[PATCH v2] audit: record fanotify event regardless of presence of rules

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] audit: record fanotify event regardless of presence of rules
@ 2025-08-06 21:04 Richard Guy Briggs
  2025-08-07  1:47 ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Guy Briggs @ 2025-08-06 21:04 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, linux-fsdevel,
	Linux Kernel Audit Mailing List
  Cc: Paul Moore, Eric Paris, Steve Grubb, Richard Guy Briggs, Jan Kara,
	Amir Goldstein

When no audit rules are in place, fanotify event results are
unconditionally dropped due to an explicit check for the existence of
any audit rules.  Given this is a report from another security
sub-system, allow it to be recorded regardless of the existence of any
audit rules.

To test, install and run the fapolicyd daemon with default config.  Then
as an unprivileged user, create and run a very simple binary that should
be denied.  Then check for an event with
	ausearch -m FANOTIFY -ts recent

Link: https://issues.redhat.com/browse/RHEL-9065
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
changelog:
v2
- re-add audit_enabled check
---
 include/linux/audit.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index a394614ccd0b..e3f06eba9c6e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -527,7 +527,7 @@ static inline void audit_log_kern_module(const char *name)
 
 static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
 {
-	if (!audit_dummy_context())
+	if (audit_enabled)
 		__audit_fanotify(response, friar);
 }
 
-- 
2.43.5


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] audit: record fanotify event regardless of presence of  rules
  2025-08-06 21:04 [PATCH v2] audit: record fanotify event regardless of presence of rules Richard Guy Briggs
@ 2025-08-07  1:47 ` Paul Moore
  2025-08-07 14:04   ` Richard Guy Briggs
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2025-08-07  1:47 UTC (permalink / raw)
  To: Richard Guy Briggs, Linux-Audit Mailing List, LKML, linux-fsdevel,
	Linux Kernel Audit Mailing List
  Cc: Eric Paris, Steve Grubb, Richard Guy Briggs, Jan Kara,
	Amir Goldstein

On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> 
> When no audit rules are in place, fanotify event results are
> unconditionally dropped due to an explicit check for the existence of
> any audit rules.  Given this is a report from another security
> sub-system, allow it to be recorded regardless of the existence of any
> audit rules.
> 
> To test, install and run the fapolicyd daemon with default config.  Then
> as an unprivileged user, create and run a very simple binary that should
> be denied.  Then check for an event with
> 	ausearch -m FANOTIFY -ts recent
> 
> Link: https://issues.redhat.com/browse/RHEL-9065
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> changelog:
> v2
> - re-add audit_enabled check
> ---
>  include/linux/audit.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Merged into audit/dev-staging with the plan being to merge it to
audit/dev once the merge window closes.

--
paul-moore.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] audit: record fanotify event regardless of presence of rules
  2025-08-07  1:47 ` Paul Moore
@ 2025-08-07 14:04   ` Richard Guy Briggs
  2025-08-11 22:23     ` Paul Moore
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Guy Briggs @ 2025-08-07 14:04 UTC (permalink / raw)
  To: Paul Moore
  Cc: Linux-Audit Mailing List, LKML, linux-fsdevel,
	Linux Kernel Audit Mailing List, Eric Paris, Steve Grubb,
	Jan Kara, Amir Goldstein

On 2025-08-06 21:47, Paul Moore wrote:
> On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> > 
> > When no audit rules are in place, fanotify event results are
> > unconditionally dropped due to an explicit check for the existence of
> > any audit rules.  Given this is a report from another security
> > sub-system, allow it to be recorded regardless of the existence of any
> > audit rules.
> > 
> > To test, install and run the fapolicyd daemon with default config.  Then
> > as an unprivileged user, create and run a very simple binary that should
> > be denied.  Then check for an event with
> > 	ausearch -m FANOTIFY -ts recent
> > 
> > Link: https://issues.redhat.com/browse/RHEL-9065
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > changelog:
> > v2
> > - re-add audit_enabled check
> > ---
> >  include/linux/audit.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Merged into audit/dev-staging with the plan being to merge it to
> audit/dev once the merge window closes.

Thanks Paul.

> paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] audit: record fanotify event regardless of presence of rules
  2025-08-07 14:04   ` Richard Guy Briggs
@ 2025-08-11 22:23     ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2025-08-11 22:23 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux-Audit Mailing List, LKML, linux-fsdevel,
	Linux Kernel Audit Mailing List, Eric Paris, Steve Grubb,
	Jan Kara, Amir Goldstein

On Thu, Aug 7, 2025 at 10:04 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2025-08-06 21:47, Paul Moore wrote:
> > On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> > >
> > > When no audit rules are in place, fanotify event results are
> > > unconditionally dropped due to an explicit check for the existence of
> > > any audit rules.  Given this is a report from another security
> > > sub-system, allow it to be recorded regardless of the existence of any
> > > audit rules.
> > >
> > > To test, install and run the fapolicyd daemon with default config.  Then
> > > as an unprivileged user, create and run a very simple binary that should
> > > be denied.  Then check for an event with
> > >     ausearch -m FANOTIFY -ts recent
> > >
> > > Link: https://issues.redhat.com/browse/RHEL-9065
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > changelog:
> > > v2
> > > - re-add audit_enabled check
> > > ---
> > >  include/linux/audit.h | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Merged into audit/dev-staging with the plan being to merge it to
> > audit/dev once the merge window closes.
>
> Thanks Paul.

Now merged into audit/dev, thanks!

-- 
paul-moore.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-08-11 22:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-06 21:04 [PATCH v2] audit: record fanotify event regardless of presence of rules Richard Guy Briggs
2025-08-07  1:47 ` Paul Moore
2025-08-07 14:04   ` Richard Guy Briggs
2025-08-11 22:23     ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).