Re: [PATCH v4 0/3] fanotify: introduce new event types FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM

On Thu, Oct 11, 2018 at 1:42 PM Matthew Bobrowski
<mbobrowski@xxxxxxxxxxxxxx> wrote:
>
> Currently, the fanotify API does not provide a means for user space
> applications to receive events when a file has been opened specifically
> for execution. New event types FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM have
> been introduced in order to provide users this capability.
>
> These event types, when either is explicitly requested by the user, will
> be returned within the event mask when a marked file object is being
> opened with __FMODE_EXEC set as one of the flags for open_flag.
>
> Linux is used as an operating system in some products, with an environment
> that can be certified under the Common Criteria Operating System
> Protection Profile (OSPP). This is a formal threat model for a class of
> technology. It requires specific countermeasures to mitigate threats. It
> requires documentation to explain how a product implements these
> countermeasures. It requires proof via a test suite to demonstrate that
> the requirements are met, observed and checked by an independent qualified
> third party. The latest set of requirements for OSPP v4.2 can be found
> here:
>
> https://www.niap-ccevs.org/Profile/Info.cfm?PPID=424&id=424
>
> If you look on page 58, you will see the following requirement:
>
> FPT_SRP_EXT.1 Software Restriction Policies FPT_SRP_EXT.1.1
> administrator specified [selection:
>         file path,
>         file digital signature,
>         version,
>         hash,
>         [assignment: other characteristics]
> ]
>
> This patch is to help aid in meeting this requirement.
>
> I've also written the required updates for the man-pages project. You can
> find the necessary changes for these new event types within the following
> commit:
>
> https://github.com/matthewbobrowski/man-pages/commit/d075dd8c8dfe19fccb9ea91f9550ea41b6e67334
>
> Please note that all modifications here are based on the changes Amir has
> made around deprecating some of the previously exposed UAPI constants. The
> branch which my changes are based on can be found here:
>
> https://github.com/amir73il/linux/tree/fanotify_api-v3
>

There is already a newer version merged into Jan's fsnotify branch.
You should rebase on that branch, although I don't see any immediate
merge conflicts.

> Lastly, thanks to both Amir and Jan for their help and feedback along the
> way, truly appreciated.
>

Jan,

You may add
Reviewed-by: Amir Goldstein <amir73il@xxxxxxxxx>

on the series.

Thanks,
Amir.
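As an added illustration of the API the cover letter describes (this is example code written for this page, not code from the patch series, the man-pages commit or either branch), the following listener marks a mount with FAN_OPEN_EXEC_PERM and FAN_OPEN_EXEC and answers each permission request from a path-based allowlist, the "file path" selection of FPT_SRP_EXT.1. It assumes a kernel and headers carrying the merged series (fallback defines use the UAPI values), CAP_SYS_ADMIN at runtime, and a hypothetical allowlist chosen only for illustration. The policy decision is kept in a pure function, separate from the fanotify I/O, so it can be tested without root.

```c
/*
 * Added example (not code from the patch series or the man-pages commit):
 * a minimal FAN_OPEN_EXEC_PERM gatekeeper. Assumes a kernel with the
 * merged series and CAP_SYS_ADMIN at runtime; the allowlist below is a
 * hypothetical policy chosen for illustration.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Fallbacks for headers older than the series; values match the UAPI header. */
#ifndef FAN_OPEN_EXEC
#define FAN_OPEN_EXEC      0x00001000
#endif
#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000
#endif

/* Hypothetical path-based software restriction policy (FPT_SRP_EXT.1 "file path"). */
static const char *const allowed_prefixes[] = {
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/", "/lib/",
};

/*
 * Pure policy decision, kept free of fanotify I/O so it can be unit-tested.
 * Returns FAN_ALLOW or FAN_DENY for the resolved path and the event mask.
 */
unsigned int exec_policy_decision(const char *path, uint64_t mask)
{
    if (!(mask & FAN_OPEN_EXEC_PERM))
        return FAN_ALLOW;                 /* notify-only event: nothing to gate */
    if (path == NULL || path[0] != '/')
        return FAN_DENY;                  /* object could not be resolved: fail closed */
    const char deleted[] = " (deleted)";
    size_t n = strlen(path), d = sizeof deleted - 1;
    if (n >= d && strcmp(path + n - d, deleted) == 0)
        return FAN_DENY;                  /* unlinked-but-open binary: fail closed */
    for (size_t i = 0; i < sizeof allowed_prefixes / sizeof allowed_prefixes[0]; i++)
        if (strncmp(path, allowed_prefixes[i], strlen(allowed_prefixes[i])) == 0)
            return FAN_ALLOW;
    return FAN_DENY;
}

/* Resolve the event's open file descriptor to a path via /proc; "" on failure. */
static void resolve_fd_path(int fd, char *out, size_t outlen)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outlen - 1);
    out[n > 0 ? (size_t)n : 0] = '\0';
}

/* Drain one read() worth of events, answering every permission request. */
static void handle_events(int fan_fd)
{
    char buf[8192] __attribute__((aligned(8)));
    ssize_t len = read(fan_fd, buf, sizeof buf);
    if (len <= 0)
        return;
    const struct fanotify_event_metadata *m = (const void *)buf;
    for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
        if (m->vers != FANOTIFY_METADATA_VERSION) {
            fprintf(stderr, "fanotify metadata version mismatch\n");
            exit(EXIT_FAILURE);
        }
        if (m->fd < 0)
            continue;                     /* FAN_NOFD, e.g. queue overflow */
        char path[PATH_MAX];
        resolve_fd_path(m->fd, path, sizeof path);
        if (m->mask & FAN_OPEN_EXEC_PERM) {
            struct fanotify_response r = {
                .fd = m->fd, .response = exec_policy_decision(path, m->mask),
            };
            printf("exec %s pid=%d -> %s\n", path, (int)m->pid,
                   r.response == FAN_ALLOW ? "allow" : "deny");
            if (write(fan_fd, &r, sizeof r) != (ssize_t)sizeof r)
                perror("write response");
        } else if (m->mask & FAN_OPEN_EXEC) {
            printf("exec-open %s pid=%d (notify only)\n", path, (int)m->pid);
        }
        close(m->fd);                     /* always release the event's fd */
    }
}

int main(int argc, char **argv)
{
    const char *mount_point = argc > 1 ? argv[1] : "/";
    int fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan_fd < 0) { perror("fanotify_init"); return EXIT_FAILURE; }
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_EXEC_PERM | FAN_OPEN_EXEC, AT_FDCWD, mount_point) < 0) {
        perror("fanotify_mark");
        return EXIT_FAILURE;
    }
    for (;;)
        handle_events(fan_fd);
}
```

Run it as root with the mount point to guard as the only argument. Two caveats follow directly from how the events are defined: only opens that carry __FMODE_EXEC are reported, so code mapped executable from an already-open file is not seen by this listener; and a FAN_CLASS_CONTENT listener holds every exec on the marked mount until it answers, so it must never exec from that mount itself, and when the listener's fanotify descriptor is closed the kernel allows any requests still pending.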
