| From 0292a3aa978968ede70a2ce5ed5086fca81dcfbd Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 27 Dec 2025 09:39:24 +0100 |
| Subject: audit: add missing syscalls to read class |
| |
| From: Jeffrey Bencteux <jeff@bencteux.fr> |
| |
| [ Upstream commit bcb90a2834c7393c26df9609b889a3097b7700cd ] |
| |
| The "at" variants of getxattr() and listxattr() are missing from the |
| audit read class. Calling getxattrat() or listxattrat() on a file to |
| read its extended attributes will bypass audit rules such as: |
| |
| -w /tmp/test -p rwa -k test_rwa |
| |
| The current patch adds missing syscalls to the audit read class. |
| |
| Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr> |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| include/asm-generic/audit_read.h | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/include/asm-generic/audit_read.h b/include/asm-generic/audit_read.h |
| index 7bb7b5a83ae2e..fb9991f53fb6f 100644 |
| --- a/include/asm-generic/audit_read.h |
| +++ b/include/asm-generic/audit_read.h |
| @@ -4,9 +4,15 @@ __NR_readlink, |
| #endif |
| __NR_quotactl, |
| __NR_listxattr, |
| +#ifdef __NR_listxattrat |
| +__NR_listxattrat, |
| +#endif |
| __NR_llistxattr, |
| __NR_flistxattr, |
| __NR_getxattr, |
| +#ifdef __NR_getxattrat |
| +__NR_getxattrat, |
| +#endif |
| __NR_lgetxattr, |
| __NR_fgetxattr, |
| #ifdef __NR_readlinkat |
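Review bot: The `#ifdef __NR_listxattrat` and `#ifdef __NR_getxattrat` guards drop the new entries with no diagnostic whenever the syscall header in effect at the include site lacks those numbers, so on such an architecture or compat table a read-permission watch would presumably still miss these calls. A one-line comment above each guard, for example `/* *at xattr variant: only listed where the ABI defines the syscall number */`, would make that coverage gap explicit to whoever audits the class later. The hunk touches only the read class; the write-side counterparts `setxattrat()` and `removexattrat()` belong in the attribute-change class (`include/asm-generic/audit_change_attr.h`), which is not visible here, so it is worth confirming that the target stable tree lists them there. The syscall list starts and ends outside the hunk, so the remaining read-class entries cannot be checked from this page.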
| -- |
| 2.51.0 |
| |