Re: [PATCH v2 1/1] fanotify: introduce new event flag FAN_EXEC

[Jan Kara <jack@suse.cz>]

On Thu 27-09-18 23:05:14, Matthew Bobrowski wrote:
> This is a reduced version of a patch that I originally submitted a while ago.
> 
> In short, the fanotify API currently does not provide any means for user space
> programs to receive events specifically when a file has been opened with the
> intent to be executed. The FAN_EXEC flag will be set within the event mask when
> a object has been opened with one of the open flags being __FMODE_EXEC.
> 
> Linux is used as an Operating System in some products, with an environment that
> can be certified under the Common Criteria Operating System Protection Profile
> (OSPP). This is a formal threat model for a class of technology. It requires
> specific countermeasures to mitigate threats. It requires documentation to
> explain how a product implements these countermeasures. It requires proof via a
> test suite to demonstrate that the requirements are met, observed and checked by
> an independent qualified third party. The latest set of requirements for OSPP
> v4.2 can be found here:
> 
> https://www.niap-ccevs.org/Profile/Info.cfm?PPID=424&id=424
> 
> If you look on page 58, you will see the following requirement:
> 
> FPT_SRP_EXT.1 Software Restriction Policies   FPT_SRP_EXT.1.1
> 
> The OS shall restrict execution to only programs which match an administrator
> specified [selection:
>         file path,
>         file digital signature,
>         version,
>         hash,
>         [assignment: other characteristics]
> ]
> 
> This patch is to help aid in meeting this requirement.
> 
> Signed-off-by: Matthew Bobrowski <mbobrowski@mbobrowski.org>

I agree with Amir's points wrt API so I won't repeat those. But I have one
more API question:

You implement FS_EXEC as a flag that can get set for certain FAN_OPEN
events. That is a new API concept for fanotify. So far you can only request
event of a certain type and then you get the same flag back when the event
happens.  There is also a case of FAN_ONDIR where you can restrict set of
events only to events on a particular inode type but that's again
different. Hence my question: Is there a good reason why we don't create
FAN_OPEN_EXEC event that would trigger only on executable opens?

If someone is interested only in executable opens, he'd have less events to
care about. OTOH additional FS_EXEC flag is probably more flexible (e.g.
you can easily implement equivalent of FAN_OPEN_NOEXEC in userspace if you
wished). Just the inconsistency of the FS_EXEC and e.g. how we handle
FAN_CLOSE_NOWRITE & FAN_CLOSE_WRITE is bothering me...

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR