From: Amir Goldstein <amir73il@gmail.com>
To: Jan Kara <jack@suse.cz>
Cc: Matthew Bobrowski <mbobrowski@mbobrowski.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [RFC][PATCH 2/2] fanotify: support limited functionality for unprivileged users
Date: Fri, 19 Feb 2021 18:16:35 +0200 [thread overview]
Message-ID: <CAOQ4uxhnrZu0phZniiBEqPJJZwWfs3UbCJt0atkHirdHQVCWgw@mail.gmail.com> (raw)
In-Reply-To: <CAOQ4uxhwZG=aC+ZpB90Gn_5aNmQrwsJUnniWVhFXoq454vuyHA@mail.gmail.com>
On Tue, Feb 16, 2021 at 8:12 PM Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Tue, Feb 16, 2021 at 7:01 PM Jan Kara <jack@suse.cz> wrote:
> >
> > On Sun 24-01-21 20:42:04, Amir Goldstein wrote:
> > > Add limited support for unprivileged fanotify event listener.
> > > An unprivileged event listener does not get an open file descriptor in
> > > the event nor the process pid of another process. An unprivileged event
> > > listener cannot request permission events, cannot set mount/filesystem
> > > marks and cannot request unlimited queue/marks.
> > >
> > > This enables the limited functionality similar to inotify when watching a
> > > set of files and directories for OPEN/ACCESS/MODIFY/CLOSE events, without
> > > requiring SYS_CAP_ADMIN privileges.
> > >
> > > The FAN_REPORT_DFID_NAME init flag, provide a method for an unprivileged
> > > event listener watching a set of directories (with FAN_EVENT_ON_CHILD)
> > > to monitor all changes inside those directories.
> > >
> > > This typically requires that the listener keeps a map of watched directory
> > > fid to dirfd (O_PATH), where fid is obtained with name_to_handle_at()
> > > before starting to watch for changes.
> > >
> > > When getting an event, the reported fid of the parent should be resolved
> > > to dirfd and fstatsat(2) with dirfd and name should be used to query the
> > > state of the filesystem entry.
> > >
> > > Note that even though events do not report the event creator pid,
> > > fanotify does not merge similar events on the same object that were
> > > generated by different processes. This is aligned with exiting behavior
> > > when generating processes are outside of the listener pidns (which
> > > results in reporting 0 pid to listener).
> > >
> > > Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> >
> > The patch looks mostly good to me. Just two questions:
> >
> > a) Remind me please, why did we decide pid isn't safe to report to
> > unpriviledged listeners?
>
> Just because the information that process X modified file Y is not an
> information that user can generally obtain without extra capabilities(?)
> I can add a flag FAN_REPORT_OWN_PID to make that behavior
> explicit and then we can relax reporting pids later.
>
FYI a patch for flag FAN_REPORT_SELF_PID is pushed to branch
fanotify_unpriv.
The UAPI feels a bit awkward with this flag, but that is the easiest way
to start without worrying about disclosing pids.
I guess we can require that unprivileged listener has pid 1 in its own
pid ns. The outcome is similar to FAN_REPORT_SELF_PID, except
it can also get pids of its children which is probably fine.
I am not sure if this is a reasonable option from users POV.
> >
> > b) Why did we decide returning open file descriptors isn't safe for
> > unpriviledged listeners? Is it about FMODE_NONOTIFY?
> >
>
> Don't remember something in particular. I feels risky.
>
> > I'm not opposed to either but I'm wondering. Also with b) old style
> > fanotify events are not very useful so maybe we could just disallow all
> > notification groups without FID/DFID reporting? In the future if we ever
> > decide returning open fds is safe or how to do it, we can enable that group
> > type for unpriviledged users. However just starting to return open fds
> > later won't fly because listener has to close these fds when receiving
> > events.
> >
>
> I like this option better.
>
This is also pushed to branch fanotify_unpriv.
With all the behavior specified explicitly in fanotify_init() and
fanotify_mark() flags, there is no need for the internal
FANOTIFY_UNPRIV group flag, which looks better IMO.
Thanks,
Amir.
next prev parent reply other threads:[~2021-02-19 16:17 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-24 18:42 [RFC][PATCH 0/2] unprivileged fanotify listener Amir Goldstein
2021-01-24 18:42 ` [RFC][PATCH 1/2] fanotify: configurable limits via sysfs Amir Goldstein
2021-02-16 16:27 ` Jan Kara
2021-02-16 18:02 ` Amir Goldstein
2021-02-17 10:25 ` Jan Kara
2021-02-18 18:57 ` Amir Goldstein
2021-02-19 9:01 ` Amir Goldstein
2021-01-24 18:42 ` [RFC][PATCH 2/2] fanotify: support limited functionality for unprivileged users Amir Goldstein
2021-02-16 17:01 ` Jan Kara
2021-02-16 18:12 ` Amir Goldstein
2021-02-19 16:16 ` Amir Goldstein [this message]
2021-02-23 17:16 ` Amir Goldstein
2021-02-24 10:52 ` Jan Kara
2021-02-24 12:58 ` Amir Goldstein
2021-02-24 13:37 ` Amir Goldstein
2021-02-24 17:29 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOQ4uxhnrZu0phZniiBEqPJJZwWfs3UbCJt0atkHirdHQVCWgw@mail.gmail.com \
--to=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mbobrowski@mbobrowski.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).