On Thu, Oct 11, 2018 at 1:42 PM Matthew Bobrowski <mbobrowski@xxxxxxxxxxxxxx> wrote:
>
> Currently, the fanotify API does not provide a means for user space
> applications to receive events when a file has been opened specifically
> for execution. New event types FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM have
> been introduced in order to provide users this capability.
>
> These event types, when either is explicitly requested by the user, will
> be returned within the event mask when a marked file object is opened
> with __FMODE_EXEC set as one of the flags in open_flag.
>
> Linux is used as an operating system in some products, with an environment
> that can be certified under the Common Criteria Operating System
> Protection Profile (OSPP). This is a formal threat model for a class of
> technology. It requires specific countermeasures to mitigate threats. It
> requires documentation to explain how a product implements these
> countermeasures. It requires proof via a test suite to demonstrate that
> the requirements are met, observed and checked by an independent qualified
> third party. The latest set of requirements for OSPP v4.2 can be found
> here:
>
> https://www.niap-ccevs.org/Profile/Info.cfm?PPID=424&id=424
>
> If you look on page 58, you will see the following requirement:
>
> FPT_SRP_EXT.1 Software Restriction Policies
> FPT_SRP_EXT.1.1 administrator specified [selection:
>     file path,
>     file digital signature,
>     version,
>     hash,
>     [assignment: other characteristics]
> ]
>
> This patch is to help aid in meeting this requirement.
>
> I've also written the required updates for the man-pages project. You can
> find the necessary changes for these new event types within the following
> commit:
>
> https://github.com/matthewbobrowski/man-pages/commit/d075dd8c8dfe19fccb9ea91f9550ea41b6e67334
>
> Please note that all modifications here are based on the changes Amir has
> made around deprecating some of the previously exposed UAPI constants. The
> branch which my changes are based on can be found here:
>
> https://github.com/amir73il/linux/tree/fanotify_api-v3
>

There is already a newer version merged to Jan's fsnotify branch.
You should rebase on that branch, although I don't see any immediate
merge conflicts.

> Lastly, thanks to both Amir and Jan for their help and feedback along the
> way, truly appreciated.
>

Jan, you may add

Reviewed-by: Amir Goldstein <amir73il@xxxxxxxxx>

on the series.

Thanks,
Amir.
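For readers who want to see how the two new event types are consumed from user space, here is an added example of a fanotify listener that asks for FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM on a mount and answers each permission event from a path allowlist, in the spirit of the "file path" selection of FPT_SRP_EXT.1.1 quoted above. This is not code from the patch series or from the man-pages change; the allowlist (`/usr/bin/`, `/usr/sbin/`), the helper names (`exec_policy_decide`, `exec_event_label`, `handle_events`) and the fail-closed policy are assumptions made for the example. It needs CAP_SYS_ADMIN and a kernel that implements the new events; the fallback `#define`s only let it compile against older UAPI headers, they do not make an older kernel report exec opens.

```c
/* Added example: a FAN_OPEN_EXEC_PERM listener enforcing a hypothetical
 * path-based allowlist. Not part of the fanotify patch series or man-pages.
 * Requires CAP_SYS_ADMIN and a kernel that reports FAN_OPEN_EXEC. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Older UAPI headers predate the exec events; values as in linux/fanotify.h. */
#ifndef FAN_OPEN_EXEC
#define FAN_OPEN_EXEC      0x00001000
#endif
#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000
#endif

/* Hypothetical policy: only binaries below these prefixes may be executed
 * from the marked mount (the "file path" selection of FPT_SRP_EXT.1.1). */
static const char *const allowed_prefixes[] = { "/usr/bin/", "/usr/sbin/", NULL };

/* Decide on a canonical absolute path (as read back from /proc/self/fd/N).
 * Fails closed: unresolved paths and anything outside the allowlist are denied. */
unsigned int exec_policy_decide(const char *path)
{
    if (path == NULL || path[0] != '/')
        return FAN_DENY;
    for (int i = 0; allowed_prefixes[i] != NULL; i++) {
        size_t n = strlen(allowed_prefixes[i]);
        if (strncmp(path, allowed_prefixes[i], n) == 0 && path[n] != '\0')
            return FAN_ALLOW;
    }
    return FAN_DENY;
}

/* Label the exec-related bits of an event mask for logging. */
const char *exec_event_label(uint64_t mask)
{
    if (mask & FAN_OPEN_EXEC_PERM)
        return "open-exec-perm";
    if (mask & FAN_OPEN_EXEC)
        return "open-exec";
    return "other";
}

/* Resolve the event's file descriptor to a path; empty string on failure. */
static void event_path(int fd, char *out, size_t outlen)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
}

/* Drain one read() worth of events. Every permission event must be answered,
 * otherwise the execve() in the other process blocks until we do. */
static void handle_events(int fan_fd)
{
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len = read(fan_fd, buf, sizeof buf);
    if (len <= 0)
        return;
    for (struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
         FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION) {
            fprintf(stderr, "fanotify metadata version mismatch\n");
            exit(1);
        }
        if (ev->fd < 0)
            continue;                     /* queue overflow: no fd, nothing to answer */
        char path[PATH_MAX];
        event_path(ev->fd, path, sizeof path);
        if (ev->mask & FAN_OPEN_EXEC_PERM) {
            struct fanotify_response resp = { .fd = ev->fd,
                                              .response = exec_policy_decide(path) };
            if (write(fan_fd, &resp, sizeof resp) != (ssize_t)sizeof resp)
                perror("fanotify response");
            printf("%s pid=%d %s -> %s\n", exec_event_label(ev->mask), (int)ev->pid,
                   path, resp.response == FAN_ALLOW ? "allow" : "deny");
        } else {
            printf("%s pid=%d %s\n", exec_event_label(ev->mask), (int)ev->pid, path);
        }
        close(ev->fd);
    }
}

int main(int argc, char **argv)
{
    const char *mnt = argc > 1 ? argv[1] : "/";
    /* FAN_CLASS_CONTENT (or PRE_CONTENT) is required to receive permission events. */
    int fan_fd = fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT, O_RDONLY | O_LARGEFILE);
    if (fan_fd < 0) {
        perror("fanotify_init");
        return 1;
    }
    /* Mark the whole mount containing mnt for both the notify and the perm event. */
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_EXEC | FAN_OPEN_EXEC_PERM, AT_FDCWD, mnt) < 0) {
        perror("fanotify_mark");          /* EINVAL: kernel does not know these events */
        return 1;
    }
    for (;;)
        handle_events(fan_fd);
}
```

Run it as root against a scratch mount first (`./exec_listener /mnt/test`), then try `execve()` of a binary inside and outside the allowlist from another shell: the allowed one runs and is logged as `open-exec-perm ... -> allow`, the other fails with EPERM. The listener must never exit or stop reading while a FAN_OPEN_EXEC_PERM mark is in place, since unanswered permission events stall the caller; the kernel only releases them when the group's fd is closed.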