Date: Wed, 4 May 2022 17:49:58 +0200
From: Jan Kara
To: Amir Goldstein
Cc: Jan Kara, Guowei Du, linux-fsdevel, linux-kernel, Al Viro, James Morris,
    "Serge E. Hallyn", ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
    kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com,
    kpsingh@kernel.org, LSM List, Netdev, bpf@vger.kernel.org, Paul Moore,
    Stephen Smalley, Eric Paris, Kees Cook, anton@enomsg.org, ccross@android.com,
    tony.luck@intel.com, selinux@vger.kernel.org, duguowei
Subject: Re: [PATCH] fsnotify: add generic perm check for unlink/rmdir
Message-ID: <20220504154958.cnagolihr65vkmjf@quack3.lan>
References: <20220503183750.1977-1-duguoweisz@gmail.com> <20220503194943.6bcmsxjvinfjrqxa@quack3.lan>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed 04-05-22 17:12:16, Amir Goldstein wrote:
> On Tue, May 3, 2022 at 10:49 PM Jan Kara wrote:
> >
> > On Wed 04-05-22 02:37:50, Guowei Du wrote:
> > > From: duguowei
> > >
> > > For now, there have been open/access/open_exec perms for file operation,
> > > so we add new perms check with unlink/rmdir syscall. If one app deletes
> > > any file/dir within public area, fsnotify can send fsnotify_event to
> > > listener to deny that, even if the app has right dac/mac permissions.
> > >
> > > Signed-off-by: duguowei
> >
> > Before we go into technical details of implementation can you tell me more
> > details about the usecase? Why do you need to check specifically for unlink
> > / delete?
> >
> > Also on the design side of things: Do you realize these permission events
> > will not be usable together with other permission events like
> > FAN_OPEN_PERM? Because these require notification group returning file
> > descriptors while your events will return file handles... I guess we should
> > somehow fix that.
> >
>
> IMO, regardless of file descriptions vs. file handles, blocking events have
> no business with async events in the same group at all.
> What is the use case for that?
> Sure, we have the legacy permission event, but if we do add new blocking
> events to UAPI, IMO they should be added to a group that was initialized with a
> different class to indicate "blocking events only".
>
> And if we do that, we will not need to pollute the event mask namespace
> for every permission event.

That's an interesting idea. I agree mixing of permission and normal events
is not very useful and separating event mask for permission and other
events looks like a compelling reason to really forbid that :). It's a pity
nobody had this idea when proposing fanotify permission events.

> When users request to get FAN_UNLINK/FAN_RMDIR events in a
> FAN_CLASS_PERMISSION group, internally, that only captures
> events reported from fsnotify_perm()/fsnotify_path_perm().
>
> FYI, I do intend to try and upload "pre-modify events" [1].
> I had no intention to expose those in fanotify and my implementation
> does not have the granularity of UNLINK/RMDIR, but we do need
> to think about not duplicating too much code with those overlapping
> features.

Definitely.

								Honza

> [1] https://github.com/amir73il/linux/commits/fsnotify_pre_modify
-- 
Jan Kara
SUSE Labs, CR
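
For reference, the existing fd-based permission flow that the thread contrasts with file handles: a listener in a FAN_CLASS_CONTENT group receives FAN_OPEN_PERM events carrying an open file descriptor and must write back a verdict before the opener proceeds. This is an added example, not code from the thread or the patch; the `/srv/public/` prefix and the names `verdict_for`, `answer` and `serve` are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Hypothetical policy: deny opens below this constructed prefix. */
static const char PROTECTED[] = "/srv/public/";

/* Map a resolved path to a verdict: FAN_DENY or FAN_ALLOW. */
unsigned int verdict_for(const char *path)
{
    return strncmp(path, PROTECTED, sizeof PROTECTED - 1) == 0 ? FAN_DENY : FAN_ALLOW;
}

/* A permission event carries an open fd: resolve it to a path and build
 * the reply. An unresolvable fd is allowed here (fail-open, a policy choice). */
struct fanotify_response answer(const struct fanotify_event_metadata *ev)
{
    char link[64], path[PATH_MAX];
    struct fanotify_response r = { .fd = ev->fd, .response = FAN_ALLOW };
    snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
    ssize_t n = readlink(link, path, sizeof path - 1);
    if (n > 0) { path[n] = '\0'; r.response = verdict_for(path); }
    return r;
}

/* Blocking listener on one mount; needs CAP_SYS_ADMIN. Returns -1 on error. */
int serve(const char *mount)
{
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len;
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) return -1;
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, mount) < 0) { close(fan); return -1; }
    while ((len = read(fan, buf, sizeof buf)) > 0) {
        struct fanotify_event_metadata *ev = (void *)buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->fd < 0 || !(ev->mask & FAN_OPEN_PERM)) continue;
            struct fanotify_response r = answer(ev);
            /* The opener stays blocked until this write lands. */
            if (write(fan, &r, sizeof r) != (ssize_t)sizeof r) { close(ev->fd); close(fan); return -1; }
            close(ev->fd);
        }
    }
    close(fan);
    return len < 0 ? -1 : 0;
}

int main(int argc, char **argv) { return argc == 2 ? (serve(argv[1]) ? 1 : 0) : 2; }
```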