From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from helmsgagent01.f-secure.com ([193.110.108.21]:53996 "EHLO helmsgagent01.f-secure.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727575AbeGSPBv (ORCPT ); Thu, 19 Jul 2018 11:01:51 -0400
Received: from pps.filterd (helmsgagent01.f-secure.com [127.0.0.1]) by helmsgagent01.f-secure.com (8.16.0.21/8.16.0.21) with SMTP id w6JEFw9k009759 for ; Thu, 19 Jul 2018 17:18:26 +0300
Received: from helex01.fi.f-secure.com ([10.190.48.70]) by helmsgagent01.f-secure.com with ESMTP id 2kajgsrqk6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Thu, 19 Jul 2018 17:18:26 +0300
From: Marko Rauhamaa
To:
Subject: Re: [PATCH] fanotify: introduce event flags FAN_EXEC and FAN_EXEC_PERM
References: <1531731011.19075.11.camel@mbobrowski.org> <20180716152653.odfm7tqagqi3wsuo@quack2.suse.cz> <7077707.M30l5tS7I4@x2> <20180717124423.fwzhgoa2ndtbjhgc@quack2.suse.cz> <1531912664.19075.19.camel@mbobrowski.org> <20180719101708.ad754qhekwoyanps@quack2.suse.cz>
Date: Thu, 19 Jul 2018 17:18:26 +0300
In-Reply-To: <20180719101708.ad754qhekwoyanps@quack2.suse.cz> (Jan Kara's message of "Thu, 19 Jul 2018 12:17:08 +0200")
Message-ID: <871sbz9uml.fsf@drapion.f-secure.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Jan Kara :
> So fanotify is a filesystem event notification API. For filesystem,
> open and read are fundamentally different events and as such we have
> different FAN_OPEN and FAN_ACCESS events in the API. The only
> disputable events we have in the API are FAN_CLOSE_WRITE vs
> FAN_CLOSE_NOWRITE - from fs POV there's no big difference. But at
> least this is 100% reliably (unlike FMODE_EXEC) telling you whether
> the user was able to modify the file or not and it caters to one of
> the use cases this API has been created for - virus scanners, file
> caching daemons, ... - i.e., triggering specific actions based on file
> contents.

As a side note from the virus scanner point of view, FAN_CLOSE_WRITE_PERM would be really useful because it would prevent the hit-and-run corruption of a file. As it stands, fanotify communicates the pid of the culprit but the process is long gone by the time you get to analyze it...

Marko