fanotify: introduce new event mask FAN_OPEN_EXEC_PERM

A new event mask FAN_OPEN_EXEC_PERM has been defined. This allows users
to receive events and grant access to files that are intending to be
opened for execution. Events of FAN_OPEN_EXEC_PERM type will be
generated when a file has been opened by using either execve(),
execveat() or uselib() system calls.

This acts in the same manner as previous permission event mask, meaning
that an access response is required from the user application in order
to permit any further operations on the file.

Signed-off-by: Matthew Bobrowski <mbobrowski@mbobrowski.org>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 5a1a15f646bae0cb1f669ea303cd51dcbef5aff4..3723f3d18d2072dabc85c2c66d1afe8a4df3dc7e 100644 (file)
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -211,8 +211,9 @@ static int fanotify_handle_event(struct fsnotify_group *group,
        BUILD_BUG_ON(FAN_ACCESS_PERM != FS_ACCESS_PERM);
        BUILD_BUG_ON(FAN_ONDIR != FS_ISDIR);
        BUILD_BUG_ON(FAN_OPEN_EXEC != FS_OPEN_EXEC);
+       BUILD_BUG_ON(FAN_OPEN_EXEC_PERM != FS_OPEN_EXEC_PERM);
 
-       BUILD_BUG_ON(HWEIGHT32(ALL_FANOTIFY_EVENT_BITS) != 11);
+       BUILD_BUG_ON(HWEIGHT32(ALL_FANOTIFY_EVENT_BITS) != 12);
 
        mask = fanotify_group_event_mask(iter_info, mask, data, data_type);
        if (!mask)

diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
index b3f58f36a0ab14194a0e4ba1735476bc2373f242..ecf09b6243d926b6ed7f6f474aca69f526c3824a 100644 (file)
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -401,7 +401,7 @@ static __init int fsnotify_init(void)
 {
        int ret;
 
-       BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 24);
+       BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 25);
 
        ret = init_srcu_struct(&fsnotify_mark_srcu);
        if (ret)

diff --git a/include/linux/fanotify.h b/include/linux/fanotify.h
index c521e4264f2b5ed3ca686e0cb11db4f64f455bb1..9e21427953351274892c5190056e250517ffcc20 100644 (file)
--- a/include/linux/fanotify.h
+++ b/include/linux/fanotify.h
@@ -40,7 +40,8 @@
                                 FAN_CLOSE | FAN_OPEN | FAN_OPEN_EXEC)
 
 /* Events that require a permission response from user */
-#define FANOTIFY_PERM_EVENTS   (FAN_OPEN_PERM | FAN_ACCESS_PERM)
+#define FANOTIFY_PERM_EVENTS   (FAN_OPEN_PERM | FAN_ACCESS_PERM | \
+                                FAN_OPEN_EXEC_PERM)
 
 /* Extra flags that may be reported with event or control handling of events */
 #define FANOTIFY_EVENT_FLAGS   (FAN_EVENT_ON_CHILD | FAN_ONDIR)

diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
index c29f2f072c2ceb8fad1580670447c18e02d7e38a..2ccb08cb5d6a3ca97ec133f0fabc502035d5dc8b 100644 (file)
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -40,9 +40,10 @@ static inline int fsnotify_path(struct inode *inode, const struct path *path,
        return fsnotify(inode, mask, path, FSNOTIFY_EVENT_PATH, NULL, 0);
 }
 
-/* simple call site for access decisions */
+/* Simple call site for access decisions */
 static inline int fsnotify_perm(struct file *file, int mask)
 {
+       int ret;
        const struct path *path = &file->f_path;
        struct inode *inode = file_inode(file);
        __u32 fsnotify_mask = 0;
@@ -51,12 +52,18 @@ static inline int fsnotify_perm(struct file *file, int mask)
                return 0;
        if (!(mask & (MAY_READ | MAY_OPEN)))
                return 0;
-       if (mask & MAY_OPEN)
+       if (mask & MAY_OPEN) {
                fsnotify_mask = FS_OPEN_PERM;
-       else if (mask & MAY_READ)
+
+               if (file->f_flags & __FMODE_EXEC) {
+                       ret = fsnotify_path(inode, path, FS_OPEN_EXEC_PERM);
+
+                       if (ret)
+                               return ret;
+               }
+       } else if (mask & MAY_READ) {
                fsnotify_mask = FS_ACCESS_PERM;
-       else
-               BUG();
+       }
 
        return fsnotify_path(inode, path, fsnotify_mask);
 }

diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
index 39d94e62a8369a4328a6085f4338759a04ccd3fc..7639774e7475d590ba39aef7327e4db37abdb754 100644 (file)
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -46,6 +46,7 @@
 
 #define FS_OPEN_PERM           0x00010000      /* open event in an permission hook */
 #define FS_ACCESS_PERM         0x00020000      /* access event in a permissions hook */
+#define FS_OPEN_EXEC_PERM      0x00040000      /* open/exec event in a permission hook */
 
 #define FS_EXCL_UNLINK         0x04000000      /* do not send events if object is unlinked */
 #define FS_ISDIR               0x40000000      /* event occurred against dir */
@@ -64,11 +65,12 @@
                                   FS_CLOSE_WRITE | FS_CLOSE_NOWRITE | FS_OPEN |\
                                   FS_MOVED_FROM | FS_MOVED_TO | FS_CREATE |\
                                   FS_DELETE | FS_OPEN_PERM | FS_ACCESS_PERM | \
-                                  FS_OPEN_EXEC)
+                                  FS_OPEN_EXEC | FS_OPEN_EXEC_PERM)
 
 #define FS_MOVE                        (FS_MOVED_FROM | FS_MOVED_TO)
 
-#define ALL_FSNOTIFY_PERM_EVENTS (FS_OPEN_PERM | FS_ACCESS_PERM)
+#define ALL_FSNOTIFY_PERM_EVENTS (FS_OPEN_PERM | FS_ACCESS_PERM | \
+                                 FS_OPEN_EXEC_PERM)
 
 /* Events that can be reported to backends */
 #define ALL_FSNOTIFY_EVENTS (FS_ACCESS | FS_MODIFY | FS_ATTRIB | \
@@ -77,7 +79,7 @@
                             FS_DELETE | FS_DELETE_SELF | FS_MOVE_SELF | \
                             FS_UNMOUNT | FS_Q_OVERFLOW | FS_IN_IGNORED | \
                             FS_OPEN_PERM | FS_ACCESS_PERM | FS_DN_RENAME | \
-                            FS_OPEN_EXEC)
+                            FS_OPEN_EXEC | FS_OPEN_EXEC_PERM)
 
 /* Extra flags that may be reported with event or control handling of events */
 #define ALL_FSNOTIFY_FLAGS  (FS_EXCL_UNLINK | FS_ISDIR | FS_IN_ONESHOT | \

diff --git a/include/uapi/linux/fanotify.h b/include/uapi/linux/fanotify.h
index d9664fbc905b62a7770e16da8c124d4af151cc26..909c98fcace2e48fdc12d7c7716314b85a5dcfd1 100644 (file)
--- a/include/uapi/linux/fanotify.h
+++ b/include/uapi/linux/fanotify.h
@@ -16,6 +16,7 @@
 
 #define FAN_OPEN_PERM          0x00010000      /* File open in perm check */
 #define FAN_ACCESS_PERM                0x00020000      /* File accessed in perm check */
+#define FAN_OPEN_EXEC_PERM     0x00040000      /* File open/exec in perm check */
 
 #define FAN_ONDIR              0x40000000      /* event occurred against dir */