Amir Goldstein <amir73il@xxxxxxxxx>:
> On Wed, Mar 20, 2019 at 4:30 PM Jan Kara <jack@xxxxxxx> wrote:
>> Well, I didn't mean all marks, just the permission ones. I'm not sure
>> there are apps that place permission events on /proc...
>
> Maybe not intentionally.
> I once tested a few fanotify-based AntiVirus solutions.
> In some of them, setting an "Exclude path" on some mount point
> would cause the mark to not be set on that path, but for one in particular,
> the mark was still being set on the mount, so path pattern filtering was
> done after receiving the events.
> I did not check whether /proc was blacklisted out of the box or if it
> could be marked/excluded from scan.
> IMO, assuming that all AntiVirus vendors blacklist all virtual filesystems
> is an assumption that we need to validate.
> [CC Marko from F-Secure for commenting on the above.]

Yeah, we have learned by experimentation to not mark some file systems.
(Also, inspecting some /proc files *during* OPEN_PERM processing of a
regular file can lead to deadlocks.)

Marko
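As an added illustration of the two practices the thread describes (refusing to place a permission mark on a virtual filesystem at all, and answering OPEN_PERM events for such files without inspecting them, so the listener never stalls or deadlocks on /proc), here is a minimal fanotify OPEN_PERM listener in C. It is not code from this thread or from any vendor's product; the set of filesystem magics treated as virtual and the placeholder `placeholder_inspect` hook are my assumptions. The filesystem is classified with `fstatfs()` on the event's own fd rather than by looking anything up under /proc, which is the deadlock Marko warns about.

```c
/* fanotify_guard.c: OPEN_PERM listener that never marks or inspects
 * virtual filesystems. Added example, not from the thread.
 * Build: gcc -Wall -o fanotify_guard fanotify_guard.c
 * Run (needs CAP_SYS_ADMIN): ./fanotify_guard /home
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/magic.h>
#include <sys/fanotify.h>
#include <sys/vfs.h>

/* Assumed list: filesystem types a permission-event listener must not
 * mark or inspect. Extend to taste (bpf, nsfs, ...). */
static const long virtual_fs_magics[] = {
    PROC_SUPER_MAGIC, SYSFS_MAGIC, DEBUGFS_MAGIC, DEVPTS_SUPER_MAGIC,
    CGROUP_SUPER_MAGIC, CGROUP2_SUPER_MAGIC, SECURITYFS_MAGIC, TRACEFS_MAGIC,
};

int is_virtual_fs_magic(long magic)
{
    for (size_t i = 0; i < sizeof virtual_fs_magics / sizeof virtual_fs_magics[0]; i++)
        if (virtual_fs_magics[i] == magic)
            return 1;
    return 0;
}

/* 1 = virtual fs, 0 = regular fs, -1 = fstatfs failed.
 * Uses only the fd itself: no /proc lookups inside the event handler. */
int fd_on_virtual_fs(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return -1;
    return is_virtual_fs_magic((long)sfs.f_type);
}

/* Verdict for one OPEN_PERM event. Files on virtual (or unclassifiable)
 * filesystems are allowed immediately, without any content inspection;
 * everything else goes through the inspect hook (non-zero = block). */
unsigned int decide(int event_fd, int (*inspect)(int))
{
    if (fd_on_virtual_fs(event_fd) != 0)
        return FAN_ALLOW;
    return inspect(event_fd) ? FAN_DENY : FAN_ALLOW;
}

/* Placeholder for a real content check; always reports "clean". */
static int placeholder_inspect(int fd) { (void)fd; return 0; }

static void respond(int fan_fd, int event_fd, unsigned int verdict)
{
    struct fanotify_response resp = { .fd = event_fd, .response = verdict };
    if (write(fan_fd, &resp, sizeof resp) != (ssize_t)sizeof resp)
        perror("write response");
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <directory on the mount to guard>\n", argv[0]);
        return 2;
    }
    /* Exclude at mark time: never mark a virtual filesystem, instead of
     * marking the mount and filtering events by path afterwards. */
    int probe = open(argv[1], O_RDONLY | O_DIRECTORY);
    if (probe < 0) { perror("open"); return 1; }
    if (fd_on_virtual_fs(probe) != 0) {
        fprintf(stderr, "refusing to mark %s: virtual or unknown filesystem\n", argv[1]);
        return 1;
    }
    close(probe);

    int fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan_fd < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, argv[1]) < 0) {
        perror("fanotify_mark"); return 1;
    }

    char buf[4096] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan_fd, buf, sizeof buf);
        if (len <= 0) { if (errno == EINTR) continue; perror("read"); return 1; }
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(m, len)) {
            if (m->vers != FANOTIFY_METADATA_VERSION) {
                fprintf(stderr, "fanotify metadata version mismatch\n");
                return 1;
            }
            if ((m->mask & FAN_OPEN_PERM) && m->fd >= 0) {
                /* Every permission event must be answered, or the opener hangs. */
                respond(fan_fd, m->fd, decide(m->fd, placeholder_inspect));
                close(m->fd);
            }
            m = FAN_EVENT_NEXT(m, len);
        }
    }
}
```

The same `fd_on_virtual_fs()` check is applied twice on purpose: once before `fanotify_mark()`, so an "exclude" really means no mark, and once per event, because a mount mark can still deliver events for bind mounts or for files the operator did not expect. Unclassifiable files (fstatfs failure) are allowed rather than denied so the listener can never turn into a denial of service for the system it protects.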