Re: [PATCH v2 1/1] fanotify: introduce new event flag FAN_EXEC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon 01-10-18 17:01:23, Amir Goldstein wrote:
> On Mon, Oct 1, 2018 at 1:58 PM Jan Kara <jack@xxxxxxx> wrote:
> >
> > On Thu 27-09-18 23:05:14, Matthew Bobrowski wrote:
> > > This is a reduced version of a patch that I originally submitted a while ago.
> > >
> > > In short, the fanotify API currently does not provide any means for user space
> > > programs to receive events specifically when a file has been opened with the
> > > intent to be executed. The FAN_EXEC flag will be set within the event mask when
> > > a object has been opened with one of the open flags being __FMODE_EXEC.
> > >
> > > Linux is used as an Operating System in some products, with an environment that
> > > can be certified under the Common Criteria Operating System Protection Profile
> > > (OSPP). This is a formal threat model for a class of technology. It requires
> > > specific countermeasures to mitigate threats. It requires documentation to
> > > explain how a product implements these countermeasures. It requires proof via a
> > > test suite to demonstrate that the requirements are met, observed and checked by
> > > an independent qualified third party. The latest set of requirements for OSPP
> > > v4.2 can be found here:
> > >
> > > https://www.niap-ccevs.org/Profile/Info.cfm?PPID=424&id=424
> > >
> > > If you look on page 58, you will see the following requirement:
> > >
> > > FPT_SRP_EXT.1 Software Restriction Policies   FPT_SRP_EXT.1.1
> > >
> > > The OS shall restrict execution to only programs which match an administrator
> > > specified [selection:
> > >         file path,
> > >         file digital signature,
> > >         version,
> > >         hash,
> > >         [assignment: other characteristics]
> > > ]
> > >
> > > This patch is to help aid in meeting this requirement.
> > >
> > > Signed-off-by: Matthew Bobrowski <mbobrowski@xxxxxxxxxxxxxx>
> >
> > I agree with Amir's points wrt API so I won't repeat those. But I have one
> > more API question:
> >
> > You implement FS_EXEC as a flag that can get set for certain FAN_OPEN
> > events. That is a new API concept for fanotify. So far you can only request
> > event of a certain type and then you get the same flag back when the event
> > happens.  There is also a case of FAN_ONDIR where you can restrict set of
> > events only to events on a particular inode type but that's again
> > different. Hence my question: Is there a good reason why we don't create
> > FAN_OPEN_EXEC event that would trigger only on executable opens?
> >
> > If someone is interested only in executable opens, he'd have less events to
> > care about. OTOH additional FS_EXEC flag is probably more flexible (e.g.
> > you can easily implement equivalent of FAN_OPEN_NOEXEC in userspace if you
> > wished). Just the inconsistency of the FS_EXEC and e.g. how we handle
> > FAN_CLOSE_NOWRITE & FAN_CLOSE_WRITE is bothering me...
> >
> 
> I understand why the inconsitency is bothering you, but IMO it is too late
> to change that. By trying to be more consistent in the *implementation* of
> the flags, we will end up confusing users instead of making their life easy
> by sticking to FAN_OPEN sematics they are used to.
> 
> IMO we need to report FAN_OPEN for every open like we do now.
> and additionally report FAN_OPEN_EXEC for open for exec.

Fully agreed.

> Then user can implement FAN_OPEN_NOEXEC by setting ignore mask
> with FAN_OPEN_EXEC.

Good point.

> You can make the analogy to the compound event FAN_CLOSE.
> If user sets a mask to the compound event FAN_CLOSE and sets ignore
> mask with FAN_CLOSE_WRITE, then user effectively implemented
> FAN_CLOSE_NOWRITE with similar semantics to implementation of
> FAN_OPEN_NOEXEC.
> 
> Similarly, if user requests FAN_OPEN|FAN_CLOSE and then checks
> (event->mask & FAN_OPEN) or (event->mask & FAN_CLOSE) it  has
> similar meaning. Testing (event->mask & FAN_OPEN_EXEC) and
> (event->mask & FAN_CLOSE_WRITE) in this case is similarly informative.
> 
> Honestly, I can't think of an application interested only in
> FAN_CLOSE_NOWRITE nor only in FAN_OPEN_NOEXEC, but the
> functionality is available for both. The fact that user *can* implement the
> former without ignore mask and cannot implement to latter without
> ignore mask is IMO the neccesary evil we need to carry for historic API
> decisions.

So it seems we are in full agreement that we don't want "optional event
flags" as Matthew implemented it currently and rather want new event type
FAN_OPEN_EXEC?

								Honza
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux