On Fri, Jan 31, 2025 at 11:53:33AM +0100, Miklos Szeredi wrote:
> On Thu, 30 Jan 2025 at 22:06, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > On Wed, Jan 29, 2025 at 11:58 AM Miklos Szeredi <mszeredi@xxxxxxxxxx> wrote:
> > >
> > > Add notifications for attaching and detaching mounts. The following new
> > > event masks are added:
> > >
> > > FAN_MNT_ATTACH - Mount was attached
> > > FAN_MNT_DETACH - Mount was detached
> > >
> > > If a mount is moved, then the event is reported with (FAN_MNT_ATTACH |
> > > FAN_MNT_DETACH).
> > >
> > > These events add an info record of type FAN_EVENT_INFO_TYPE_MNT containing
> > > these fields identifying the affected mounts:
> > >
> > > __u64 mnt_id - the ID of the mount (see statmount(2))
> > >
> > > FAN_REPORT_MNT must be supplied to fanotify_init() to receive these events
> > > and no other type of event can be received with this report type.
> > >
> > > Marks are added with FAN_MARK_MNTNS, which records the mount namespace from
> > > an nsfs file (e.g. /proc/self/ns/mnt).
> > >
> > > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
> > > ---
> > >  fs/mount.h                         |  2 +
> > >  fs/namespace.c                     | 14 +++--
> > >  fs/notify/fanotify/fanotify.c      | 38 +++++++++++--
> > >  fs/notify/fanotify/fanotify.h      | 18 +++++++
> > >  fs/notify/fanotify/fanotify_user.c | 87 +++++++++++++++++++++++++-----
> > >  fs/notify/fdinfo.c                 |  5 ++
> > >  include/linux/fanotify.h           | 12 +++--
> > >  include/uapi/linux/fanotify.h      | 10 ++++
> > >  security/selinux/hooks.c           |  4 ++
> > >  9 files changed, 167 insertions(+), 23 deletions(-)
> >
> > ...
> >
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index 7b867dfec88b..06d073eab53c 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -3395,6 +3395,10 @@ static int selinux_path_notify(const struct path *path, u64 mask, > > > case FSNOTIFY_OBJ_TYPE_INODE: > > > perm = FILE__WATCH; > > > break; > > > + case FSNOTIFY_OBJ_TYPE_MNTNS: > > > + /* Maybe introduce FILE__WATCH_MOUNTNS? */ > > > + perm = FILE__WATCH_MOUNT; > > > + break; > > > default: > > > return -EINVAL; > > > }
> >
> > Ignoring for a moment that this patch was merged without an explicit
> > ACK for the SELinux changes, let's talk about these SELinux changes
> > ...
> >
> > I understand that you went with the "simpler version" because you
> > didn't believe the discussion was converging, which is fair, however,
> > I believe Daniel's argument is convincing enough to warrant the new
> > permission.
>
> Fine, I'll work on this.

Make it separate patches please.
All LSM changes have been dropped.
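Review bot: The new FSNOTIFY_OBJ_TYPE_MNTNS case in selinux_path_notify() authorizes a mount-namespace mark with FILE__WATCH_MOUNT, the same permission as a watch on a single mount, even though a FAN_MARK_MNTNS mark reports attach and detach events for every mount in that namespace; a dedicated permission (the FILE__WATCH_MOUNTNS the inline comment already names) would let policy grant the two scopes separately, which matches the conclusion below that the new permission is warranted. The `/* Maybe introduce FILE__WATCH_MOUNTNS? */` comment should also not ship as an open question in the hook: either add the permission in a separate patch or state in the code why reuse of FILE__WATCH_MOUNT is intended.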