[PATCH 2/2] fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()
Amir Goldstein
amir73il at gmail.com
Mon Feb 16 15:46:38 UTC 2026
On Mon, Feb 16, 2026 at 5:06 PM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> The latter trigger LSM (e.g. SELinux) checks, which will log a denial
> when permission is denied, so it's better to do them after validity
> checks to avoid logging a denial when the operation would fail anyway.
>
> Fixes: 0b3b094ac9a7 ("fanotify: Disallow permission events for proc filesystem")
> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> ---
Fine by me,
Feel free to add
Reviewed-by: Amir Goldstein <amir73il at gmail.com>
> fs/notify/fanotify/fanotify_user.c | 25 ++++++++++---------------
> 1 file changed, 10 insertions(+), 15 deletions(-)
>
> diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> index 9c9fca2976d2b..bfc4d09e6964a 100644
> --- a/fs/notify/fanotify/fanotify_user.c
> +++ b/fs/notify/fanotify/fanotify_user.c
> @@ -1210,6 +1210,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
>
> *path = fd_file(f)->f_path;
> path_get(path);
> + ret = 0;
> } else {
> unsigned int lookup_flags = 0;
>
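Review bot: the new `ret = 0;` in the fd_file() branch is only needed because the path_permission() call that used to assign ret after both branches is being removed from this function; initializing ret at its declaration (`int ret = 0;`) would state that intent more clearly than a trailing assignment at the end of the branch, and would also cover any early-exit added to that branch later.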
> @@ -1219,22 +1220,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
> lookup_flags |= LOOKUP_DIRECTORY;
>
> ret = user_path_at(dfd, filename, lookup_flags, path);
> - if (ret)
> - goto out;
> }
> -
> - /* you can only watch an inode if you have read permissions on it */
> - ret = path_permission(path, MAY_READ);
> - if (ret) {
> - path_put(path);
> - goto out;
> - }
> -
> - ret = security_path_notify(path, mask, obj_type);
> - if (ret)
> - path_put(path);
> -
> -out:
> return ret;
> }
>
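Review bot: removing the `out:` label is correct only because the `goto out` after user_path_at() is the last remaining user, and returning ret directly on a user_path_at() failure is safe since no path reference is held on that error path. Since fanotify_find_path() no longer performs the MAY_READ and LSM checks itself, a short comment above the function saying that the caller is now responsible for path_permission() and security_path_notify() would help anyone who adds a second caller; the function is static, so the callers to audit are confined to this file.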
> @@ -2058,6 +2044,15 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
> goto path_put_and_out;
> }
>
> + /* you can only watch an inode if you have read permissions on it */
> + ret = path_permission(&path, MAY_READ);
> + if (ret)
> + goto path_put_and_out;
> +
> + ret = security_path_notify(&path, mask, obj_type);
> + if (ret)
> + goto path_put_and_out;
> +
> if (fid_mode) {
> ret = fanotify_test_fsid(path.dentry, flags, &__fsid);
> if (ret)
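Review bot: placing path_permission() and security_path_notify() after the preceding validity checks changes which error userspace sees when both conditions apply (the failure from fanotify_events_supported() now takes precedence over a permission or LSM denial), which is the intended effect but is a user-visible ordering change that deserves a sentence in the commit message. Both new checks correctly use `goto path_put_and_out`, so the reference taken by fanotify_find_path() is dropped on failure, and they still sit ahead of fanotify_test_fsid() and the mark creation, so no mark can be added without passing the read-permission and LSM gate.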
> --
> 2.53.0
>