[Patch][RFC] fcntl: add ability to stop monitored processes

[Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

[-- Attachment #1: Type: text/plain, Size: 2293 bytes --]

Hey there!
	I've recently developed this patch in pursuit of an ability to trap
proceses making modifcations to monitored directories, and I thought It would be
a nice feature to add to the mainline kernel.  It basically adds a flag to the
F_NOTIFY fcntl which optionally sends a SIGSTOP to the process making the
flagged modifications to the monitored directories, and passes the pid of the
stopped process to the monitoring process.  I've tested it, and it works quite
well for me.  Looking for comments/approvial/incorporation.

Thanks and Regards
Neil

Signed-off-by: Neil Horman <nhorman@redhat.com>

 fs/dnotify.c          |    2 ++
 fs/fcntl.c            |    1 +
 include/linux/fcntl.h |    1 +
 3 files changed, 4 insertions(+)


--- linux-2.6/include/linux/fcntl.h.orig	2005-06-10 16:04:48.000000000 -0400
+++ linux-2.6/include/linux/fcntl.h	2005-06-10 16:02:16.000000000 -0400
@@ -21,6 +21,7 @@
 #define DN_DELETE	0x00000008	/* File removed */
 #define DN_RENAME	0x00000010	/* File renamed */
 #define DN_ATTRIB	0x00000020	/* File changed attibutes */
+#define DN_STOPSND	0x40000000	/* Send a SIGSTOP to the sender */
 #define DN_MULTISHOT	0x80000000	/* Don't remove notifier */
 
 #ifdef __KERNEL__
--- linux-2.6/fs/dnotify.c.orig	2005-05-04 21:47:58.000000000 -0400
+++ linux-2.6/fs/dnotify.c	2005-06-10 16:02:16.000000000 -0400
@@ -138,6 +138,8 @@ void __inode_dir_notify(struct inode *in
 			changed = 1;
 			kmem_cache_free(dn_cache, dn);
 		}
+		if (dn->dn_mask & DN_STOPSND)
+			send_sig(SIGSTOP,current,1);
 	}
 	if (changed)
 		redo_inode_mask(inode);
--- linux-2.6/fs/fcntl.c.orig	2005-05-04 21:47:58.000000000 -0400
+++ linux-2.6/fs/fcntl.c	2005-06-10 16:05:17.000000000 -0400
@@ -438,6 +438,7 @@ static void send_sigio_to_task(struct ta
 			else
 				si.si_band = band_table[reason - POLL_IN];
 			si.si_fd    = fd;
+			si.si_pid   = current->pid;
 			if (!send_group_sig_info(fown->signum, &si, p))
 				break;
 		/* fall-through: fall back on the old plain SIGIO signal */
-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Matthew Wilcox]

On Fri, Jun 10, 2005 at 08:05:48PM -0400, Neil Horman wrote:
> Hey there!
> 	I've recently developed this patch in pursuit of an ability to trap
> proceses making modifcations to monitored directories, and I thought It would be
> a nice feature to add to the mainline kernel.  It basically adds a flag to the
> F_NOTIFY fcntl which optionally sends a SIGSTOP to the process making the
> flagged modifications to the monitored directories, and passes the pid of the
> stopped process to the monitoring process.  I've tested it, and it works quite
> well for me.  Looking for comments/approvial/incorporation.

What stops me from setting a DN_STOPSND on /lib and preventing any new
tasks from starting up?

-- 
"Next the statesmen will invent cheap lies, putting the blame upon 
the nation that is attacked, and every man will be glad of those
conscience-soothing falsities, and will diligently study them, and refuse
to examine any refutations of them; and thus he will by and by convince 
himself that the war is just, and will thank God for the better sleep 
he enjoys after this process of grotesque self-deception." -- Mark Twain

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

On Sat, Jun 11, 2005 at 07:07:15PM +0100, Matthew Wilcox wrote:
> On Fri, Jun 10, 2005 at 08:05:48PM -0400, Neil Horman wrote:
> > Hey there!
> > 	I've recently developed this patch in pursuit of an ability to trap
> > proceses making modifcations to monitored directories, and I thought It would be
> > a nice feature to add to the mainline kernel.  It basically adds a flag to the
> > F_NOTIFY fcntl which optionally sends a SIGSTOP to the process making the
> > flagged modifications to the monitored directories, and passes the pid of the
> > stopped process to the monitoring process.  I've tested it, and it works quite
> > well for me.  Looking for comments/approvial/incorporation.
> 
> What stops me from setting a DN_STOPSND on /lib and preventing any new
> tasks from starting up?
> 
Good point.  Would it be sufficient to limit this ability to root owned
processes only?  Does it seem like a beneficial feature otherwise?

Thanks and Regards
Neil

> -- 
> "Next the statesmen will invent cheap lies, putting the blame upon 
> the nation that is attacked, and every man will be glad of those
> conscience-soothing falsities, and will diligently study them, and refuse
> to examine any refutations of them; and thus he will by and by convince 
> himself that the war is just, and will thank God for the better sleep 
> he enjoys after this process of grotesque self-deception." -- Mark Twain

-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

How about this?  Its the same feature, with an added check in fcntl_dirnotify to
ensure that only processes with CAP_SYS_ADMIN set can tell processes preforming
the monitored actions to stop.

Signed-off-by: Neil Horman <nhorman@redhat.com>


 fs/dnotify.c          |    4 ++++
 fs/fcntl.c            |    1 +
 include/linux/fcntl.h |    1 +
 3 files changed, 6 insertions(+)


--- linux-2.6/include/linux/fcntl.h.orig	2005-06-10 16:04:48.000000000 -0400
+++ linux-2.6/include/linux/fcntl.h	2005-06-10 16:02:16.000000000 -0400
@@ -21,6 +21,7 @@
 #define DN_DELETE	0x00000008	/* File removed */
 #define DN_RENAME	0x00000010	/* File renamed */
 #define DN_ATTRIB	0x00000020	/* File changed attibutes */
+#define DN_STOPSND	0x40000000	/* Send a SIGSTOP to the sender */
 #define DN_MULTISHOT	0x80000000	/* Don't remove notifier */
 
 #ifdef __KERNEL__
--- linux-2.6/fs/dnotify.c.orig	2005-05-04 21:47:58.000000000 -0400
+++ linux-2.6/fs/dnotify.c	2005-06-11 21:27:37.000000000 -0400
@@ -74,6 +74,8 @@ int fcntl_dirnotify(int fd, struct file 
 	}
 	if (!dir_notify_enable)
 		return -EINVAL;
+	if(!capable(CAP_SYS_ADMIN) && (arg & DN_STOPSND))
+		return -EPERM;
 	inode = filp->f_dentry->d_inode;
 	if (!S_ISDIR(inode->i_mode))
 		return -ENOTDIR;
@@ -138,6 +140,8 @@ void __inode_dir_notify(struct inode *in
 			changed = 1;
 			kmem_cache_free(dn_cache, dn);
 		}
+		if (dn->dn_mask & DN_STOPSND)
+			send_sig(SIGSTOP,current,1);
 	}
 	if (changed)
 		redo_inode_mask(inode);
--- linux-2.6/fs/fcntl.c.orig	2005-05-04 21:47:58.000000000 -0400
+++ linux-2.6/fs/fcntl.c	2005-06-10 16:05:17.000000000 -0400
@@ -438,6 +438,7 @@ static void send_sigio_to_task(struct ta
 			else
 				si.si_band = band_table[reason - POLL_IN];
 			si.si_fd    = fd;
+			si.si_pid   = current->pid;
 			if (!send_group_sig_info(fown->signum, &si, p))
 				break;
 		/* fall-through: fall back on the old plain SIGIO signal */
-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Arjan van de Ven]

On Sun, 2005-06-12 at 14:10 -0400, Neil Horman wrote:
> How about this?  Its the same feature, with an added check in fcntl_dirnotify to
> ensure that only processes with CAP_SYS_ADMIN set can tell processes preforming
> the monitored actions to stop.

SIGSTOP is kinda rude I think though..... I mean, how do you suppose you
restart said processes again? manual sysadmin work?

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

On Mon, Jun 13, 2005 at 08:13:04AM +0200, Arjan van de Ven wrote:
> On Sun, 2005-06-12 at 14:10 -0400, Neil Horman wrote:
> > How about this?  Its the same feature, with an added check in fcntl_dirnotify to
> > ensure that only processes with CAP_SYS_ADMIN set can tell processes preforming
> > the monitored actions to stop.
> 
> SIGSTOP is kinda rude I think though..... I mean, how do you suppose you
> restart said processes again? manual sysadmin work?
> 
The idea I had was to catch processes which are preforming ostensibly
undesireable filesystem operations (as defined by the actions that F_NOTIFY can
monitor).  I'm not sure how else to avoid the race condition that can arise
between the delivery of the F_NOTIFY signal to the monitoring process, and the
exiting of the monitored process. If you have another thought, I'm certainly
open to it.

Re: restarting processes.  If a sysadmin wants to manually resart stopped
processes, that would certainly be an option.  My thought was that the
monitoring process could do it in code.  notice this patch also delivers the pid
of the stopped process in si_pid to the process receiving the signal.

Regards
Neil

-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Alan Cox]

On Llu, 2005-06-13 at 14:48, Neil Horman wrote:
> The idea I had was to catch processes which are preforming ostensibly
> undesireable filesystem operations (as defined by the actions that F_NOTIFY can
> monitor).  I'm not sure how else to avoid the race condition that can arise
> between the delivery of the F_NOTIFY signal to the monitoring process, and the
> exiting of the monitored process. If you have another thought, I'm certainly
> open to it.

I'm more worried you will make things worse not better. My first thought
was what stops me just filling up the file table with admin work
possibly also involving setuid processes so the end user cannot rescue
the situation.

If its trying to do debugging then ptrace makes sense and the parent
would be notified. Ptrace deals with exit of tracer and security for
you. If you are trying to implement a security policy then the selinux
hooks already allow you to block access to those files by selected
processes anyway just as your F_NOTIFY hook would do, and you could even
write a new security layer with a daemon that decided for the F_NOTIFY
equivalents.

Alan

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

On Mon, Jun 13, 2005 at 03:03:32PM +0100, Alan Cox wrote:
> On Llu, 2005-06-13 at 14:48, Neil Horman wrote:
> > The idea I had was to catch processes which are preforming ostensibly
> > undesireable filesystem operations (as defined by the actions that F_NOTIFY can
> > monitor).  I'm not sure how else to avoid the race condition that can arise
> > between the delivery of the F_NOTIFY signal to the monitoring process, and the
> > exiting of the monitored process. If you have another thought, I'm certainly
> > open to it.
> 
> I'm more worried you will make things worse not better. My first thought
> was what stops me just filling up the file table with admin work
> possibly also involving setuid processes so the end user cannot rescue
> the situation.
> 
I understand the concern here, but can't root always do desructive things to the
system?

> If its trying to do debugging then ptrace makes sense and the parent
> would be notified. Ptrace deals with exit of tracer and security for
> you. If you are trying to implement a security policy then the selinux
> hooks already allow you to block access to those files by selected
> processes anyway just as your F_NOTIFY hook would do, and you could even
> write a new security layer with a daemon that decided for the F_NOTIFY
> equivalents.
> 
I'll certainly try this again using the ptrace interface, rather than fcntl.  Do
you think the whole F_NOTIFY function should move over, or just this particular
feature?

Neil
> Alan
> 

-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Alan Cox]

On Sul, 2005-06-12 at 19:10, Neil Horman wrote:
> How about this?  Its the same feature, with an added check in fcntl_dirnotify to
> ensure that only processes with CAP_SYS_ADMIN set can tell processes preforming

Once you are monitoring and sending signals I think its time to ask if
the interface is in totally the wrong place. Would it not be better if
it was part of the ptrace interface to the monitored process ?

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Neil Horman]

On Mon, Jun 13, 2005 at 02:42:43PM +0100, Alan Cox wrote:
> On Sul, 2005-06-12 at 19:10, Neil Horman wrote:
> > How about this?  Its the same feature, with an added check in fcntl_dirnotify to
> > ensure that only processes with CAP_SYS_ADMIN set can tell processes preforming
> 
> Once you are monitoring and sending signals I think its time to ask if
> the interface is in totally the wrong place. Would it not be better if
> it was part of the ptrace interface to the monitored process ?
> 

You mean add the ability to monitor directories for changes to the ptrace
interface entirely?

Regards
Neil

-- 
/***************************************************
 *Neil Horman
 *Software Engineer
 *Red Hat, Inc.
 *nhorman@redhat.com
 *gpg keyid: 1024D / 0x92A74FA1
 *http://pgp.mit.edu
 ***************************************************/

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Alan Cox]

On Llu, 2005-06-13 at 14:50, Neil Horman wrote:
> You mean add the ability to monitor directories for changes to the ptrace
> interface entirely?

If you are using it for debugging and tracking file accesses then ptrace
seems to be the right interface. 

Alan

Re: [Patch][RFC] fcntl: add ability to stop monitored processes

[Matthew Wilcox]

On Mon, Jun 13, 2005 at 04:10:23PM +0100, Alan Cox wrote:
> On Llu, 2005-06-13 at 14:50, Neil Horman wrote:
> > You mean add the ability to monitor directories for changes to the ptrace
> > interface entirely?
> 
> If you are using it for debugging and tracking file accesses then ptrace
> seems to be the right interface. 

It all depends what you're trying to track.  If you want to ask what
"this task" is accessing, then yes, ptrace.  But if you want to know
who's chmod'ing /dev/null to 600 you really want a file- or directory-
based scheme.  Rather than extending F_NOTIFY, it might be better to
look at selinux policies?

-- 
"Next the statesmen will invent cheap lies, putting the blame upon 
the nation that is attacked, and every man will be glad of those
conscience-soothing falsities, and will diligently study them, and refuse
to examine any refutations of them; and thus he will by and by convince 
himself that the war is just, and will thank God for the better sleep 
he enjoys after this process of grotesque self-deception." -- Mark Twain