On Mon, Mar 14, 2022 at 10:47 AM Jan Kara <jack@xxxxxxx> wrote:
>
> On Sat 12-03-22 11:22:29, Srinivas wrote:
> > If a process calls fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
> > FAN_OPEN_PERM, 0, "/mountpoint") no other directory exclusions can be
> > applied.
> >
> > However a path (file) exclusion can still be applied using
> >
> > fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
> > FAN_MARK_IGNORED_SURV_MODIFY, FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD,
> > "/tmp/fio/abc"); ===> path exclusion that works.
> >
> > I think the directory exclusion not working is a bug as otherwise AV
> > solutions can't exclude directories when using FAN_MARK_MOUNT.
> >
> > I believe the change should be simple since we are already supporting
> > path exclusions. So we should be able to add the same for the directory
> > inode.
> >
> > 215676 – fanotify Ignoring/Excluding a Directory not working with
> > FAN_MARK_MOUNT (kernel.org)
>
> Thanks for the report! So I believe this should be fixed by commit 4f0b903ded
> ("fsnotify: fix merge with parent's ignored mask") which is currently
> sitting in my tree and will go to Linus during the merge window (opening in a
> week).

Actually, on a closer look, that fix alone is not enough.
With the current upstream kernel this should work to exclude events
in a directory:

fanotify_mark(fd, FAN_MARK_ADD,
              FAN_EVENT_ON_CHILD | FAN_OPEN_PERM | FAN_CLOSE_WRITE,
              AT_FDCWD, "/tmp/fio/");
fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK | FAN_MARK_IGNORED_SURV_MODIFY,
              FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD, "/tmp/fio/");

The first call tells fanotify that the inode mark on "/tmp/foo" is
interested in events on children (and not only on self).
The second call sets the ignored mark for open/close events.
The fix only removed the need to include the events in the first call.

Should we also interpret FAN_EVENT_ON_CHILD correctly in a call to
fanotify_mark() to set an ignored mask? Possibly. But that has not been
done yet.
I can look into that if there is interest.

In retrospect, FAN_EVENT_ON_CHILD and FAN_ONDIR would have been more clear
as FAN_MARK_ flags, but that's too late.

Thanks,
Amir.
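The two-call directory exclusion described in the message, as an added example that is not part of the thread: the two fanotify_mark() calls on the excluded directory are the ones Amir gives, placed on top of the mount-wide FAN_OPEN_PERM mark from Srinivas' report. The surrounding code (the function names fanotify_exclude_dir, setup_av_watch and probe_av_watch, the mount point "/" and the excluded directory "/tmp", and the -errno return convention) is this example's own and not from any kernel or userspace project. fanotify_init() with FAN_CLASS_CONTENT needs CAP_SYS_ADMIN, so an unprivileged run reports -EPERM rather than demonstrating the exclusion.

```c
/*
 * Added example, not code from the mailing-list thread.
 * Shows the mount-wide FAN_OPEN_PERM watch from the bug report together with
 * the two-call directory exclusion from Amir's reply.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Events the AV scenario in the thread watches mount-wide. */
#define WATCHED_EVENTS (FAN_OPEN_PERM | FAN_CLOSE_WRITE)

/*
 * Exclude WATCHED_EVENTS on the children of `dir` from an existing group.
 * Returns 0 on success, or -errno.
 *
 * Call 1: an inode mark on the directory carrying FAN_EVENT_ON_CHILD, so the
 *         directory's marks (including its ignored mask) are consulted for
 *         events on its children, not only on the directory itself.
 *         The event bits are kept so this also works on kernels without
 *         commit 4f0b903ded, which only removed the need for them.
 * Call 2: the ignored mask on the same inode; FAN_MARK_IGNORED_SURV_MODIFY
 *         keeps it from being dropped when a child is modified.
 */
int fanotify_exclude_dir(int fan_fd, const char *dir)
{
    if (fanotify_mark(fan_fd, FAN_MARK_ADD,
                      FAN_EVENT_ON_CHILD | WATCHED_EVENTS, AT_FDCWD, dir) < 0)
        return -errno;
    if (fanotify_mark(fan_fd,
                      FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
                      FAN_MARK_IGNORED_SURV_MODIFY,
                      WATCHED_EVENTS, AT_FDCWD, dir) < 0)
        return -errno;
    return 0;
}

/*
 * Create a content-class group (required for permission events), add the
 * mount-wide mark, then exclude `excluded_dir`.
 * Returns the group fd (caller closes it), or -errno.  Unprivileged callers
 * get -EPERM from fanotify_init(); seccomp-filtered ones may get -ENOSYS.
 */
int setup_av_watch(const char *mountpoint, const char *excluded_dir)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fd < 0)
        return -errno;
    if (fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT, WATCHED_EVENTS,
                      AT_FDCWD, mountpoint) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    int rc = fanotify_exclude_dir(fd, excluded_dir);
    if (rc < 0) {
        close(fd);
        return rc;
    }
    return fd;
}

/*
 * Set the watch up and tear it straight down again.  Returns 0 if the whole
 * sequence was accepted by the kernel, or -errno from the failing step.
 * Closing the group fd releases the marks and allows any pending
 * permission events, so nothing is left behind.
 */
int probe_av_watch(const char *mountpoint, const char *excluded_dir)
{
    int fd = setup_av_watch(mountpoint, excluded_dir);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

int main(void)
{
    /* "/" and "/tmp" are placeholder paths chosen for this example. */
    int rc = probe_av_watch("/", "/tmp");
    if (rc < 0) {
        fprintf(stderr, "fanotify setup failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("mount-wide watch accepted; /tmp children excluded\n");
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN) on a kernel that carries the fix to see the sequence accepted; on older kernels the event bits in the first call are what make the ignored mask take effect for children.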