On Mon, Aug 14, 2017 at 11:04 AM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> Hello,
>
> The fanotify interface can be used as an access control subsystem. If
> for some reason the policy is bad, there is potentially no good way to
> recover the system. This patch introduces a new command line variable,
> fanotify_enforce, to allow overriding the access decision from user
> space. The initialization status is recorded as an audit event so that
> there is a record of being in permissive mode for the security officer.
>
> Signed-off-by: sgrubb <sgrubb@xxxxxxxxxx>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |  7 +++++
>  fs/notify/fanotify/fanotify.c                   | 42 +++++++++++++++++++++++--
>  include/uapi/linux/audit.h                      |  1 +
>  3 files changed, 47 insertions(+), 3 deletions(-)

...

> diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> index 2fa99ae..cab5c2b 100644
> --- a/fs/notify/fanotify/fanotify.c
> +++ b/fs/notify/fanotify/fanotify.c
> @@ -9,9 +9,43 @@
>  #include <linux/sched/user.h>
>  #include <linux/types.h>
>  #include <linux/wait.h>
> +#include <linux/audit.h>
>
>  #include "fanotify.h"
>
> +
> +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
> +/*
> + * This variable determines if the decisions made by user space listener
> + * will be enforced or overridden for system recovery
> + */
> +static unsigned int enforcing_mode = 1;
> +
> +
> +/* Record status of the fanotify sunsystem */
> +static int __init fanotify_init(void)
> +{
> +	audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
> +		  "state=initialized fanotify_enforce=%u res=1",
> +		  enforcing_mode);

I realized this has already been NAK'd, but on the chance it is
resubmitted with some tweaks I wanted to make a comment that the
"state=initialized" addition to the audit records seems a bit redundant;
the presence of a FANOTIFY_STATUS audit record should satisfy that
requirement. Further, looking at how AUDIT_MAC_STATUS is used (this
seemed to be the closest analogue), it doesn't display a similar
state=initialized flag, the one exception being when the state is set
to disabled, which is not the case here.

> +	return 0;
> +}
> +late_initcall(fanotify_init);

-- 
paul moore
www.paul-moore.com
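Review bot: `res=1` in the `audit_log()` format string is a hard-coded literal, so this record can never report anything but success; either drop the field or derive it from a real outcome, since the only runtime state the record actually carries is `enforcing_mode`, and a constant `res=1` beside it is noise for anyone correlating these events (the same objection already raised against the `state=initialized` token). Two smaller points in the same hunk: the comment `/* Record status of the fanotify sunsystem */` misspells "subsystem", and the two consecutive empty `+` lines after `static unsigned int enforcing_mode = 1;` (plus the extra one before `#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS`) will draw a checkpatch "multiple blank lines" check; a single blank line is the kernel convention.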