The "at" variant of getxattr() and listxattr() are missing from the
audit read class. Calling getxattrat() or listxattrat() on a file to
read its extended attributes will bypass audit rules such as:

-w /tmp/test -p rwa -k test_rwa

The current patch adds missing syscalls to the audit read class.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 include/asm-generic/audit_read.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/asm-generic/audit_read.h b/include/asm-generic/audit_read.h
index 7bb7b5a83ae2..fb9991f53fb6 100644
--- a/include/asm-generic/audit_read.h
+++ b/include/asm-generic/audit_read.h
@@ -4,9 +4,15 @@ __NR_readlink,
 #endif
 __NR_quotactl,
 __NR_listxattr,
+#ifdef __NR_listxattrat
+__NR_listxattrat,
+#endif
 __NR_llistxattr,
 __NR_flistxattr,
 __NR_getxattr,
+#ifdef __NR_getxattrat
+__NR_getxattrat,
+#endif
 __NR_lgetxattr,
 __NR_fgetxattr,
 #ifdef __NR_readlinkat

base-commit: 15b0c43aa621fb77b32c46eb642eaf25557e9fdb
-- 
2.52.0

On Dec 27, 2025 Jeffrey Bencteux <jeff@bencteux.fr> wrote:
> 
> The "at" variant of getxattr() and listxattr() are missing from the
> audit read class. Calling getxattrat() or listxattrat() on a file to
> read its extended attributes will bypass audit rules such as:
> 
> -w /tmp/test -p rwa -k test_rwa
> 
> The current patch adds missing syscalls to the audit read class.
> 
> Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
> ---
>  include/asm-generic/audit_read.h | 6 ++++++
>  1 file changed, 6 insertions(+)

Merged into audit/dev, thanks Jeffrey!

--
paul-moore.com