audit: record fanotify event regardless of presence of rules

When no audit rules are in place, fanotify event results are unconditionally dropped due to an explicit check for the existence of any audit rules. Given this is a report from another security sub-system, allow it to be recorded regardless of the existence of any audit rules. To test, install and run the fapolicyd daemon with default config. Then as an unprivileged user, create and run a very simple binary that should be denied. Then check for an event with ausearch -m FANOTIFY -ts recent Link: https://issues.redhat.com/browse/RHEL-9065 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Guy Briggs <rgb@redhat.com> 2025-08-06 17:04:07 -0400
committer: Paul Moore <paul@paul-moore.com> 2025-08-11 11:44:58 -0400
commit: ce8370e2e62a903e18be7dd0e0be2eee079501e1 (patch)
tree: a739906f35807c337bc5c327e65fc872c89a5161
parent: df1145b56c6f92696acec7730694a19fb4c8a174 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index a394614ccd0b..e3f06eba9c6e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -527,7 +527,7 @@ static inline void audit_log_kern_module(const char *name)
 
 static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
 {
-	if (!audit_dummy_context())
+	if (audit_enabled)
 		__audit_fanotify(response, friar);
 }
author	Richard Guy Briggs <rgb@redhat.com>	2025-08-06 17:04:07 -0400
committer	Paul Moore <paul@paul-moore.com>	2025-08-11 11:44:58 -0400
commit	ce8370e2e62a903e18be7dd0e0be2eee079501e1 (patch)
tree	a739906f35807c337bc5c327e65fc872c89a5161
parent	df1145b56c6f92696acec7730694a19fb4c8a174 (diff)