Currently, the fanotify API does not provide a means for user space applications to receive events when a file has been opened specifically for execution. New event masks FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM have been introduced in order to provide users with this capability. These event types, when either are explicitly requested by the user, will be returned within the event mask when a marked file object is being opened has __FMODE_EXEC set as one of the flags for open_flag. Linux is used as an operating system in some products, with an environment that can be certified under the Common Criteria Operating System Protection Profile (OSPP). This is a formal threat model for a class of technology. It requires specific countermeasures to mitigate threats. It requires documentation to explain how a product implements these countermeasures. It requires proof via a test suite to demonstrate that the requirements are met, observed and checked by an independent qualified third party. The latest set of requirements for OSPP v4.2 can be found here: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=424&id=424 If you look on page 58, you will see the following requirement: FPT_SRP_EXT.1 Software Restriction Policies FPT_SRP_EXT.1.1 administrator specified [selection: file path, file digital signature, version, hash, [assignment: other characteristics] ] This patch is to help aid in meeting this requirement. Note that this set of patches are based on Amir's fsnotify-fixes branch, which has already been posted through for review. For those interested, this branch can be found here: https://github.com/amir73il/linux/commits/fsnotify-fixes LTP tests for this feature are on my 'fanotify-exec' branch here: https://github.com/matthewbobrowski/ltp/commits/fanotify_exec. The files that contains the test cases are provided below: syscalls/fanotify03: test cases have been updated to cover FAN_OPEN_EXEC_PERM events syscalls/fanotify12: newly introduced LTP test file to cover FAN_OPEN_EXEC events The man pages updates for these newly defined event masks can be found here: https://github.com/matthewbobrowski/man-pages/commits/fanotify_exec. I would like to thank both Amir and Jan for their time and help, highly appreciated once again. --- Matthew Bobrowski (4): fanotify: return only user requested event types in event mask fanotify: introduce new event mask FAN_OPEN_EXEC fanotify: introduce new event mask FAN_OPEN_EXEC_PERM fsnotify: don't merge events FS_OPEN_PERM and FS_OPEN_EXEC_PERM fs/notify/fanotify/fanotify.c | 29 +++++++++------- fs/notify/fsnotify.c | 2 +- include/linux/fanotify.h | 5 +-- include/linux/fsnotify.h | 58 +++++++++++++++++++------------- include/linux/fsnotify_backend.h | 13 ++++--- include/uapi/linux/fanotify.h | 2 ++ 6 files changed, 66 insertions(+), 43 deletions(-) -- 2.17.2 -- Matthew Bobrowski