linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jan Kara <jack@suse.cz>
To: Marko Rauhamaa <marko.rauhamaa@f-secure.com>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: Can fanotify OPEN_PERM work with CIFS?
Date: Mon, 16 Dec 2019 10:14:11 +0100	[thread overview]
Message-ID: <20191216091410.GA19204@quack2.suse.cz> (raw)
In-Reply-To: <87r22jk7s5.fsf@drapion.f-secure.com>

Hello!

On Thu 07-11-19 17:47:38, Marko Rauhamaa wrote:
> In a common setup, CIFS file access is tied to the credentials of the
> regular Linux user, but the local root has no access. If the local root
> monitors such a CIFS mount point with OPEN_PERM, dentry_open() in
> fs/notify/fanotify/fanotify_user.c fails with EPERM or EACCES depending
> on the kernel version. In effect, the whole mount point becomes
> inaccessible to any user.
> 
> I understand the question has intricate corner cases and security
> considerations, but is the common use case insurmountable? When the
> regular user is opening a file for reading and waiting for a permission
> to continue, must the file be reopened instead of being "lent" to the
> content checker via duping the fd?

I'm sorry for late reply. I've noticed this email only now. It is difficult
to "lend" the fd being opened by the application to the fanotify permission
event. Mainly because by the time the event is generated, that file
descriptor is not open yet - the event gets generated while we are checking
whether open is permitted which is before the "opening act" really happens.
And this is a fundamental thing because open(2) can have various side
effects (like truncating a file). And then there are also other smaller
issues like that different file mode or flags may need to be used for
fanotify event than for the original open.

I don't know details of CIFS permission model but I assume that there's a
similar problem as with NFS with generally untrusted client and thus the
server restricts client access to the authenticated credentials. That is
problematic with fanotify because even if we impersonated original opening
process we needn't be able to open the file with requested mode (think of
client having only read access to a file and fanotify request also write
access). So the permission model of network filesystems is incompatible
with fanotify permission model and I don't see an easy way how to
work-around this :-|.

								Honza

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

      reply	other threads:[~2019-12-16  9:14 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-07 15:47 Can fanotify OPEN_PERM work with CIFS? Marko Rauhamaa
2019-12-16  9:14 ` Jan Kara [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191216091410.GA19204@quack2.suse.cz \
    --to=jack@suse.cz \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=marko.rauhamaa@f-secure.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).