Re: [malware-list] A few concerns about fanotify implementation.

Hi Tvrtko,

> > 1. Race in cache implementation.
> 
> [snip]
> 
> > I believe it could be solved by introducing two more ignore mark
> > flags. The first one to set before the scan starts. It could be cleaned
> > by a write operation. The second one to ask fanotify to set ignore flags
> > only if the first flag is still set. In this case we will never have a
> > file with unscanned changes in the cache.
> 
> Interesting that you have also found this - I suspected it but did not
> actually get round to verifying it.
> 
> Another possible (and simpler) solution is to refuse (ignore) adding ignore
> marks if the file (well, the inode) is opened for writing (inode->i_writecount > 0)?
> More or less this is the approach we use in Talpa.

I agree. It's simpler and clearer, and it doesn't require changing the
interface.

> > 2. As I understood it, it was intended to flush the cache via the FAN_MARK_FLUSH
> > flag, but it is currently disabled and there is no mention of it in the
> > man page. There are cases when it is necessary to flush the whole cache, for
> > example on an anti-malware database update.
> 
> Where do you see this as disabled?

In the fanotify_mark syscall the flags argument is checked, and if the
FAN_MARK_FLUSH bit is set then an EINVAL error is returned.

include/linux/fanotify.h:
    #define FAN_MARK_ADD            0x00000001
    #define FAN_MARK_REMOVE         0x00000002
    #define FAN_MARK_DONT_FOLLOW    0x00000004
    #define FAN_MARK_ONLYDIR        0x00000008
    #define FAN_MARK_MOUNT          0x00000010
    #define FAN_MARK_IGNORED_MASK   0x00000020
    #define FAN_MARK_IGNORED_SURV_MODIFY    0x00000040
    #define FAN_MARK_FLUSH          0x00000080

    #define FAN_ALL_MARK_FLAGS      (FAN_MARK_ADD |\
                                     FAN_MARK_REMOVE |\
                                     FAN_MARK_DONT_FOLLOW |\
                                     FAN_MARK_ONLYDIR |\
                                     FAN_MARK_MOUNT |\
                                     FAN_MARK_IGNORED_MASK |\
                                     FAN_MARK_IGNORED_SURV_MODIFY)

fs/notify/fanotify/fanotify_user.c:
    SYSCALL_DEFINE(fanotify_mark)(int fanotify_fd, unsigned int flags,
                                  __u64 mask, int dfd,
                                  const char  __user * pathname)
    ...
            if (flags & ~FAN_ALL_MARK_FLAGS)
                    return -EINVAL;


Regards,
  Vasily

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
