Ensure FMODE_NONOTIFY is not set by userspace

Ensure FMODE_NONOTIFY is not set by userspace

[Lino Sanfilippo]

    In fsnotify_open() ensure that FMODE_NONOTIFY is never set by userspace.
    Also always call fsnotify_parent and fsnotify.

Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
---
This patch applies against commit 3970d817558a426cc2f53eaa01182eb9452e0cb1
of branch 'origin/for-next' from git.infradead.org/users/eparis/notify.git


diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
index ecb43b3..5c185fa 100644
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -235,10 +235,11 @@ static inline void fsnotify_open(struct file *file)
 	if (S_ISDIR(inode->i_mode))
 		mask |= FS_ISDIR;
 
-	if (!(file->f_mode & FMODE_NONOTIFY)) {
-		fsnotify_parent(path, NULL, mask);
-		fsnotify(inode, mask, path, FSNOTIFY_EVENT_PATH, NULL, 0);
-	}
+	/* FMODE_NONOTIFY must never be set from user */
+	file->f_mode &= ~FMODE_NONOTIFY;
+
+	fsnotify_parent(path, NULL, mask);
+	fsnotify(inode, mask, path, FSNOTIFY_EVENT_PATH, NULL, 0);
 }
 
 /*

Re: Ensure FMODE_NONOTIFY is not set by userspace

[Eric Paris]

On Fri, 2010-10-29 at 12:02 +0200, Lino Sanfilippo wrote:
> In fsnotify_open() ensure that FMODE_NONOTIFY is never set by userspace.
>     Also always call fsnotify_parent and fsnotify.

Did you find a place where the user was able to set FMODE_NONOTIFY?
That would be a problem.  But that's not what is happening here and
that's not what you are fixing.

This is a test if FMODE_NONOTIFY was already set then we do not send
notification about that file.  The current code is correct and your
patch breaks it....

-Eric

Re: Ensure FMODE_NONOTIFY is not set by userspace

[Lino Sanfilippo]

On Fri, Oct 29, 2010 at 09:52:50AM -0400, Eric Paris wrote:
> 
> Did you find a place where the user was able to set FMODE_NONOTIFY?
> That would be a problem.  But that's not what is happening here and
> that's not what you are fixing.

I know its not happening here, but doing something like

#define MY_FLAG 0x1000000

 open("file/within/fanotify_protection", O_RDONLY | MY_FLAG);

from userspace is all that is needed to be ignored by fanotify :)
There is nothing that checks if this flag has been set by userspace (or 
did I miss something?)

Beside this since the flag should only be set within create_fd() or
fanotify_init() there should never be a situation where 
fsnotify_open() is called with a FMODE_NONOTIFY set (by the kernel).

Regards,
Lino 

Re: Ensure FMODE_NONOTIFY is not set by userspace

[Eric Paris]

On Fri, 2010-10-29 at 16:27 +0200, Lino Sanfilippo wrote:
> On Fri, Oct 29, 2010 at 09:52:50AM -0400, Eric Paris wrote:
> > 
> > Did you find a place where the user was able to set FMODE_NONOTIFY?
> > That would be a problem.  But that's not what is happening here and
> > that's not what you are fixing.
> 
> I know its not happening here, but doing something like
> 
> #define MY_FLAG 0x1000000
> 
>  open("file/within/fanotify_protection", O_RDONLY | MY_FLAG);
> 
> from userspace is all that is needed to be ignored by fanotify :)
> There is nothing that checks if this flag has been set by userspace (or 
> did I miss something?)
> 
> Beside this since the flag should only be set within create_fd() or
> fanotify_init() there should never be a situation where 
> fsnotify_open() is called with a FMODE_NONOTIFY set (by the kernel).

You're right, I'm still not sure this is the best way to fix it, but
it's very broken.  I'll either commit your patch or post my own
today....

-Eric