From: Mete Durlu <meted@linux.ibm.com>
To: jack@suse.cz
Cc: amir73il@gmail.com, repnop@google.com, linux-fsdevel@vger.kernel.org
Subject: [PATCH] fanotify: move path permission and security check
Date: Thu, 29 Feb 2024 18:41:45 +0100 [thread overview]
Message-ID: <20240229174145.3405638-1-meted@linux.ibm.com> (raw)
In current state do_fanotify_mark() does path permission and security
checking before doing the event configuration checks. In the case
where user configures mount and sb marks with kernel internal pseudo
fs, security_path_notify() yields an EACESS and causes an earlier
exit. Instead, this particular case should have been handled by
fanotify_events_supported() and exited with an EINVAL.
Move path perm and security checks under the event validation to
prevent this from happening.
Simple reproducer;
fan_d = fanotify_init(FAN_CLASS_NOTIF, O_RDONLY);
pipe2(pipes, O_CLOEXEC);
fanotify_mark(fan_d,
FAN_MARK_ADD |
FAN_MARK_MOUNT,
FAN_ACCESS,
pipes[0],
NULL);
// expected: EINVAL (22), produces: EACCES (13)
printf("mark errno: %d\n", errno);
Another reproducer;
ltp/testcases/kernel/syscalls/fanotify/fanotify14
Fixes: 69562eb0bd3e ("fanotify: disallow mount/sb marks on kernel internal pseudo fs")
Signed-off-by: Mete Durlu <meted@linux.ibm.com>
---
fs/notify/fanotify/fanotify_user.c | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index fbdc63cc10d9..14121ad0e10d 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1015,7 +1015,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
fdput(f);
goto out;
}
-
+ ret = 0;
*path = f.file->f_path;
path_get(path);
fdput(f);
@@ -1028,21 +1028,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
lookup_flags |= LOOKUP_DIRECTORY;
ret = user_path_at(dfd, filename, lookup_flags, path);
- if (ret)
- goto out;
}
-
- /* you can only watch an inode if you have read permissions on it */
- ret = path_permission(path, MAY_READ);
- if (ret) {
- path_put(path);
- goto out;
- }
-
- ret = security_path_notify(path, mask, obj_type);
- if (ret)
- path_put(path);
-
out:
return ret;
}
@@ -1894,6 +1880,14 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
if (ret)
goto path_put_and_out;
}
+ /* you can only watch an inode if you have read permissions on it */
+ ret = path_permission(&path, MAY_READ);
+ if (ret)
+ goto path_put_and_out;
+
+ ret = security_path_notify(&path, mask, obj_type);
+ if (ret)
+ goto path_put_and_out;
if (fid_mode) {
ret = fanotify_test_fsid(path.dentry, flags, &__fsid);
--
2.40.1
next reply other threads:[~2024-02-29 17:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-29 17:41 Mete Durlu [this message]
2024-03-01 9:52 ` [PATCH] fanotify: move path permission and security check Amir Goldstein
2024-03-01 13:16 ` Mete Durlu
2024-03-02 9:58 ` Amir Goldstein
2024-03-05 13:57 ` Mete Durlu
2024-03-05 17:14 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240229174145.3405638-1-meted@linux.ibm.com \
--to=meted@linux.ibm.com \
--cc=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).