Linux-Fsdevel Archive on lore.kernel.org
 help / color / Atom feed
* Can fanotify OPEN_PERM work with CIFS?
@ 2019-11-07 15:47 Marko Rauhamaa
  0 siblings, 0 replies; only message in thread
From: Marko Rauhamaa @ 2019-11-07 15:47 UTC (permalink / raw)
  To: linux-fsdevel


In a common setup, CIFS file access is tied to the credentials of the
regular Linux user, but the local root has no access. If the local root
monitors such a CIFS mount point with OPEN_PERM, dentry_open() in
fs/notify/fanotify/fanotify_user.c fails with EPERM or EACCES depending
on the kernel version. In effect, the whole mount point becomes
inaccessible to any user.

I understand the question has intricate corner cases and security
considerations, but is the common use case insurmountable? When the
regular user is opening a file for reading and waiting for a permission
to continue, must the file be reopened instead of being "lent" to the
content checker via duping the fd?


Marko

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-07 15:47 Can fanotify OPEN_PERM work with CIFS? Marko Rauhamaa

Linux-Fsdevel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-fsdevel/0 linux-fsdevel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-fsdevel linux-fsdevel/ https://lore.kernel.org/linux-fsdevel \
		linux-fsdevel@vger.kernel.org
	public-inbox-index linux-fsdevel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-fsdevel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git