On Thu 06-03-25 20:12:23, Richard Guy Briggs wrote: > On 2025-03-06 16:06, Jan Kara wrote: > > On Wed 05-03-25 16:33:19, Richard Guy Briggs wrote: > > > When no audit rules are in place, fanotify event results are > > > unconditionally dropped due to an explicit check for the existence of > > > any audit rules. Given this is a report from another security > > > sub-system, allow it to be recorded regardless of the existence of any > > > audit rules. > > > > > > To test, install and run the fapolicyd daemon with default config. Then > > > as an unprivileged user, create and run a very simple binary that should > > > be denied. Then check for an event with > > > ausearch -m FANOTIFY -ts recent > > > > > > Link: https://issues.redhat.com/browse/RHEL-1367 > > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > > > > I don't know enough about security modules to tell whether this is what > > admins want or not so that's up to you but: > > > > > -static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar) > > > -{ > > > - if (!audit_dummy_context()) > > > - __audit_fanotify(response, friar); > > > -} > > > - > > > > I think this is going to break compilation with !CONFIG_AUDITSYSCALL && > > CONFIG_FANOTIFY? > > Why would that break it? The part of the patch you (prematurely) > deleted takes care of that. So I'm failing to see how it takes care of that when with !CONFIG_AUDITSYSCALL kernel/auditsc.c does not get compiled into the kernel. So what does provide the implementation of audit_fanotify() in that case? I think you need to provide empty audit_fanotify() inline wrapper for that case... Honza > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 0050ef288ab3..d0c6f23503a1 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -418,7 +418,7 @@ extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > extern void __audit_openat2_how(struct open_how *how); > extern void __audit_log_kern_module(char *name); > -extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar); > +extern void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar); > extern void __audit_tk_injoffset(struct timespec64 offset); > extern void __audit_ntp_log(const struct audit_ntp_data *ad); > extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, > > > Honza > > -- > > Jan Kara <jack@xxxxxxxx> > > SUSE Labs, CR > > - RGB > > -- > Richard Guy Briggs <rgb@xxxxxxxxxx> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > Upstream IRC: SunRaycer > Voice: +1.613.860 2354 SMS: +1.613.518.6570 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
