From: Vasily Novikov <vasily.novikov@kaspersky.com>
To: Tvrtko Ursulin <tvrtko.ursulin@sophos.com>
Cc: "malware-list@dmesg.printk.net" <malware-list@dmesg.printk.net>,
"eparis@redhat.com" <eparis@redhat.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [malware-list] A few concerns about fanotify implementation.
Date: Tue, 26 Oct 2010 17:58:34 +0400
Message-ID: <1288101514.7715.46.camel@novikov-v>
In-Reply-To: <201010261358.46974.tvrtko.ursulin@sophos.com>
Hi Tvrtko,
> > 1. Race in cache implementation.
>
> [snip]
>
> > I believe it could be solved by introducing two more ignore mark
> > flags. The first one to set before the scan starts. It could be cleared
> > by a write operation. The second one to ask fanotify to set ignore flags
> > only if the first flag is still set. In this case we will never have a
> > file with unscanned changes in the cache.
>
> Interesting that you have also found this - I suspected it but did not
> actually get round to verifying it.
>
> Another possible (and simpler) solution is to refuse (ignore) adding ignore
> marks if the file (well, the inode) is opened for writing (inode->i_writecount > 0)?
> More or less this is the approach we use in Talpa.
I agree. It's simpler and clearer, and doesn't require changing the
interface.
> > 2. As I understood it was intended to flush cache via FAN_MARK_FLUSH
> > flag but it is currently disabled and there is no notion about it in the
> > man page. There are cases when it is necessary to flush all cache, for
> > example on anti-malware bases update.
>
> Where do you see this as disabled?
In the fanotify_mark syscall the flags argument is checked, and if the
FAN_MARK_FLUSH bit is set then EINVAL is returned.
include/linux/fanotify.h:

#define FAN_MARK_ADD                 0x00000001
#define FAN_MARK_REMOVE              0x00000002
#define FAN_MARK_DONT_FOLLOW         0x00000004
#define FAN_MARK_ONLYDIR             0x00000008
#define FAN_MARK_MOUNT               0x00000010
#define FAN_MARK_IGNORED_MASK        0x00000020
#define FAN_MARK_IGNORED_SURV_MODIFY 0x00000040
#define FAN_MARK_FLUSH               0x00000080

#define FAN_ALL_MARK_FLAGS (FAN_MARK_ADD |\
                            FAN_MARK_REMOVE |\
                            FAN_MARK_DONT_FOLLOW |\
                            FAN_MARK_ONLYDIR |\
                            FAN_MARK_MOUNT |\
                            FAN_MARK_IGNORED_MASK |\
                            FAN_MARK_IGNORED_SURV_MODIFY)

fs/notify/fanotify/fanotify_user.c:

SYSCALL_DEFINE(fanotify_mark)(int fanotify_fd, unsigned int flags,
                              __u64 mask, int dfd,
                              const char __user * pathname)
...
        if (flags & ~FAN_ALL_MARK_FLAGS)
                return -EINVAL;
Regards,
Vasily
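Added illustration of the ignore-mark race in point 1 and of the i_writecount check Tvrtko suggests (a constructed model, not code from the thread or from the kernel): a toy inode struct in C whose field names mirror the kernel names used above, with the scanner's verdict, a writer's open/write/close and the mark request interleaved by hand. The helper names, the generation counter and the -EBUSY return value are assumptions.

```c
/* Constructed model of the race in point 1 above; not kernel code. A plain
 * struct stands in for the inode with the fields the discussion relies on. */
#include <errno.h>
#include <stdbool.h>

struct inode {
    int i_writecount;     /* writers currently holding the file open */
    unsigned generation;  /* bumped on every modification of the contents */
    unsigned scanned_gen; /* generation the scanner last verified as clean */
    bool ignored;         /* ignore mark present: further events suppressed */
};

/* A write changes the contents and, as with FAN_MARK_IGNORED_MASK without
 * FAN_MARK_IGNORED_SURV_MODIFY, drops any ignore mark already set. */
static void inode_write(struct inode *ino)
{
    ino->generation++;
    ino->ignored = false;
}

/* Marking policy: current behaviour accepts unconditionally; the proposed
 * fix refuses the mark while the inode has an open writer (assumed -EBUSY). */
static int add_ignore_mark(struct inode *ino, bool refuse_if_open_for_write)
{
    if (refuse_if_open_for_write && ino->i_writecount > 0)
        return -EBUSY;
    ino->ignored = true;
    return 0;
}

/* The interleaving from point 1: scanner reads the file, a writer opens and
 * modifies it while still holding it open, then the scanner's ignore mark
 * lands. Returns true when the cache ends up claiming "clean" for contents
 * the scanner never looked at. */
static bool stale_verdict_after_race(bool refuse_if_open_for_write)
{
    struct inode ino = {0};
    ino.scanned_gen = ino.generation;          /* scanner: read, verdict clean */
    ino.i_writecount++;                        /* writer: open(O_WRONLY) */
    inode_write(&ino);                         /* writer: write(), gen 1 */
    add_ignore_mark(&ino, refuse_if_open_for_write); /* scanner: late mark */
    ino.i_writecount--;                        /* writer: close() */
    return ino.ignored && ino.scanned_gen != ino.generation;
}
```

With the unconditional policy the mark is set over contents the scanner never saw; with the i_writecount check the late mark is refused and the next open still reaches the scanner.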