From: Amir Goldstein <amir73il@gmail.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jan Kara <jack@suse.cz>,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
overlayfs <linux-unionfs@vger.kernel.org>,
Marko Rauhamaa <marko.rauhamaa@f-secure.com>
Subject: Re: fsnotify events for overlayfs real file
Date: Mon, 31 May 2021 21:26:35 +0300 [thread overview]
Message-ID: <CAOQ4uxiYZfQSZN4avfnNmQv1OxB5+Q=9wr-eSRXK+QkostC66w@mail.gmail.com> (raw)
In-Reply-To: <CAJfpegsqqwMgtDKESNVXvtYU=fsu2pZ_nE8UdXQSLudKqK8Xmw@mail.gmail.com>
On Mon, May 31, 2021 at 6:18 PM Miklos Szeredi <miklos@szeredi.hu> wrote:
>
> On Tue, 18 May 2021 at 19:56, Amir Goldstein <amir73il@gmail.com> wrote:
> >
> > On Tue, May 18, 2021 at 5:43 PM Miklos Szeredi <miklos@szeredi.hu> wrote:
> > >
> > > On Mon, 10 May 2021 at 18:32, Amir Goldstein <amir73il@gmail.com> wrote:
>
> > > > My thinking was that we can change d_real() to provide the real path:
> > > >
> > > > static inline struct path d_real_path(struct path *path,
> > > > const struct inode *inode)
> > > > {
> > > > struct realpath = {};
> > > > if (!unlikely(dentry->d_flags & DCACHE_OP_REAL))
> > > > return *path;
> > > > dentry->d_op->d_real(path->dentry, inode, &realpath);
> > > > return realpath;
> > > > }
>
> Real paths are internal, we can't pass them (as fd in permission
> events) to userspace.
>
> > > >
> > > >
> > > > Another option, instead of getting the realpath, just detect the
> > > > mismatch of file_inode(file) != d_inode(path->dentry) in
> > > > fanotify_file() and pass FSNOTIFY_EVENT_DENTRY data type
> > > > with d_real() dentry to backend instead of FSNOTIFY_EVENT_PATH.
> > > >
> > > > For inotify it should be enough and for fanotify it is enough for
> > > > FAN_REPORT_FID and legacy fanotify can report FAN_NOFD,
> > > > so at least permission events listeners can identify the situation and
> > > > be able to block access to unknown paths.
>
> That sounds like a good short term solution.
>
It may be a fine academic solution, but I don't think it solves any real
world problem.
I am not aware of any security oriented solutions that use permission
events on inode or directory (let alone sb).
The security oriented users of fanotify are anti-virus on-access
protection engines and those are using mount marks anyway
(dynamically adding them as far as I know).
[cc Marko who may be able to shed some light]
For those products, creating a bind mount inside a new mount ns
may actually escape the on-access policy or the new mount will
also be marked I am not sure. I suppose cloning mount ns may be
prohibited by another LSM or something(?).
>
> >
> > Is there a reason for the fake path besides the displayed path in
> > /proc/self/maps?
>
> I'm not aware of any.
>
> >
> > Does it make sense to keep one realfile with fake path for mmaped
> > files along side a realfile with private/detached path used for all the
> > other operations?
>
> This should work, but it would add more open files,
True, but only for the mmaped files.
> so needs some good justifications.
>
I'm afraid I don't have one yet..
Let's see what the AV vendors have to say.
Thanks,
Amir.
next prev parent reply other threads:[~2021-05-31 18:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-10 16:31 fsnotify events for overlayfs real file Amir Goldstein
2021-05-18 14:43 ` Miklos Szeredi
2021-05-18 17:56 ` Amir Goldstein
2021-05-31 15:18 ` Miklos Szeredi
2021-05-31 18:26 ` Amir Goldstein [this message]
2021-06-01 9:08 ` Christian Brauner
2021-06-08 12:05 ` Marko Rauhamaa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOQ4uxiYZfQSZN4avfnNmQv1OxB5+Q=9wr-eSRXK+QkostC66w@mail.gmail.com' \
--to=amir73il@gmail.com \
--cc=christian.brauner@ubuntu.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=marko.rauhamaa@f-secure.com \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).