RFE: generate audit records for fanotify decisions

[pcmoore]

From @stevegrubb:

Fanotify subsystem allows a user space daemon to make file access decisions. Since this is a flow control decision, there must be auditing around the decision. This must be configurable in some sense in that the admin has to be able to decide if they want access audit events or not in the policy.

I would like to propose adding 2 new decision flags for the FAN_*_PERM events: FAN_ALLOW_AUDIT and FAN_DENY_AUDIT. This way policy in the daemon can dictate whether an audit event should be created or not and what the access decision is.

[pcmoore]

We should have a RFE wiki page and a new test for this feature.

• https://github.com/linux-audit/audit-kernel/wiki
• https://github.com/linux-audit/audit-testsuite

[pcmoore]

@stevegrubb I know you sent the kernel patch by way of the fanotify team, but did you ever document it and provide test cases as mentioned above?

[stevegrubb]

It is documented in the header file just like any other event. I think Ondrej has a test for it.

[pcmoore]

That is not our general agreement, new things like this need to be documented in the wiki[1] (using the template[2]) and a test added to the audit-testsuite[3].

[1] https://github.com/linux-audit/audit-kernel/wiki [2] https://github.com/linux-audit/audit-kernel/wiki/Template-RFE [3] https://github.com/linux-audit/audit-testsuite

[pcmoore]

@stevegrubb I believe you addressed this with the fanotify folks, can we close this out or is there still something that needs to be done?

[stevegrubb]

We can close it...

[pcmoore]

I closed this, but @stevegrubb you really need to add the RFE wiki page as stated above.