Re: [PATCH 1/1] Fanotify: Introduce a permissive mode

Hello, The fanotify interface can be used as an access control subsystem. If for some reason the policy is bad, there is potentially no good way to recover the system. This patch introduces a new command line variable, fanotify_enforce, to allow overriding the access decision from user space. The initialization status is recorded as an audit event so that there is a record of being in permissive mode for the security officer. Signed-off-by: sgrubb <sgrubb(a)redhat.com&gt; --- Documentation/admin-guide/kernel-parameters.txt | 7 +++++ fs/notify/fanotify/fanotify.c | 42 +++++++++++++++++++++++-- include/uapi/linux/audit.h | 1 + 3 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index 2fa99ae..cab5c2b 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -9,9 +9,43 @@ #include <linux/sched/user.h> #include <linux/types.h> #include <linux/wait.h> +#include <linux/audit.h> #include "fanotify.h" + +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS +/* + * This variable determines if the decisions made by user space listener + * will be enforced or overridden for system recovery + */ +static unsigned int enforcing_mode = 1; + + +/* Record status of the fanotify sunsystem */ +static int __init fanotify_init(void) +{ + audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS, + "state=initialized fanotify_enforce=%u res=1", + enforcing_mode);

+ return 0; +} +late_initcall(fanotify_init);