A flaw was found in the kernel's audit by access permission feature which would not record open_by_handle_at syscalls. This does not mean that a user is granted access to resources that they would not be able to. This means that the audit log trail would not contain the log events of access.
Acknowledgments: Name: Felix Kosterhon (SECUINFRA GmbH)
This is public: 2021-02-18 https://seclists.org/oss-sec/2021/q1/155 2021-03-02 https://listman.redhat.com/archives/linux-audit/2021-February/msg00079.html related 2016-04-16 https://github.com/linux-audit/audit-kernel/issues/9
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1936258]
Mitigation: This syscall can still be audited by using the 'syscall auditing feature' by passing open_by_handle_at to it in the rule. Existing auditing ruleset requirements generally use this mechanism.