Re: [PATCH] audit: add missing syscalls to PERM class tables

From: Ricardo Robaina

Date: Wed Jun 10 2026 - 13:41:11 EST


On Wed, Jun 10, 2026 at 2:05 PM Arnd Bergmann <arnd@xxxxxxxx> wrote:
>
> On Wed, Jun 10, 2026, at 18:47, Ricardo Robaina wrote:
> > diff --git a/include/asm-generic/audit_read.h
> > b/include/asm-generic/audit_read.h
> > index fb9991f53fb6..8feebc5b4c50 100644
> > --- a/include/asm-generic/audit_read.h
> > +++ b/include/asm-generic/audit_read.h
> > @@ -18,3 +21,19 @@ __NR_fgetxattr,
> > #ifdef __NR_readlinkat
> > __NR_readlinkat,
> > #endif
> > +#ifdef __NR_file_getattr
> > +__NR_file_getattr,
> > +#endif
> > +#ifdef __NR_stat
> > +__NR_stat,
> > +#endif
> > +#ifdef __NR_lstat
> > +__NR_lstat,
> > +#endif
> > +#ifdef __NR_fstat
> > +__NR_fstat,
> > +#endif
> > +#ifdef __NR_newfstatat
> > +__NR_newfstatat,
> > +#endif
> > +__NR_statx,
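
Review bot: `__NR_statx,` on the last added line is the only new entry without an `#ifdef` guard, while every other addition in this hunk, and the existing `__NR_readlinkat` context entry, is wrapped in one. If the omission is deliberate because every architecture that includes this header defines `__NR_statx`, state that in the commit message or a one-line comment; otherwise wrap it in `#ifdef __NR_statx` / `#endif` like its neighbours so the table still builds where the number is absent.
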
>
> There are additional variants of 'stat' that I think you need
> to cover here:
>
> scripts/syscall.tbl:79 stat64 fstatat64 sys_fstatat64
> scripts/syscall.tbl:80 stat64 fstat64 sys_fstat64
> arch/x86/entry/syscalls/syscall_32.tbl:18 i386 oldstat sys_stat
> arch/x86/entry/syscalls/syscall_32.tbl:28 i386 oldfstat sys_fstat
> arch/x86/entry/syscalls/syscall_32.tbl:84 i386 oldlstat sys_lstat
> arch/x86/entry/syscalls/syscall_32.tbl:195 i386 stat64 sys_stat64 compat_sys_ia32_stat64
> arch/x86/entry/syscalls/syscall_32.tbl:196 i386 lstat64 sys_lstat64 compat_sys_ia32_lstat64
> arch/x86/entry/syscalls/syscall_32.tbl:197 i386 fstat64 sys_fstat64 compat_sys_ia32_fstat64
> arch/x86/entry/syscalls/syscall_32.tbl:300 i386 fstatat64 sys_fstatat64 compat_sys_ia32_fstatat64
> arch/alpha/kernel/syscalls/syscall.tbl:224 common osf_stat sys_osf_stat
> arch/alpha/kernel/syscalls/syscall.tbl:225 common osf_lstat sys_osf_lstat
> arch/alpha/kernel/syscalls/syscall.tbl:226 common osf_fstat sys_osf_fstat
>

Hi Arnd,

Thanks for reviewing this patch! You're right, it seems all these stat
variants should be added as well. Steve and Paul, correct me if I'm
wrong here, please.

> Not sure about ustat/fstatfs/statfs, I suppose those are a different
> category, right?

Yes, I believe these would fall under a different category, since they
are related to filesystem stats. Audit PERM classes are specifically
for file metadata and access operations, not filesystem statistics

>
> Arnd
>

I will work on v2 shortly.

Thanks,
-Ricardo
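
The gap raised in the review can be checked mechanically. The following is an added example, not part of the original message or the kernel tree: it parses grep-style syscall table lines (a subset of those quoted above, plus one constructed line) and reports names with no `__NR_<name>` entry in the table from the hunk. It assumes the third table column maps to `__NR_<name>`; the function names are hypothetical.

```python
import re

# Class table entries as they appear in the quoted hunk (rest of the file is not on the page).
GUARDED = ("readlinkat", "file_getattr", "stat", "lstat", "fstat", "newfstatat")
HEADER = "\n".join(f"#ifdef __NR_{n}\n__NR_{n},\n#endif" for n in GUARDED) + "\n__NR_statx,\n"

# "<file>:<nr> <abi> <name> <entry> [compat]" lines; the last one is constructed.
TBL_LINES = """\
scripts/syscall.tbl:80 stat64 fstat64 sys_fstat64
arch/x86/entry/syscalls/syscall_32.tbl:18 i386 oldstat sys_stat
arch/x86/entry/syscalls/syscall_32.tbl:197 i386 fstat64 sys_fstat64 compat_sys_ia32_fstat64
arch/x86/entry/syscalls/syscall_32.tbl:300 i386 fstatat64 sys_fstatat64 compat_sys_ia32_fstatat64
arch/alpha/kernel/syscalls/syscall.tbl:224 common osf_stat sys_osf_stat
example/syscall.tbl:4 common stat sys_newstat
"""

def table_entries(header_text):
    """Return the syscall names listed as `__NR_<name>,` (guard lines are skipped)."""
    return set(re.findall(r"^\s*__NR_(\w+)\s*,", header_text, re.M))

def parse_tbl_line(line):
    """Split one grep-style table line into (file, abi, name)."""
    path, _, rest = line.partition(":")
    fields = rest.split()
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError(f"not a syscall table line: {line!r}")
    return path, fields[1], fields[2]

def missing_from_table(tbl_lines, header_text):
    """Map each syscall name absent from the class table to where it is defined."""
    covered = table_entries(header_text)
    missing = {}
    for line in filter(None, map(str.strip, tbl_lines.splitlines())):
        path, abi, name = parse_tbl_line(line)
        if name not in covered:
            missing.setdefault(name, []).append(f"{path} ({abi})")
    return missing

if __name__ == "__main__":
    for name, places in sorted(missing_from_table(TBL_LINES, HEADER).items()):
        print(f"__NR_{name}: not in table; defined in {', '.join(places)}")
```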