This patch unmasks the full value so that the audit function can use all of it. The audit function was updated to log the additional information in the AUDIT_FANOTIFY record. The following is an example of the new record format: type=FANOTIFY msg=audit(1600385147.372:590): resp=2 ctx_type=1 fan_ctx=17
Signed-off-by: Steve Grubb <sgrubb@xxxxxxxxxx>
---
 fs/notify/fanotify/fanotify.c | 2 +-
 kernel/auditsc.c | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index e72b7e59aa24..a9278e983e30 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -188,7 +188,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
 /* Check if the response should be audited */
 if (event->response & FAN_AUDIT)
- audit_fanotify(event->response & ~FAN_AUDIT);
+ audit_fanotify(event->response);
 pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__, group, event, ret);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd840c40abf7..9d6a3ad2037d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -75,6 +75,7 @@
 #include <linux/uaccess.h>
 #include <linux/fsnotify_backend.h>
 #include <uapi/linux/limits.h>
+#include <uapi/linux/fanotify.h>
 #include "audit.h"
@@ -2523,8 +2524,10 @@ void __audit_log_kern_module(char *name)
 void __audit_fanotify(unsigned int response)
 {
- audit_log(audit_context(), GFP_KERNEL,
- AUDIT_FANOTIFY, "resp=%u", response);
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_FANOTIFY,
+ "resp=%u ctx_type=%u fan_ctx=%u", FAN_DEC_MASK(response),
+ FAN_DEC_CONTEXT_TYPE_TO_VALUE(response),
+ FAN_DEC_CONTEXT_TO_VALUE(response));
 }
 void __audit_tk_injoffset(struct timespec64 offset)
--
2.26.2
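Review bot: In the fs/notify/fanotify/fanotify.c hunk, `audit_fanotify(event->response)` now passes every bit of the response to the audit code, so the logged `resp=` value is only correct if FAN_DEC_MASK() clears FAN_AUDIT the way the removed `& ~FAN_AUDIT` did. That macro is defined outside this diff, so this should be confirmed against its definition. The declared width of `event->response` is also not visible here; if it is narrower than the bit positions the context macros read, ctx_type and fan_ctx would always be logged as 0. A comment at the call would record the new contract, for example `/* pass the raw response; __audit_fanotify() separates decision and context bits */`. The body of fanotify_get_response() starts and ends outside the hunk.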
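Review bot: In the kernel/auditsc.c hunk, __audit_fanotify() has no comment saying where ctx_type and fan_ctx come from or how far they can be trusted. Both are decoded from the same response word as the decision and are written to the AUDIT_FANOTIFY record without any range or consistency check in this function. If that word is the fanotify listener's reply, as the caller suggests, the two fields are listener-asserted values rather than kernel-verified ones. The record also cannot distinguish "no context supplied" from a context value of 0. I would add above the function `/* resp is the decision; ctx_type and fan_ctx are decoded from the remaining response bits and are not validated here */`. Because the record gains two fields, parsers that expect `resp=` to be the last field should be checked.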