Re: [PATCH v1 1/2] audit: record fanotify event regardless of presence of rules
On Wed 05-03-25 16:33:19, Richard Guy Briggs wrote:
When no audit rules are in place, fanotify event results are
unconditionally dropped due to an explicit check for the existence of
any audit rules. Given this is a report from another security
sub-system, allow it to be recorded regardless of the existence of any
audit rules.
To test, install and run the fapolicyd daemon with default config. Then
as an unprivileged user, create and run a very simple binary that should
be denied. Then check for an event with
ausearch -m FANOTIFY -ts recent
Link: https://issues.redhat.com/browse/RHEL-1367
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
I don't know enough about security modules to tell whether this is what
admins want or not so that's up to you but:
-static inline void audit_fanotify(u32 response, struct
fanotify_response_info_audit_rule *friar)
-{
- if (!audit_dummy_context())
- __audit_fanotify(response, friar);
-}
-
I think this is going to break compilation with !CONFIG_AUDITSYSCALL &&
CONFIG_FANOTIFY?
Honza
--
Jan Kara <jack(a)suse.com>
SUSE Labs, CR