1. Patchew
  2. linux
  3. View series

[PATCH v2] audit: record fanotify event regardless of presence of rules

Richard Guy Briggs posted 1 patch 1 month, 4 weeks ago 
include/linux/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH v2] audit: record fanotify event regardless of presence of rules
Posted by Richard Guy Briggs 1 month, 4 weeks ago 
When no audit rules are in place, fanotify event results are
unconditionally dropped due to an explicit check for the existence of
any audit rules.  Given this is a report from another security
sub-system, allow it to be recorded regardless of the existence of any
audit rules.

To test, install and run the fapolicyd daemon with default config.  Then
as an unprivileged user, create and run a very simple binary that should
be denied.  Then check for an event with
	ausearch -m FANOTIFY -ts recent

Link: https://issues.redhat.com/browse/RHEL-9065
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
changelog:
v2
- re-add audit_enabled check
---
 include/linux/audit.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index a394614ccd0b..e3f06eba9c6e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -527,7 +527,7 @@ static inline void audit_log_kern_module(const char *name)
 
 static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
 {
-	if (!audit_dummy_context())
+	if (audit_enabled)
 		__audit_fanotify(response, friar);
 }
 
-- 
2.43.5
Re: [PATCH v2] audit: record fanotify event regardless of presence of rules
Posted by Paul Moore 1 month, 4 weeks ago 
On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> 
> When no audit rules are in place, fanotify event results are
> unconditionally dropped due to an explicit check for the existence of
> any audit rules.  Given this is a report from another security
> sub-system, allow it to be recorded regardless of the existence of any
> audit rules.
> 
> To test, install and run the fapolicyd daemon with default config.  Then
> as an unprivileged user, create and run a very simple binary that should
> be denied.  Then check for an event with
> 	ausearch -m FANOTIFY -ts recent
> 
> Link: https://issues.redhat.com/browse/RHEL-9065
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> changelog:
> v2
> - re-add audit_enabled check
> ---
>  include/linux/audit.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Merged into audit/dev-staging with the plan being to merge it to
audit/dev once the merge window closes.

--
paul-moore.com
Re: [PATCH v2] audit: record fanotify event regardless of presence of rules
Posted by Richard Guy Briggs 1 month, 4 weeks ago 
On 2025-08-06 21:47, Paul Moore wrote:
> On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> > 
> > When no audit rules are in place, fanotify event results are
> > unconditionally dropped due to an explicit check for the existence of
> > any audit rules.  Given this is a report from another security
> > sub-system, allow it to be recorded regardless of the existence of any
> > audit rules.
> > 
> > To test, install and run the fapolicyd daemon with default config.  Then
> > as an unprivileged user, create and run a very simple binary that should
> > be denied.  Then check for an event with
> > 	ausearch -m FANOTIFY -ts recent
> > 
> > Link: https://issues.redhat.com/browse/RHEL-9065
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > changelog:
> > v2
> > - re-add audit_enabled check
> > ---
> >  include/linux/audit.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Merged into audit/dev-staging with the plan being to merge it to
> audit/dev once the merge window closes.

Thanks Paul.

> paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570
Re: [PATCH v2] audit: record fanotify event regardless of presence of rules
Posted by Paul Moore 1 month, 3 weeks ago 
On Thu, Aug 7, 2025 at 10:04 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2025-08-06 21:47, Paul Moore wrote:
> > On Aug  6, 2025 Richard Guy Briggs <rgb@redhat.com> wrote:
> > >
> > > When no audit rules are in place, fanotify event results are
> > > unconditionally dropped due to an explicit check for the existence of
> > > any audit rules.  Given this is a report from another security
> > > sub-system, allow it to be recorded regardless of the existence of any
> > > audit rules.
> > >
> > > To test, install and run the fapolicyd daemon with default config.  Then
> > > as an unprivileged user, create and run a very simple binary that should
> > > be denied.  Then check for an event with
> > >     ausearch -m FANOTIFY -ts recent
> > >
> > > Link: https://issues.redhat.com/browse/RHEL-9065
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > changelog:
> > > v2
> > > - re-add audit_enabled check
> > > ---
> > >  include/linux/audit.h | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Merged into audit/dev-staging with the plan being to merge it to
> > audit/dev once the merge window closes.
>
> Thanks Paul.

Now merged into audit/dev, thanks!

-- 
paul-moore.com

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.