> > variants should be added as well. Steve and Paul, correct me if I'm
> > wrong here, please.
>
> Alpha is unsupported. Those are True64 compatibility syscalls. You can
> include it and #ifdef will filter it everywhere else.  But, yeah. I guess the
> rest are ok. I don't pay much attention to the 32 bit arches.

Thanks, Steve.

>
> -Steve
>
>

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Arnd Bergmann]

On Wed, Jun 10, 2026, at 20:13, Steve Grubb wrote:
> On Wednesday, June 10, 2026 1:40:47 PM Eastern Daylight Time Ricardo Robaina 
> wrote:

>> > scripts/syscall.tbl:79  stat64  fstatat64                      
>> > sys_fstatat64 scripts/syscall.tbl:80  stat64  fstat64                   
>> >      sys_fstat64 arch/x86/entry/syscalls/syscall_32.tbl:18       i386   
>> > oldstat                 sys_stat
>> > arch/x86/entry/syscalls/syscall_32.tbl:28       i386    oldfstat        
>> >        sys_fstat arch/x86/entry/syscalls/syscall_32.tbl:84       i386   
>> > oldlstat                sys_lstat
>> > arch/x86/entry/syscalls/syscall_32.tbl:195      i386    stat64          
>> >        sys_stat64                      compat_sys_ia32_stat64
>> > arch/x86/entry/syscalls/syscall_32.tbl:196      i386    lstat64         
>> >        sys_lstat64                     compat_sys_ia32_lstat64
>> > arch/x86/entry/syscalls/syscall_32.tbl:197      i386    fstat64         
>> >        sys_fstat64                     compat_sys_ia32_fstat64
>> > arch/x86/entry/syscalls/syscall_32.tbl:300      i386    fstatat64       
>> >        sys_fstatat64                   compat_sys_ia32_fstatat64
>> > arch/alpha/kernel/syscalls/syscall.tbl:224      common  osf_stat        
>> >                sys_osf_stat arch/alpha/kernel/syscalls/syscall.tbl:225  
>> >    common  osf_lstat                       sys_osf_lstat
>> > arch/alpha/kernel/syscalls/syscall.tbl:226      common  osf_fstat       
>> >                sys_osf_fstat
>> Hi Arnd,
>> 
>> Thanks for reviewing this patch! You're right, it seems all these stat
>> variants should be added as well. Steve and Paul, correct me if I'm
>> wrong here, please.
>
> Alpha is unsupported. Those are True64 compatibility syscalls. You can 
> include it and #ifdef will filter it everywhere else.  But, yeah. I guess the 
> rest are ok. I don't pay much attention to the 32 bit arches.

Ah, indeed. I assumed that these were part of the syscalls that
originally came from osf1 but are still used on Linux systems,
but it appears that the stat family was never used like that
with glibc.

The oldstat family is actually in a similar category, as those
were only used on libc5 or earlier. stat64 is definitely
still needed on 32-bit userspace with 32-bit time_t.

     Arnd

Re: [PATCH] audit: add missing syscalls to PERM class tables

[Ricardo Robaina]

On Wed, Jun 10, 2026 at 4:39 PM Arnd Bergmann <arnd@arndb.de> wrote:
>
> On Wed, Jun 10, 2026, at 20:13, Steve Grubb wrote:
> > On Wednesday, June 10, 2026 1:40:47 PM Eastern Daylight Time Ricardo Robaina
> > wrote:
>
> >> > scripts/syscall.tbl:79  stat64  fstatat64
> >> > sys_fstatat64 scripts/syscall.tbl:80  stat64  fstat64
> >> >      sys_fstat64 arch/x86/entry/syscalls/syscall_32.tbl:18       i386
> >> > oldstat                 sys_stat
> >> > arch/x86/entry/syscalls/syscall_32.tbl:28       i386    oldfstat
> >> >        sys_fstat arch/x86/entry/syscalls/syscall_32.tbl:84       i386
> >> > oldlstat                sys_lstat
> >> > arch/x86/entry/syscalls/syscall_32.tbl:195      i386    stat64
> >> >        sys_stat64                      compat_sys_ia32_stat64
> >> > arch/x86/entry/syscalls/syscall_32.tbl:196      i386    lstat64
> >> >        sys_lstat64                     compat_sys_ia32_lstat64
> >> > arch/x86/entry/syscalls/syscall_32.tbl:197      i386    fstat64
> >> >        sys_fstat64                     compat_sys_ia32_fstat64
> >> > arch/x86/entry/syscalls/syscall_32.tbl:300      i386    fstatat64
> >> >        sys_fstatat64                   compat_sys_ia32_fstatat64
> >> > arch/alpha/kernel/syscalls/syscall.tbl:224      common  osf_stat
> >> >                sys_osf_stat arch/alpha/kernel/syscalls/syscall.tbl:225
> >> >    common  osf_lstat                       sys_osf_lstat
> >> > arch/alpha/kernel/syscalls/syscall.tbl:226      common  osf_fstat
> >> >                sys_osf_fstat
> >> Hi Arnd,
> >>
> >> Thanks for reviewing this patch! You're right, it seems all these stat
> >> variants should be added as well. Steve and Paul, correct me if I'm
> >> wrong here, please.
> >
> > Alpha is unsupported. Those are True64 compatibility syscalls. You can
> > include it and #ifdef will filter it everywhere else.  But, yeah. I guess the
> > rest are ok. I don't pay much attention to the 32 bit arches.
>
> Ah, indeed. I assumed that these were part of the syscalls that
> originally came from osf1 but are still used on Linux systems,
> but it appears that the stat family was never used like that
> with glibc.
>
> The oldstat family is actually in a similar category, as those
> were only used on libc5 or earlier. stat64 is definitely
> still needed on 32-bit userspace with 32-bit time_t.
>
>      Arnd
>

Thanks for the context, Arnd and Steve. I'll append just stat64,
lstat64, fstat64 and fstatat64 to the v2 I'm about to send, then.

Please let me know if there's anything else to adjust.

-Ricardo