[PATCH 1/1] Fanotify: Introduce a permissive mode
Steve Grubb
sgrubb at redhat.com
Mon Aug 14 15:04:10 UTC 2017
Hello,
The fanotify interface can be used as an access control subsystem. If
for some reason the policy is bad, there is potentially no good way to
recover the system. This patch introduces a new command line variable,
fanotify_enforce, to allow overriding the access decision from user
space. The initialization status is recorded as an audit event so that
there is a record of being in permissive mode for the security officer.
Signed-off-by: sgrubb <sgrubb at redhat.com>
---
Documentation/admin-guide/kernel-parameters.txt | 7 +++++
fs/notify/fanotify/fanotify.c | 42 +++++++++++++++++++++++--
include/uapi/linux/audit.h | 1 +
3 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 7737ab5..84c0e78 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1141,6 +1141,13 @@
Format: <interval>,<probability>,<space>,<times>
See also Documentation/fault-injection/.
+ fanotify_enforce=[FANOTIFY] Enable or disable enforcement of policy
+ decisions at boot time.
+ Format: { "0" | "1" }
+ 0 -- disable enforcement.
+ 1 -- enable enforcement.
+ Default value is 1 (enforcing).
+
floppy= [HW]
See Documentation/blockdev/floppy.txt.
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 2fa99ae..cab5c2b 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -9,9 +9,43 @@
#include <linux/sched/user.h>
#include <linux/types.h>
#include <linux/wait.h>
+#include <linux/audit.h>
#include "fanotify.h"
+
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+/*
+ * This variable determines if the decisions made by user space listener
+ * will be enforced or overridden for system recovery
+ */
+static unsigned int enforcing_mode = 1;
+
+
+/* Record status of the fanotify sunsystem */
+static int __init fanotify_init(void)
+{
+ audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
+ "state=initialized fanotify_enforce=%u res=1",
+ enforcing_mode);
+ return 0;
+}
+late_initcall(fanotify_init);
+
+static int __init set_fanotify_enforce(char *str)
+{
+ long val;
+
+ if (kstrtol(str, 0, &val) == 0) {
+ enforcing_mode = !!val;
+ pr_info("fanotify initialized with fanotify_enforce=%u\n",
+ enforcing_mode);
+ }
+ return 1;
+}
+__setup("fanotify_enforce=", set_fanotify_enforce);
+#endif
+
static bool should_merge(struct fsnotify_event *old_fsn,
struct fsnotify_event *new_fsn)
{
@@ -88,9 +122,12 @@ static int fanotify_get_response(struct fsnotify_group *group,
}
event->response = 0;
- pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
- group, event, ret);
-
+ pr_debug("%s: group=%p event=%p about to return ret=%d enforce=%u\n",
+ __func__, group, event, ret, enforcing_mode);
+
+ if (unlikely(!enforcing_mode))
+ ret = 0;
+
return ret;
}
#endif
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0714a66..9560627 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -112,6 +112,7 @@
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
+#define AUDIT_FANOTIFY_STATUS 1331 /* Fanotify enforcing status */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
--
2.9.4
More information about the Linux-audit
mailing list