[PATCH] fsnotify: add generic perm check for unlink/rmdir
Jan Kara
jack at suse.cz
Wed May 4 15:49:58 UTC 2022
On Wed 04-05-22 17:12:16, Amir Goldstein wrote:
> On Tue, May 3, 2022 at 10:49 PM Jan Kara <jack at suse.cz> wrote:
> >
> > On Wed 04-05-22 02:37:50, Guowei Du wrote:
> > > From: duguowei <duguowei at xiaomi.com>
> > >
> > > For now, there have been open/access/open_exec perms for file operation,
> > > so we add new perms check with unlink/rmdir syscall. if one app deletes
> > > any file/dir within pubic area, fsnotify can sends fsnotify_event to
> > > listener to deny that, even if the app have right dac/mac permissions.
> > >
> > > Signed-off-by: duguowei <duguowei at xiaomi.com>
> >
> > Before we go into technical details of implementation can you tell me more
> > details about the usecase? Why do you need to check specifically for unlink
> > / delete?
> >
> > Also on the design side of things: Do you realize these permission events
> > will not be usable together with other permission events like
> > FAN_OPEN_PERM? Because these require notification group returning file
> > descriptors while your events will return file handles... I guess we should
> > somehow fix that.
> >
>
> IMO, regardless of file descriptions vs. file handles, blocking events have
> no business with async events in the same group at all.
> What is the use case for that?
> Sure, we have the legacy permission event, but if we do add new blocking
> events to UAPI, IMO they should be added to a group that was initialized with a
> different class to indicate "blocking events only".
>
> And if we do that, we will not need to pollute the event mask namespace
> for every permission event.
That's an interesting idea. I agree mixing of permission and normal events
is not very useful and separating event mask for permission and other
events looks like a compelling reason to really forbid that :). It's a pity
nobody had this idea when proposing fanotify permission events.
> When users request to get FAN_UNLINK/FAN_RMDIR events in a
> FAN_CLASS_PERMISSION group, internally, that only captures
> events reported from fsnotify_perm()/fsnotify_path_perm().
>
> FYI, I do intend to try and upload "pre-modify events" [1].
> I had no intention to expose those in fanotify and my implementation
> does not have the granularity of UNLINK/RMDIR, but we do need
> to think about not duplicating too much code with those overlapping
> features.
Definitely.
Honza
> [1] https://github.com/amir73il/linux/commits/fsnotify_pre_modify
--
Jan Kara <jack at suse.com>
SUSE Labs, CR
More information about the Linux-security-module-archive
mailing list