From: Jan Kara <jack@suse.cz>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
fsdevel <linux-fsdevel@vger.kernel.org>,
Linux Audit <linux-audit@redhat.com>, Jan Kara <jack@suse.cz>
Subject: Re: [PATCH 1/1] Fanotify: Introduce a permissive mode
Date: Tue, 15 Aug 2017 13:48:53 +0200 [thread overview]
Message-ID: <20170815114853.GE27505@quack2.suse.cz> (raw)
In-Reply-To: <CAOQ4uxjA_DWN7c1_Vo9_s1ckrXYfS7mJ7c0P7Y0sjhxuVj47fQ@mail.gmail.com>
On Tue 15-08-17 12:19:50, Amir Goldstein wrote:
> On Mon, Aug 14, 2017 at 5:04 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> >
> > The fanotify interface can be used as an access control subsystem. If
> > for some reason the policy is bad, there is potentially no good way to
> > recover the system. This patch introduces a new command line variable,
> > fanotify_enforce, to allow overriding the access decision from user
> > space. The initialization status is recorded as an audit event so that
> > there is a record of being in permissive mode for the security officer.
>
> :-/ overriding the security access decision sounds like a bad practice
> *if* at all this method is acceptable overriding access decision should
> probably be accompanied with pr_warn_ratelimited and a big warning
> for fanotify_init with FAN_CLASS_{,PRE_}CONTENT priority.
>
> If the proposed kernel param is acceptable by others, I would prefer
> that it prevents setting up FAN_CLASS_{,PRE_}CONTENT priority
> watches, instead of setting them up and ignoring the user daemon response.
Agreed. You need CAP_SYS_ADMIN to be able to set up watches for access
control. If you have applications with CAP_SYS_ADMIN you don't trust, just
don't run them or fix bugs in them. Kernel parameter is not the right way
to fix broken applications with administrative priviledges.
> I hope I am not out of line to propose:
>
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
>
> FANOTIFY
> -M: Eric Paris <eparis@redhat.com>
> +M: Jan Kara <jack@suse.com>
> +R: Amir Goldstein <amir73il@gmail.com>
> +L: linux-fsdevel@vger.kernel.org
> S: Maintained
> F: fs/notify/fanotify/
> F: include/linux/fanotify.h
Yeah, I'll queue it up and the same for inotify & dnotify.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2017-08-15 11:48 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-14 15:04 [PATCH 1/1] Fanotify: Introduce a permissive mode Steve Grubb
2017-08-15 10:19 ` Amir Goldstein
2017-08-15 11:48 ` Jan Kara [this message]
2017-08-15 14:44 ` Steve Grubb
2017-08-15 15:37 ` Amir Goldstein
2017-08-15 16:23 ` Steve Grubb
2017-08-15 19:19 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170815114853.GE27505@quack2.suse.cz \
--to=jack@suse.cz \
--cc=amir73il@gmail.com \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.