fanotify_init.2, fanotify.7: Document FAN_AUDIT flag and FAN_ENABLE_AUDIT

Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-12-02 16:43:54 +01:00 · 2020-12-02 16:43:54 +01:00 · f040d28675
parent 028350ffb8
commit f040d28675
2 changed files with 15 additions and 1 deletions
--- a/man2/fanotify_init.2
+++ b/man2/fanotify_init.2
@ -156,6 +156,13 @@ supplied to
 (see
 .BR fanotify (7)).
 .TP
+.BR FAN_ENABLE_AUDIT " (since Linux 4.15)"
+.\" commit de8cd83e91bc3ee212b3e6ec6e4283af9e4ab269
+Enable generation of audit log records about access mediation performed by
+permission events. The permission event response has to be marked with
+.B FAN_AUDIT
+flag for audit log record to be generated.
+.TP
 .BR FAN_REPORT_FID " (since Linux 5.1)"
 .\" commit a8b13aa20afb69161b5123b4f1acc7ea0a03d360
 This value allows the receipt of events which contain additional information
--- a/man7/fanotify.7
+++ b/man7/fanotify.7
@ -588,7 +588,14 @@ to deny the file operation.
 .PP
 If access is denied, the requesting application call will receive an
 .BR EPERM
-error.
+error. Additionally, if the notification group has been created with
+.B FAN_ENABLE_AUDIT
+flag,
+.B FAN_AUDIT
+flag can be set in the
+.I response
+field. In that case audit subsystem will log information about the access
+decision to the audit logs.
 .\"
 .SS Closing the fanotify file descriptor
 When all file descriptors referring to the fanotify notification group are