[PATCH 1/1] Fanotify: Introduce a permissive mode

Paul Moore paul at paul-moore.com
Tue Aug 15 19:19:01 UTC 2017


On Mon, Aug 14, 2017 at 11:04 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
> The fanotify interface can be used as an access control subsystem. If
> for some reason the policy is bad, there is potentially no good way to
> recover the system. This patch introduces a new command line variable,
> fanotify_enforce, to allow overriding the access decision from user
> space. The initialization status is recorded as an audit event so that
> there is a record of being in permissive mode for the security officer.
>
> Signed-off-by: sgrubb <sgrubb at redhat.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt |  7 +++++
>  fs/notify/fanotify/fanotify.c                   | 42 +++++++++++++++++++++++--
>  include/uapi/linux/audit.h                      |  1 +
>  3 files changed, 47 insertions(+), 3 deletions(-)

...

> diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
> index 2fa99ae..cab5c2b 100644
> --- a/fs/notify/fanotify/fanotify.c
> +++ b/fs/notify/fanotify/fanotify.c
> @@ -9,9 +9,43 @@
>  #include <linux/sched/user.h>
>  #include <linux/types.h>
>  #include <linux/wait.h>
> +#include <linux/audit.h>
>
>  #include "fanotify.h"
>
> +
> +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
> +/*
> + * This variable determines if the decisions made by user space listener
> + * will be enforced or overridden for system recovery
> + */
> +static unsigned int enforcing_mode = 1;
> +
> +
> +/* Record status of the fanotify sunsystem */
> +static int __init fanotify_init(void)
> +{
> +       audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
> +               "state=initialized fanotify_enforce=%u res=1",
> +               enforcing_mode);

I realized this has already been NAK'd, but on the chance it is
resubmitted with some tweaks I wanted to make a comment that the
"state=initialized" addition to the audit records seems a bit
redundant, the presence of a FANOTIFY_STATUS audit record should
satisfy that requirement.  Further, looking at how AUDIT_MAC_STATUS is
used (this seemed to be the closest analogue), it doesn't display a
similar state=initialized flag, the one exception being when the state
is set to disabled, which is not the case here.

> +       return 0;
> +}
> +late_initcall(fanotify_init);
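Review bot: the comment at `/* Record status of the fanotify sunsystem */` has a typo ("subsystem"), and the comment above `enforcing_mode` reads better as "decisions made by the user space listener"; since the variable's only meaningful values are 0 and 1, the comment could also spell that out. The doubled blank lines after `#include "fanotify.h"` and after the `enforcing_mode` definition will draw a checkpatch warning and should be collapsed to one.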

-- 
paul moore
www.paul-moore.com