From: Matthew Bobrowski <mbobrowski@mbobrowski.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Jan Kara <jack@suse.cz>, Amir Goldstein <amir73il@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH v7 2/4] fanotify: introduce new event mask FAN_OPEN_EXEC
Date: Fri, 9 Nov 2018 16:41:35 +1100 [thread overview]
Message-ID: <20181109054133.GC4202@workstation.internal.lab> (raw)
In-Reply-To: <CALCETrUSq+a=8bFp4+8ZZYO3Jw6xzPrnQppbTQM6jPk9u25amA@mail.gmail.com>
On Thu, Nov 08, 2018 at 10:22:50AM -0800, Andy Lutomirski wrote:
> On Wed, Nov 7, 2018 at 7:07 PM Matthew Bobrowski
> <mbobrowski@mbobrowski.org> wrote:
> >
> > A new event mask FAN_OPEN_EXEC has been defined so that users have the
> > ability to receive events specifically when a file has been opened with
> > the intent to be executed. Events of FAN_OPEN_EXEC type will be
> > generated when a file has been opened using either execve(), execveat()
> > or uselib() system calls.
> >
> > The feature is implemented within fsnotify_open() by generating the
> > FAN_OPEN_EXEC event type if __FMODE_EXEC is set within file->f_flags.
> >
>
> I think this needs some clarification. In particular:
OK, sure.
> Do current kernels generate some other fanotify on execve or do they
> generate no event at all?
Yes, it does currently generate events on execve. Due to the nature of
how this particular system call works, the API, as is, will generate a
number of FAN_OPEN and FAN_ACCESS events.
> What is the intended use case?
For our particular use case, this is to greatly assist with an auditing
application that we're in the midst of developing. More specifically
though, it is to aid with providing additional context around why the
marked object(s) is being opened. We're interested to understand when
the direct execution of a file occurs via execve() or execveat(), for
example. This becomes exceptionally helpful on a busy filesystem when
you're trying to sift through and correlate FAN_OPEN and FAN_ACCESS
events while having marks placed on either a mount(s) or superblock(s).
> What semantics do you provide for the opening of the ELF loader? Are
> those semantics useful?
I don't exactly understand what you mean by providing semantics around
the opening of the ELF loader. However, I'm going to work with the
assumption that you're referring to how this particular event mask works
with the implicit invocation of the ELF loader when an ELF program is
being prepared for execution? If that's the case, it's quite simple. If
the ELF loader has been marked to receive events of this type, then an
event will also be generated for the ELF loader when an ELF program is
invoked via execve. If the ELF loader has not been marked, then only the
event for the ELF program itself will be generated.
If I've misunderstood what you're referring to, please kindly elaborate.
> How are users of this mechanism expected to handle DSOs?
Well, if they're concerned about the direct execution of a shared
library, then they'd just place a mark on it using this mask. Generally
speaking though, I can't see that being particularly useful seeing as
though DSOs in most cases are not actually directly executed per se, but
rather opened, read and then mapped into the process address space. So,
if they're concerned with handling DSOs, then it's the users discretion
about whether they mark it and what type of mark is to be placed on the
DSO object itself.
--
Matthew Bobrowski
next prev parent reply other threads:[~2018-11-09 15:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-08 3:04 [PATCH v7 0/4] fanotify: introduce new event mask FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM Matthew Bobrowski
2018-11-08 3:05 ` [PATCH v7 1/4] fanotify: return only user requested event types in event mask Matthew Bobrowski
2018-11-13 17:38 ` Jan Kara
2018-11-13 17:53 ` Amir Goldstein
2018-11-13 23:54 ` Matthew Bobrowski
2018-11-14 12:04 ` Jan Kara
2018-11-08 3:07 ` [PATCH v7 2/4] fanotify: introduce new event mask FAN_OPEN_EXEC Matthew Bobrowski
2018-11-08 18:22 ` Andy Lutomirski
2018-11-09 5:41 ` Matthew Bobrowski [this message]
2018-11-09 6:04 ` Andy Lutomirski
2018-11-09 7:27 ` Matthew Bobrowski
2018-11-12 16:14 ` Jan Kara
2018-11-12 16:37 ` Andy Lutomirski
2018-11-13 11:45 ` Matthew Bobrowski
2018-11-13 17:35 ` Jan Kara
2018-11-13 23:26 ` Matthew Bobrowski
2018-11-08 3:10 ` [PATCH v7 3/4] fsnotify: refactor fsnotify_parent()/fsnotify() paired calls when event is on path Matthew Bobrowski
2018-11-08 3:12 ` [PATCH v7 4/4] fanotify: introduce new event mask FAN_OPEN_EXEC_PERM Matthew Bobrowski
2018-11-13 17:53 ` [PATCH v7 0/4] fanotify: introduce new event mask FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM Jan Kara
2018-11-13 18:01 ` Amir Goldstein
2018-11-14 3:43 ` Amir Goldstein
2018-11-14 12:02 ` Jan Kara
2018-11-14 15:54 ` Amir Goldstein
2018-11-19 10:27 ` Matthew Bobrowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181109054133.GC4202@workstation.internal.lab \
--to=mbobrowski@mbobrowski.org \
--cc=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).