Re: fanotify as syscalls

From: Andreas Gruenbacher
Date: Mon Sep 21 2009 - 19:09:58 EST

Next message: Jamie Lokier: "Re: fanotify as syscalls"
Previous message: Tilman Schmidt: "Re: Status of Bug 8094 - ipaq oops on connecting "Vodafone VPA-II"?"
In reply to: Jamie Lokier: "Re: fanotify as syscalls"
Next in thread: Jamie Lokier: "Re: fanotify as syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tuesday, 22 September 2009 0:00:02 Jamie Lokier wrote:
> Andreas Gruenbacher wrote:
> > On Monday, 21 September 2009 22:28:23 Jamie Lokier wrote:
> > > It would be logical if fanotify could block and ack those [mount &
> > > umount events] in the same way as it can block and ack other accesses
> > > (with the usual filtering rules on which inodes trigger events, and
> > > which don't or are cached).
> >
> > Hmm. To me, fanotify is about file contents first of all: this is what
> > fanotify wants to be able to veto.
>
> Surely you don't assume that what constitutes malicious content is
> independent of it's location and/or name?

If the antimalware vendors want to base their decisions on pathnames then
that's their decision, and they can check /proc/self/fd/N. We should be able
to treat directory events the same.

> (See also "echo 'run_virus&' >>.bash_login).
>
> Wait a minute. You don't assume that, otherwise why the interest in
> subtrees? :-)
>
> > Directory events seem reasonable to add for inotify compatibility,
>
> Did you see may point about userspace caches and how directory events
> are fundamental to that - there's no way to build a cache without them?

Yes, there were some doubts about this appoach. Waiting for your code to
demonstrate; an object based cache (e.g., st_dev + st_ino) rather than a
pathname based cache would seem more reasonable.

> > but I see no need for access decisions on them.
>
> Please excuse me; I'm a bit confused. Is fanotify intended just for
> use by access decision programs, or is the plan now for it to also be
> a replacement for inotify? I'm getting conflicting signals about
> that.

Inotify doesn't support access decisions. So where's the problem with
having "notify only" events for directory / mount / unmount events?

> If it's just for access decision programs, and if those aren't going
> to care about location, then there's no need to add directory events
> to fanotify at all. But then I'll be demanding subtree support in
> inotify, please :-)
>
> > Even less so for mounts and unmounts.
>
> (as root) mkdir foo; mount dodgy foo -oloop; mount --bind foo/cat
> /bin/cat

... and then someone accesses /bin/cat, which triggers a fanotify access
decision.

Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jamie Lokier: "Re: fanotify as syscalls"
Previous message: Tilman Schmidt: "Re: Status of Bug 8094 - ipaq oops on connecting "Vodafone VPA-II"?"
In reply to: Jamie Lokier: "Re: fanotify as syscalls"
Next in thread: Jamie Lokier: "Re: fanotify as syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]