Subject: Re: [RFC][PATCH 00/10] Mount, FS, Block and Keyrings notifications [ver #3]
From: Andy Lutomirski
Date: Thu, 6 Jun 2019 14:54:27 -0700
To: David Howells
Cc: Andy Lutomirski, Casey Schaufler, Stephen Smalley, Al Viro, Greg Kroah-Hartman, USB list, raven@themaw.net, Linux FS Devel, Linux API, linux-block@vger.kernel.org, keyrings@vger.kernel.org, LSM List, LKML, Paul Moore
In-Reply-To: <23611.1559855827@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Jun 6, 2019, at 2:17 PM, David Howells wrote:
>
> Andy Lutomirski wrote:
>
>>>> You are allowing arbitrary information flow between T and W above. Who
>>>> cares about notifications?
>>>
>>> I do. If Watched object is /dev/null no data flow is possible.
>>> There are many objects on a modern Linux system for which this
>>> is true. Even if it's "just a file" the existence of one path
>>> for data to flow does not justify ignoring the rules for other
>>> data paths.
>>
>> Aha!
>>
>> Even ignoring security, writes to things like /dev/null should
>> probably not trigger notifications to people who are watching
>> /dev/null. (There are probably lots of things like this: /dev/zero,
>> /dev/urandom, etc.)
>
> Even writes to /dev/null might generate access notifications; leastways,
> vfs_read() will call fsnotify_access() afterwards on success.

Hmm. I can see this being an issue, but I guess not with your patch set.

>
> Whether or not you can set marks on open device files is another matter.
>
>> David, are there any notification types that have this issue in your
>> patchset? If so, is there a straightforward way to fix it?
>
> I'm not sure what issue you're referring to specifically. Do you mean whether
> writes to device files generate notifications?

I mean: are there cases where some action generates a notification but does not otherwise have an effect visible to the users who can receive the notification. It looks like the answer is probably "no", which is good.

Casey, is this good enough for you, or is there still an issue?