audit: add missing syscalls to read class

[ Upstream commit bcb90a2834c7393c26df9609b889a3097b7700cd ]

The "at" variants of getxattr() and listxattr() are missing from the
audit read class. Calling getxattrat() or listxattrat() on a file to
read its extended attributes will bypass audit rules such as:

-w /tmp/test -p rwa -k test_rwa

The current patch adds missing syscalls to the audit read class.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jeffrey Bencteux 2025-12-27 09:39:24 +01:00 committed by Sasha Levin
parent c6f2c554dd
commit a2e8c14429
1 changed files with 6 additions and 0 deletions


@ -4,9 +4,15 @@ __NR_readlink,
#endif #endif
__NR_quotactl, __NR_quotactl,
__NR_listxattr, __NR_listxattr,
#ifdef __NR_listxattrat
__NR_listxattrat,
#endif
__NR_llistxattr, __NR_llistxattr,
__NR_flistxattr, __NR_flistxattr,
__NR_getxattr, __NR_getxattr,
#ifdef __NR_getxattrat
__NR_getxattrat,
#endif
__NR_lgetxattr, __NR_lgetxattr,
__NR_fgetxattr, __NR_fgetxattr,
#ifdef __NR_readlinkat #ifdef __NR_readlinkat
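Review bot: the two entries added after __NR_listxattr and __NR_getxattr close the gap for the read class only, while the example rule in the commit message uses -p rwa, so the lists backing the "w" and "a" permissions need the same check. If the xattr-modifying "at" syscalls (setxattrat, removexattrat) are not already in the attribute-change class, add them there under the same kind of #ifdef guard, or say in the message that this was verified. The #ifdef __NR_listxattrat and #ifdef __NR_getxattrat guards follow the existing __NR_readlinkat guard in this list, so the table still builds where the new syscall numbers are not defined.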