[PATCH v2] audit: add missing syscalls to PERM class tables

From: Ricardo Robaina

Date: Fri Jun 12 2026 - 10:16:12 EST


Add missing file metadata syscalls to the audit PERM class tables,
addressing gaps where certain file operations were not properly
classified for audit rule matching.

Changes:
- audit_change_attr.h: Add file_setattr

- audit_read.h: Add quotactl_fd, file_getattr, stat, stat64, lstat,
lstat64, fstat, fstat64, newfstatat, fstatat64, and statx

- audit_write.h: Add quotactl_fd

Architecture-specific and conditionally-compiled syscalls are guarded
with #ifdef.

Signed-off-by: Steve Grubb <sgrubb@xxxxxxxxxx>
Signed-off-by: Ricardo Robaina <rrobaina@xxxxxxxxxx>
---
Changes in v2:
- Added stat64 family syscalls (stat64, lstat64, fstat64, fstatat64) to
audit_read.h for 32-bit architecture support.
- Dropped timestamp-related syscalls (utime, utimes, utimensat, etc.)
due to potential audit log volume increase impact. Those will be
addressed in a separate patch after closer investigation.

include/asm-generic/audit_change_attr.h | 3 +++
include/asm-generic/audit_read.h | 31 +++++++++++++++++++++++++
include/asm-generic/audit_write.h | 3 +++
3 files changed, 37 insertions(+)

diff --git a/include/asm-generic/audit_change_attr.h b/include/asm-generic/audit_change_attr.h
index ddd90bbe40df..94388da3490c 100644
--- a/include/asm-generic/audit_change_attr.h
+++ b/include/asm-generic/audit_change_attr.h
@@ -40,3 +40,6 @@ __NR_link,
#ifdef __NR_linkat
__NR_linkat,
#endif
+#ifdef __NR_file_setattr
+__NR_file_setattr,
+#endif
diff --git a/include/asm-generic/audit_read.h b/include/asm-generic/audit_read.h
index fb9991f53fb6..d8dc3dd6bf63 100644
--- a/include/asm-generic/audit_read.h
+++ b/include/asm-generic/audit_read.h
@@ -3,6 +3,9 @@
__NR_readlink,
#endif
__NR_quotactl,
+#ifdef __NR_quotactl_fd
+__NR_quotactl_fd,
+#endif
__NR_listxattr,
#ifdef __NR_listxattrat
__NR_listxattrat,
@@ -18,3 +21,31 @@ __NR_fgetxattr,
#ifdef __NR_readlinkat
__NR_readlinkat,
#endif
+#ifdef __NR_file_getattr
+__NR_file_getattr,
+#endif
+#ifdef __NR_stat
+__NR_stat,
+#endif
+#ifdef __NR_stat64
+__NR_stat64,
+#endif
+#ifdef __NR_lstat
+__NR_lstat,
+#endif
+#ifdef __NR_lstat64
+__NR_lstat64,
+#endif
+#ifdef __NR_fstat
+__NR_fstat,
+#endif
+#ifdef __NR_fstat64
+__NR_fstat64,
+#endif
+#ifdef __NR_newfstatat
+__NR_newfstatat,
+#endif
+#ifdef __NR_fstatat64
+__NR_fstatat64,
+#endif
+__NR_statx,
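Review bot: The stat-family entries added at the end of audit_read.h (__NR_stat through __NR_statx) put very frequently issued syscalls into the read class, while the v2 changelog drops the utime family over audit log volume concerns; the commit message should state what volume impact is expected for rules that filter on read permission, or explain why the same concern does not apply here. Separately, __NR_statx is the only new entry without an #ifdef guard, although the commit message says conditionally-compiled syscalls are guarded; either wrap it like the others or note in the commit message that it is defined wherever this header is included.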
diff --git a/include/asm-generic/audit_write.h b/include/asm-generic/audit_write.h
index f9f1d0ae11d9..378128dc31e3 100644
--- a/include/asm-generic/audit_write.h
+++ b/include/asm-generic/audit_write.h
@@ -5,6 +5,9 @@ __NR_acct,
__NR_swapon,
#endif
__NR_quotactl,
+#ifdef __NR_quotactl_fd
+__NR_quotactl_fd,
+#endif
#ifdef __NR_truncate
__NR_truncate,
#endif
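Review bot: __NR_quotactl_fd is listed here in audit_write.h and also in audit_read.h, so a quotactl_fd call is classified as both a read and a write no matter which command it carries. That mirrors the __NR_quotactl entry directly above it in both files, but the commit message only lists the addition; one sentence saying the double classification is intentional and follows quotactl would make the reasoning reviewable.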
--
2.53.0