| Message ID | 3cd20de9fcf1ffa3044b5e48d21a91f280094cf1.1539758834.git.mbobrowski@mbobrowski.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | fanotify: introduce new event types FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM | expand |
On Wed 17-10-18 20:05:37, Matthew Bobrowski wrote: > diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h > index 329ac6684326..96616651220c 100644 > --- a/include/linux/fsnotify_backend.h > +++ b/include/linux/fsnotify_backend.h > @@ -44,8 +44,9 @@ > #define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ > #define FS_IN_IGNORED 0x00008000 /* last inotify event here */ > > -#define FS_OPEN_PERM 0x00010000 /* open event in an permission hook */ > +#define FS_OPEN_PERM 0x00010000 /* open event in a permission hook */ This hunk would belong to patch 1 instead of this one. > #define FS_ACCESS_PERM 0x00020000 /* access event in a permissions hook */ > +#define FS_OPEN_EXEC_PERM 0x00040000 /* open/exec in a permission hook */ > > #define FS_EXCL_UNLINK 0x04000000 /* do not send events if object is unlinked */ > #define FS_ISDIR 0x40000000 /* event occurred against dir */ > @@ -64,7 +65,7 @@ > FS_CLOSE_WRITE | FS_CLOSE_NOWRITE | FS_OPEN |\ > FS_MOVED_FROM | FS_MOVED_TO | FS_CREATE |\ > FS_DELETE | FS_OPEN_PERM | FS_ACCESS_PERM |\ > - FS_OPEN_EXEC) > + FS_OPEN_EXEC | FS_OPEN_EXEC_PERM) > > #define FS_MOVE (FS_MOVED_FROM | FS_MOVED_TO) > You seem to be missing an update of ALL_FSNOTIFY_PERM_EVENTS to also include FS_OPEN_EXEC_PERM. Otherwise the patch looks good to me. Honza
On Thu, Oct 18, 2018 at 11:26:20AM +0200, Jan Kara wrote: > On Wed 17-10-18 20:05:37, Matthew Bobrowski wrote: > > diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h > > index 329ac6684326..96616651220c 100644 > > --- a/include/linux/fsnotify_backend.h > > +++ b/include/linux/fsnotify_backend.h > > @@ -44,8 +44,9 @@ > > #define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ > > #define FS_IN_IGNORED 0x00008000 /* last inotify event here */ > > > > -#define FS_OPEN_PERM 0x00010000 /* open event in an permission hook */ > > +#define FS_OPEN_PERM 0x00010000 /* open event in a permission hook */ > > This hunk would belong to patch 1 instead of this one. Strange and totally agree. I'm quite perplexed as to why this came through in like this in this particular patch. Something really weird must've happened when I was "amending" previously recommended updates. > > > #define FS_ACCESS_PERM 0x00020000 /* access event in a permissions hook */ > > +#define FS_OPEN_EXEC_PERM 0x00040000 /* open/exec in a permission hook */ > > > > #define FS_EXCL_UNLINK 0x04000000 /* do not send events if object is unlinked */ > > #define FS_ISDIR 0x40000000 /* event occurred against dir */ > > @@ -64,7 +65,7 @@ > > FS_CLOSE_WRITE | FS_CLOSE_NOWRITE | FS_OPEN |\ > > FS_MOVED_FROM | FS_MOVED_TO | FS_CREATE |\ > > FS_DELETE | FS_OPEN_PERM | FS_ACCESS_PERM |\ > > - FS_OPEN_EXEC) > > + FS_OPEN_EXEC | FS_OPEN_EXEC_PERM) > > > > #define FS_MOVE (FS_MOVED_FROM | FS_MOVED_TO) > > > > You seem to be missing an update of ALL_FSNOTIFY_PERM_EVENTS to also > include FS_OPEN_EXEC_PERM. Oh, yep! Thanks for pointing that out. > Otherwise the patch looks good to me. :-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index 8a49a0adab73..a427daf8d117 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -211,8 +211,9 @@ static int fanotify_handle_event(struct fsnotify_group *group, BUILD_BUG_ON(FAN_ACCESS_PERM != FS_ACCESS_PERM); BUILD_BUG_ON(FAN_ONDIR != FS_ISDIR); BUILD_BUG_ON(FAN_OPEN_EXEC != FS_OPEN_EXEC); + BUILD_BUG_ON(FAN_OPEN_EXEC_PERM != FS_OPEN_EXEC_PERM); - BUILD_BUG_ON(HWEIGHT32(ALL_FANOTIFY_EVENT_BITS) != 11); + BUILD_BUG_ON(HWEIGHT32(ALL_FANOTIFY_EVENT_BITS) != 12); mask = fanotify_group_event_mask(iter_info, mask, data, data_type); if (!mask) diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index 051e5fc0dba1..40ed97aede29 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c @@ -402,7 +402,7 @@ static __init int fsnotify_init(void) { int ret; - BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 24); + BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 25); ret = init_srcu_struct(&fsnotify_mark_srcu); if (ret) diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h index 0e07d23b6c17..614943153596 100644 --- a/include/linux/fanotify.h +++ b/include/linux/fanotify.h @@ -42,7 +42,8 @@ FAN_CLOSE | FAN_OPEN | FAN_OPEN_EXEC) /* Events that require a permission response from user */ -#define FANOTIFY_PERM_EVENTS (FAN_OPEN_PERM | FAN_ACCESS_PERM) +#define FANOTIFY_PERM_EVENTS (FAN_OPEN_PERM | FAN_ACCESS_PERM | \ + FAN_OPEN_EXEC_PERM) /* Extra flags that may be reported with event or control handling of events */ #define FANOTIFY_EVENT_FLAGS (FAN_EVENT_ON_CHILD | FAN_ONDIR) diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h index 1fe5ac93b252..6fb8d1fcfeaf 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h @@ -38,12 +38,14 @@ static inline int fsnotify_perm(struct file *file, int mask) return 0; if (!(mask & (MAY_READ | MAY_OPEN))) return 0; - if (mask & MAY_OPEN) + if (mask & MAY_OPEN) { fsnotify_mask = FS_OPEN_PERM; - else if (mask & MAY_READ) + + if (file->f_flags & __FMODE_EXEC) + fsnotify_mask |= FS_OPEN_EXEC_PERM; + } else if (mask & MAY_READ) { fsnotify_mask = FS_ACCESS_PERM; - else - BUG(); + } ret = fsnotify_parent(path, NULL, fsnotify_mask); if (ret) diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h index 329ac6684326..96616651220c 100644 --- a/include/linux/fsnotify_backend.h +++ b/include/linux/fsnotify_backend.h @@ -44,8 +44,9 @@ #define FS_Q_OVERFLOW 0x00004000 /* Event queued overflowed */ #define FS_IN_IGNORED 0x00008000 /* last inotify event here */ -#define FS_OPEN_PERM 0x00010000 /* open event in an permission hook */ +#define FS_OPEN_PERM 0x00010000 /* open event in a permission hook */ #define FS_ACCESS_PERM 0x00020000 /* access event in a permissions hook */ +#define FS_OPEN_EXEC_PERM 0x00040000 /* open/exec in a permission hook */ #define FS_EXCL_UNLINK 0x04000000 /* do not send events if object is unlinked */ #define FS_ISDIR 0x40000000 /* event occurred against dir */ @@ -64,7 +65,7 @@ FS_CLOSE_WRITE | FS_CLOSE_NOWRITE | FS_OPEN |\ FS_MOVED_FROM | FS_MOVED_TO | FS_CREATE |\ FS_DELETE | FS_OPEN_PERM | FS_ACCESS_PERM |\ - FS_OPEN_EXEC) + FS_OPEN_EXEC | FS_OPEN_EXEC_PERM) #define FS_MOVE (FS_MOVED_FROM | FS_MOVED_TO) @@ -77,7 +78,7 @@ FS_DELETE | FS_DELETE_SELF | FS_MOVE_SELF | \ FS_UNMOUNT | FS_Q_OVERFLOW | FS_IN_IGNORED | \ FS_OPEN_PERM | FS_ACCESS_PERM | FS_DN_RENAME |\ - FS_OPEN_EXEC) + FS_OPEN_EXEC | FS_OPEN_EXEC_PERM) /* Extra flags that may be reported with event or control handling of events */ #define ALL_FSNOTIFY_FLAGS (FS_EXCL_UNLINK | FS_ISDIR | FS_IN_ONESHOT | \ diff --git a/include/uapi/linux/fanotify.h b/include/uapi/linux/fanotify.h index da278f11ab29..e2df10c61cb1 100644 --- a/include/uapi/linux/fanotify.h +++ b/include/uapi/linux/fanotify.h @@ -16,6 +16,7 @@ #define FAN_OPEN_PERM 0x00010000 /* File open in perm check */ #define FAN_ACCESS_PERM 0x00020000 /* File accessed in perm check */ +#define FAN_OPEN_EXEC_PERM 0x00040000 /* File open/exec in perm check */ #define FAN_ONDIR 0x40000000 /* event occurred against dir */
A new event type FAN_OPEN_EXEC_PERM has been defined. This allows users to receive and grant access to files that are intending to be opened for execution. Events of FAN_OPEN_EXEC_PERM type will be generated when a file has been opened by using either execve(), execveat() or uselib() system calls. This acts in the same manor as previous permission event types, meaning that an access response is required from the application to permit further operations on the file. This feature is implemented within the fsnotify_perm() hook by setting FAN_OPEN_EXEC_PERM event type if __FMODE_EXEC is set within file->f_flags. Signed-off-by: Matthew Bobrowski <mbobrowski@mbobrowski.org> --- fs/notify/fanotify/fanotify.c | 3 ++- fs/notify/fsnotify.c | 2 +- include/linux/fanotify.h | 3 ++- include/linux/fsnotify.h | 10 ++++++---- include/linux/fsnotify_backend.h | 7 ++++--- include/uapi/linux/fanotify.h | 1 + 6 files changed, 16 insertions(+), 10 deletions(-)