This patch unmasks the full value so that the audit function can use all of it. The audit function was updated to log the additional information in the AUDIT_FANOTIFY record. The following is an example of the new record format: type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17 Signed-off-by: Steve Grubb <sgrubb(a)redhat.com&gt; --- fs/notify/fanotify/fanotify.c | 2 +- kernel/auditsc.c | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index e72b7e59aa24..a9278e983e30 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group, /* Check if the response should be audited */ if (event->response & FAN_AUDIT) - audit_fanotify(event->response & ~FAN_AUDIT); + audit_fanotify(event->response); pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__, group, event, ret); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fd840c40abf7..9d6a3ad2037d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -75,6 +75,7 @@ #include <linux/uaccess.h> #include <linux/fsnotify_backend.h> #include <uapi/linux/limits.h> +#include <uapi/linux/fanotify.h> #include "audit.h" @@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name) void __audit_fanotify(unsigned int response) { - audit_log(audit_context(), GFP_KERNEL, - AUDIT_FANOTIFY, "resp=%u", response); + audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY, + "resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response), + FAN_DEC_CONTEXT_TYPE_TO_VALUE(response), + FAN_DEC_CONTEXT_TO_VALUE(response)); } void __audit_tk_injoffset(struct timespec64 offset) -- 2.26.2