[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <aJSyXpsVfU+PfFzN@madcap2.tricolour.ca>
Date: Thu, 7 Aug 2025 10:04:14 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: Paul Moore <paul@...l-moore.com>
Cc: Linux-Audit Mailing List <linux-audit@...ts.linux-audit.osci.io>,
LKML <linux-kernel@...r.kernel.org>, linux-fsdevel@...r.kernel.org,
Linux Kernel Audit Mailing List <audit@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>, Steve Grubb <sgrubb@...hat.com>,
Jan Kara <jack@...e.cz>, Amir Goldstein <amir73il@...il.com>
Subject: Re: [PATCH v2] audit: record fanotify event regardless of presence
of rules
On 2025-08-06 21:47, Paul Moore wrote:
> On Aug 6, 2025 Richard Guy Briggs <rgb@...hat.com> wrote:
> >
> > When no audit rules are in place, fanotify event results are
> > unconditionally dropped due to an explicit check for the existence of
> > any audit rules. Given this is a report from another security
> > sub-system, allow it to be recorded regardless of the existence of any
> > audit rules.
> >
> > To test, install and run the fapolicyd daemon with default config. Then
> > as an unprivileged user, create and run a very simple binary that should
> > be denied. Then check for an event with
> > ausearch -m FANOTIFY -ts recent
> >
> > Link: https://issues.redhat.com/browse/RHEL-9065
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > ---
> > changelog:
> > v2
> > - re-add audit_enabled check
> > ---
> > include/linux/audit.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Merged into audit/dev-staging with the plan being to merge it to
> audit/dev once the merge window closes.
Thanks Paul.
> paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
Upstream IRC: SunRaycer
Voice: +1.613.860 2354 SMS: +1.613.518.6570
Powered by blists - more mailing lists