From: Vasily Novikov <vasily.novikov-BkmlMuIjteXqlBn2x/YWAg@public.gmane.org>
To: <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Novikov <Vasily.Novikov-BkmlMuIjteXqlBn2x/YWAg@public.gmane.org>,
Vasily, malware-list-h+Im9A44IAFcMpApZELgcQ@public.gmane.org
Subject: A few concerns about fanotify implementation.
Date: Tue, 26 Oct 2010 16:13:15 +0400 [thread overview]
Message-ID: <1288095195.29745.4010.camel@novikov-v> (raw)
Hi Eric,
We are interested in using fanotify in anti-malware applications. I
found a few concerns in fanotify implementation from the recently
released 2.6.36 kernel:
1. Race in cache implementation.
The cache is implemented as inode ignored mark. I suppose there could be
a race here.
Consider the following scenario with hostile processes A and B, and
victim process C:
1. Process A opens new file for writing. File check request is
generated.
2. File check is performed in userspace. Check result is "file has no
malware".
3. The "permit" response is delivered to kernel space.
4. File ignored mark set.
5. Process A writes dummy bytes to the file. File ignored flags are
cleared.
6. Process B opens the same file for reading. File check request is
generated.
7. File check is performed in userspace. Check result is "file has no
malware".
8. Process A writes malware bytes to the file. There is no cached
response yet.
9. The "permit" response is delivered to kernel space and is cached in
fanotify.
10. File ignored mark set.
11. Now any process C will be permitted to open the malware file.
There is a race between steps 8 and 10.
The race could be easily reproduced by Andreas's fanotify example:
console1# ./fanotify -s1 -o open_perm,modify,close -m /mnt
console2# while :; do echo 123 >> /mnt/123.txt; done
echo command opens, then writes, so write should clean ignore mask and
every open call should be intercepted but actually only every 2-nd call
is intercepted.
I be believe it could be solved by introducing two more ignore mark
flags. The fist one to set before the scan starts. It could be cleaned
by write operation. The second one to ask fanotify to set ignore flags
only if the first flag is still set. In this case we will never have
file with not scanned file changes in cache.
2. As I understood it was intended to flush cache via FAN_MARK_FLUSH
flag but it is currently disabled and there is no notion about it in the
man page. There are cases when it is necessary to flush all cache, for
example on anti-malware bases update.
3. I read the discussion about how to define paths to scan but anyway.
We would prefer to have global listener that was defined in the first
version of the interface and mark unnecessary mount points with
persistent ignore flags.
4. FAN_DENY response has no effect at the moment.
Regards,
Vasily
next reply other threads:[~2010-10-26 12:13 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-26 12:13 Vasily Novikov [this message]
2010-10-26 12:58 ` [malware-list] A few concerns about fanotify implementation Tvrtko Ursulin
2010-10-26 13:58 ` Vasily Novikov
2010-10-26 14:22 ` Tvrtko Ursulin
[not found] ` <201010261522.34157.tvrtko.ursulin-j34lQMj1tz/QT0dZR+AlfA@public.gmane.org>
2010-10-26 14:58 ` Eric Paris
2010-10-27 8:54 ` [malware-list] " Vasily Novikov
2010-10-27 15:58 ` Eric Paris
[not found] ` <1288195134.2655.202.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2011-06-03 9:43 ` Vasily Novikov
[not found] ` <4DE8ACAD.2080003-BkmlMuIjteXqlBn2x/YWAg@public.gmane.org>
2011-06-06 9:02 ` Douglas Leeder
2011-06-06 9:19 ` [malware-list] " Vasily Novikov
[not found] ` <4DEC9B86.6060506-BkmlMuIjteXqlBn2x/YWAg@public.gmane.org>
2011-06-06 13:43 ` Eric Paris
2011-06-06 14:42 ` [malware-list] " Vasily Novikov
[not found] ` <4DECE76E.4060507-BkmlMuIjteXqlBn2x/YWAg@public.gmane.org>
2011-06-06 15:53 ` Eric Paris
2011-06-07 12:35 ` [malware-list] " Vasily Novikov
[not found] ` <C511438CDC161C41B3C47B91D99ABA8D37B4B42114-u5UUZ0l8pcxUerCGrXd8jcc3qqyFMPEu@public.gmane.org>
2011-06-06 9:42 ` Vasily Novikov
2011-06-06 10:27 ` [malware-list] " Lino Sanfilippo
2011-06-06 11:17 ` [malware-list] A few concerns about fanotify implementation ([PATCH] inside) Lino Sanfilippo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1288095195.29745.4010.camel@novikov-v \
--to=vasily.novikov-bkmlmuijtexqlbn2x/ywag@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=malware-list-h+Im9A44IAFcMpApZELgcQ@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).