When setting up an fanotify listener, user may request to get fid
information in event instead of an open file descriptor.
The fid obtained with event on a watched object contains the file
handle returned by name_to_handle_at(2) and fsid returned by statfs(2).
Both name_to_handle_at(2) and statfs(2) are allowed for unprivileged
users that have access to a given path, so we also allow an unprivileged
listener to get fid information, because with unprivileged listener,
users can only set marks on inode objects they have read access to.
When setting a mark, we need to make sure that the filesystem
supports file handles, so user can use name_to_handle_at(2) to compare
fid returned with event to the file handle of watched objects.
Cc: <linux-api@xxxxxxxxxxxxxxx>
Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
---
fs/notify/fanotify/fanotify_user.c | 17 ++++++++++++++++-
include/linux/fanotify.h | 2 +-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 7e38d7a1854b..8ded9b5c0e76 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -17,6 +17,7 @@
#include <linux/compat.h>
#include <linux/sched/signal.h>
#include <linux/memcontrol.h>
+#include <linux/exportfs.h>
#include <asm/ioctls.h>
@@ -942,6 +943,19 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
if (ret)
goto fput_and_out;
+ /*
+ * We need to make sure whether the file system supports at least
+ * encoding a file handle so user can use name_to_handle_at() to
+ * compare fid returned with event to the file handle of watched
+ * objects. However, name_to_handle_at() requires that filesystem
+ * supports decoding file handles as well.
+ */
+ ret = -EOPNOTSUPP;
+ if (FAN_GROUP_FLAG(group, FAN_REPORT_FID) &&
+ (!path.dentry->d_sb->s_export_op ||
+ !path.dentry->d_sb->s_export_op->fh_to_dentry))
+ goto path_put_and_out;
+
/* inode held in place by reference to path; group by fget on fd */
if (mark_type == FAN_MARK_INODE)
inode = path.dentry->d_inode;
@@ -970,6 +984,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
ret = -EINVAL;
}
+path_put_and_out:
path_put(&path);
fput_and_out:
fdput(f);
@@ -1006,7 +1021,7 @@ COMPAT_SYSCALL_DEFINE6(fanotify_mark,
*/
static int __init fanotify_user_setup(void)
{
- BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 7);
+ BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 8);
BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h
index 9e2142795335..f59be967f72b 100644
--- a/include/linux/fanotify.h
+++ b/include/linux/fanotify.h
@@ -19,7 +19,7 @@
FAN_CLASS_PRE_CONTENT)
#define FANOTIFY_INIT_FLAGS (FANOTIFY_CLASS_BITS | \
- FAN_REPORT_TID | \
+ FAN_REPORT_TID | FAN_REPORT_FID | \
FAN_CLOEXEC | FAN_NONBLOCK | \
FAN_UNLIMITED_QUEUE | FAN_UNLIMITED_MARKS)
--
2.17.1
