fanotify_init.2, fanotify.7: Document FAN_AUDIT flag and FAN_ENABLE_AUDIT

Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

2 files changed, 15 insertions, 1 deletions

diff --git a/man2/fanotify_init.2 b/man2/fanotify_init.2
index 62d07a4658..13538912b9 100644
--- a/man2/fanotify_init.2
+++ b/man2/fanotify_init.2
@@ -156,6 +156,13 @@ supplied to
 (see
 .BR fanotify (7)).
 .TP
+.BR FAN_ENABLE_AUDIT " (since Linux 4.15)"
+.\" commit de8cd83e91bc3ee212b3e6ec6e4283af9e4ab269
+Enable generation of audit log records about access mediation performed by
+permission events. The permission event response has to be marked with
+.B FAN_AUDIT
+flag for audit log record to be generated.
+.TP
 .BR FAN_REPORT_FID " (since Linux 5.1)"
 .\" commit a8b13aa20afb69161b5123b4f1acc7ea0a03d360
 This value allows the receipt of events which contain additional information
diff --git a/man7/fanotify.7 b/man7/fanotify.7
index 46ebf767df..d5bf6d9877 100644
--- a/man7/fanotify.7
+++ b/man7/fanotify.7
@@ -588,7 +588,14 @@ to deny the file operation.
 .PP
 If access is denied, the requesting application call will receive an
 .BR EPERM
-error.
+error. Additionally, if the notification group has been created with
+.B FAN_ENABLE_AUDIT
+flag,
+.B FAN_AUDIT
+flag can be set in the
+.I response
+field. In that case audit subsystem will log information about the access
+decision to the audit logs.
 .\"
 .SS Closing the fanotify file descriptor
 When all file descriptors referring to the fanotify notification group are