Message ID | 23c7f206a465d88cc646a944515fcc6a365f5eb2.1651174324.git.rgb@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | fanotify: Allow user space to pass back additional audit info | expand |
On Thu, Apr 28, 2022 at 8:45 PM Richard Guy Briggs <rgb@redhat.com> wrote: > > This patch passes the full value so that the audit function can use all > of it. The audit function was updated to log the additional information in > the AUDIT_FANOTIFY record. The following is an example of the new record > format: > > type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17 > > Suggested-by: Steve Grubb <sgrubb@redhat.com> > Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Link: https://lore.kernel.org/r/23c7f206a465d88cc646a944515fcc6a365f5eb2.1651174324.git.rgb@redhat.com > --- > fs/notify/fanotify/fanotify.c | 4 +++- > include/linux/audit.h | 8 ++++---- > kernel/auditsc.c | 18 +++++++++++++++--- > 3 files changed, 22 insertions(+), 8 deletions(-) ... > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index ea2ee1181921..afdbc416069a 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -64,6 +64,7 @@ > #include <uapi/linux/limits.h> > #include <uapi/linux/netfilter/nf_tables.h> > #include <uapi/linux/openat2.h> // struct open_how > +#include <uapi/linux/fanotify.h> > > #include "audit.h" > > @@ -2893,10 +2894,21 @@ void __audit_log_kern_module(char *name) > context->type = AUDIT_KERN_MODULE; > } > > -void __audit_fanotify(unsigned int response) > +void __audit_fanotify(__u16 response, __u16 type, char *buf) > { > - audit_log(audit_context(), GFP_KERNEL, > - AUDIT_FANOTIFY, "resp=%u", response); > + switch (type) { > + case FAN_RESPONSE_INFO_AUDIT_RULE: > + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, > + "resp=%u fan_type=%u fan_ctx=%u", > + response, type, (__u32)*buf); I think the above awkward cast helps the argument that fanotify_response:extra_info_buf (and fanotify_perm_event) should properly define a union to encapsulate the type specific data. If you defined a common union type you could share it among all of the different users. -- paul-moore.com
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 00aff6e29bf8..bb16d9e0f31b 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -272,7 +272,9 @@ static int fanotify_get_response(struct fsnotify_group *group,
 /* Check if the response should be audited */
 if (event->response & FAN_AUDIT)
- audit_fanotify(event->response & ~FAN_AUDIT);
+ audit_fanotify(event->response & ~FAN_AUDIT,
+ event->extra_info_type,
+ (char *)&event->extra_info_buf);
 pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__, group, event, ret);
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..0897128ee43b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -419,7 +419,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
 extern void __audit_openat2_how(struct open_how *how);
 extern void __audit_log_kern_module(char *name);
-extern void __audit_fanotify(unsigned int response);
+extern void __audit_fanotify(__u16 response, __u16 type, char *buf);
 extern void __audit_tk_injoffset(struct timespec64 offset);
 extern void __audit_ntp_log(const struct audit_ntp_data *ad);
 extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
@@ -526,10 +526,10 @@ static inline void audit_log_kern_module(char *name)
 __audit_log_kern_module(name);
 }
-static inline void audit_fanotify(unsigned int response)
+static inline void audit_fanotify(__u16 response, __u16 type, char *buf)
 {
 if (!audit_dummy_context())
- __audit_fanotify(response);
+ __audit_fanotify(response, type, buf);
 }
 static inline void audit_tk_injoffset(struct timespec64 offset)
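Review bot: The third argument in the fanotify.c hunk, `(char *)&event->extra_info_buf`, reaches the audit code as a bare pointer with no length, so nothing at this call site bounds how much of the buffer the callee may read for a given `extra_info_type`. Going by the series title the contents originate in user space, so the size that was validated when the response was accepted should travel with the pointer, or the value should be decoded here and handed over as an integer. The declaration of `extra_info_buf` and the code that fills it are outside this hunk, and `fanotify_get_response()` itself starts and ends outside it. If the intended contract is that the buffer is ignored for the "none" type, a one-line comment at the call such as `/* extra_info_buf is only read when extra_info_type != FAN_RESPONSE_INFO_AUDIT_NONE */` would record that.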
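Review bot: The new audit.h prototypes use the uapi-style `__u16` for kernel-internal parameters and take a non-const `char *buf`, although the `__audit_fanotify()` body shown in this patch only reads through it. This applies to the `__audit_fanotify` declaration in the `-419` hunk, the inline `audit_fanotify` wrapper in the `-526` hunk, and the empty stub in the `-686` hunk. The neighbouring `__audit_log_nfcfg` declaration visible in the first hunk already uses `const char *` and `u8`, so `extern void __audit_fanotify(u16 response, u16 type, const char *buf);` would match the header's style and let the compiler reject an accidental write to the response buffer from the audit path.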
@@ -686,7 +686,7 @@ static inline void audit_log_kern_module(char *name)
 { }
-static inline void audit_fanotify(unsigned int response)
+static inline void audit_fanotify(__u16 response, __u16 type, char *buf)
 { }
 static inline void audit_tk_injoffset(struct timespec64 offset)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..afdbc416069a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -64,6 +64,7 @@
 #include <uapi/linux/limits.h>
 #include <uapi/linux/netfilter/nf_tables.h>
 #include <uapi/linux/openat2.h> // struct open_how
+#include <uapi/linux/fanotify.h>
 #include "audit.h"
@@ -2893,10 +2894,21 @@ void __audit_log_kern_module(char *name)
 context->type = AUDIT_KERN_MODULE;
 }
-void __audit_fanotify(unsigned int response)
+void __audit_fanotify(__u16 response, __u16 type, char *buf)
 {
- audit_log(audit_context(), GFP_KERNEL,
- AUDIT_FANOTIFY, "resp=%u", response);
+ switch (type) {
+ case FAN_RESPONSE_INFO_AUDIT_RULE:
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u fan_type=%u fan_ctx=%u",
+ response, type, (__u32)*buf);
+ break;
+ case FAN_RESPONSE_INFO_AUDIT_NONE:
+ default:
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u fan_type=%u fan_ctx=?",
+ response, type);
+ break;
+ }
 }
 void __audit_tk_injoffset(struct timespec64 offset)
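Review bot: `(__u32)*buf` in the `FAN_RESPONSE_INFO_AUDIT_RULE` case dereferences a `char *`, so it reads a single byte and only then widens it. A context value above 255 is logged truncated, and where `char` is signed a byte of 0x80 or more is sign-extended into a very large `fan_ctx`. If the field is meant to carry a 32-bit value (its declaration is outside this patch, so that is inferred from the cast), copy it out at full width with `u32 ctx; memcpy(&ctx, buf, sizeof(ctx));` and log `ctx`, provided the caller guarantees at least four valid bytes. An AUDIT_FANOTIFY record that misreports the rule context cannot be relied on when the decision is reconstructed later, so the width of this read is worth pinning down before the record format is fixed.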
This patch passes the full value so that the audit function can use all of it. The audit function was updated to log the additional information in the AUDIT_FANOTIFY record. The following is an example of the new record format: type=FANOTIFY msg=audit(1600385147.372:590): resp=2 fan_type=1 fan_ctx=17 Suggested-by: Steve Grubb <sgrubb@redhat.com> Link: https://lore.kernel.org/r/3075502.aeNJFYEL58@x2 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Link: https://lore.kernel.org/r/23c7f206a465d88cc646a944515fcc6a365f5eb2.1651174324.git.rgb@redhat.com --- fs/notify/fanotify/fanotify.c | 4 +++- include/linux/audit.h | 8 ++++---- kernel/auditsc.c | 18 +++++++++++++++--- 3 files changed, 22 insertions(+), 8 deletions(-)