From: Steve Grubb <sgrubb@redhat.com>
To: Jan Kara <jack@suse.cz>
Cc: Matthew Bobrowski <mbobrowski@mbobrowski.org>,
amir73il@gmail.com, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] fanotify: introduce event flags FAN_EXEC and FAN_EXEC_PERM
Date: Tue, 17 Jul 2018 09:36:05 -0400 [thread overview]
Message-ID: <1721620.3FLQC43Mye@x2> (raw)
In-Reply-To: <20180717124423.fwzhgoa2ndtbjhgc@quack2.suse.cz>
On Tuesday, July 17, 2018 8:44:23 AM EDT Jan Kara wrote:
> On Mon 16-07-18 16:29:42, Steve Grubb wrote:
> > Hello,
> >
> > On Monday, July 16, 2018 11:26:53 AM EDT Jan Kara wrote:
> > > On Mon 16-07-18 18:50:11, Matthew Bobrowski wrote:
> > > > Currently, the fanotify API does not provide a means for user space
> > > > programs to register and receive events specifically when a file has
> > > > been
> > > > opened with the intent to be executed. Two new event flags FAN_EXEC
> > > > and
> > > > FAN_EXEC_PERM have been introduced to the fanotify API along with
> > > > updates
> > > > to the generic filesystem notification hooks fsnotify_open and
> > > > fsnotify_perm in order to support this capability.
> > > >
> > > > Signed-off-by: Matthew Bobrowski <mbobrowski@mbobrowski.org>
> > >
> > > I miss one important part in this changelog: Why do you need this
> > > feature?
> > > Monitoring for read would be enough after all...
> >
> > There are several reasons that I can think of. There are lots of file
> > accesses. It is possible to guess which one is the beginning of an
> > execve, but you really don't know. Apps can be started in so many ways.
> > They can be run from the runtime linker, they have LD_PRELOAD, they can
> > have an unexpected interpreter, they can be statically linked, they can
> > be a script which may present a new pattern of file accesses. With all
> > the variations in how programs can start up, it would be nice to have one
> > anchor that unambiguously says we are overlaying this pid with a whole
> > new app and forget everything you knew about the pid. And the access
> > pattern can be accurately watched because we always have a marker to
> > start the sequence.
>
> I don't quite buy your "marker that pid is starting from scratch" argument.
> Firstly, you'd have to place fanotify watches on all executables in your
> system to even have a chance to tell that,
True and we do.
> secondly, the process does not quite start a new - it still inherits some
> stuff from the old process like open file descriptors...
True. But that is not exactly relevant to the issues we're looking at.
> So I understand exec might be interesting for audit purposes but then you
> should watch it using audit and not fanotify which is for handling /
> mediating filesystem accesses.
This is not being used for the audit system. But let me illustrate the issue
that I'm looking at. I have the following sequence of events:
pid=13247 exe=/usr/bin/bash file=/home/sgrubb/test/static/test
pid=13250 exe=/usr/bin/bash file=/usr/bin/sed
pid=13250 exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
pid=13250 exe=/usr/bin/sed file=/etc/ld.so.cache
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libacl.so.1.1.2253
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libselinux.so.1
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libc-2.27.so
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libattr.so.1.1.2448
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libpcre2-8.so.0.7.0
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libdl-2.27.so
pid=13250 exe=/usr/bin/sed file=/usr/lib64/libpthread-2.27.so
pid=13250 exe=/usr/bin/sed file=/usr/lib/locale/locale-archive
pid=13259 exe=/usr/bin/bash file=/home/sgrubb/test/static/wc
pid=13259 exe=/usr/bin/bash file=/home/sgrubb/test/static/test2
There is a clear pattern for sed. But what was bash doing to test? There is
no pattern. Was it an execution or echo "blah" > test? How can you tell? Then
what happened to test2? (The first was execution of static app, last was
piping the program to wc -c. They pretty much leave the same footprint but
what is happening is very different.)
> And when you are looking at filesystem accesses, then there's no real
> difference between exec and read which is exactly why I'm not sure why the
> new feature is being added.
Its about intention to do something different with the data after the read.
That intention is important and just out of reach. But I otherwise agree that
read and execute do pretty much the same thing.
-Steve
next prev parent reply other threads:[~2018-07-17 14:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-16 8:50 [PATCH] fanotify: introduce event flags FAN_EXEC and FAN_EXEC_PERM Matthew Bobrowski
2018-07-16 9:53 ` Marko Rauhamaa
2018-07-16 15:26 ` Jan Kara
2018-07-16 20:29 ` Steve Grubb
2018-07-17 12:44 ` Jan Kara
2018-07-17 13:36 ` Steve Grubb [this message]
2018-07-19 9:33 ` Jan Kara
2018-07-19 12:39 ` Steve Grubb
2018-07-19 13:06 ` Steve Grubb
2018-07-18 11:17 ` Matthew Bobrowski
2018-07-19 10:17 ` Jan Kara
2018-07-19 14:18 ` Marko Rauhamaa
2018-07-19 14:59 ` Steve Grubb
2018-07-17 12:21 ` Amir Goldstein
2018-07-17 12:48 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1721620.3FLQC43Mye@x2 \
--to=sgrubb@redhat.com \
--cc=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mbobrowski@mbobrowski.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.