Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp105415iob; Tue, 17 May 2022 20:20:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwJlkC0vFc5xtz41+inWykXTq987pOR/67A6Vcz1O6LZke7DWQufqb8EktbNEtzfuqbNb9x X-Received: by 2002:a63:6808:0:b0:3c5:7405:1cd4 with SMTP id d8-20020a636808000000b003c574051cd4mr22260146pgc.444.1652844028412; Tue, 17 May 2022 20:20:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652844028; cv=none; d=google.com; s=arc-20160816; b=SfHDc3DbBeqoRtHeo4mWrke/oGg93ato+9oH4jIAUTeRy67WPplsv1VS8X914oIREn ePWmMQGtmPPj/OM8GFX5D37OGPuO5FD7a3+O9RcTfSXDGkwl6ijVhHo5Yns1QsPBHeA4 GuFpfOX5cnhV8oOR6Ou5y0TEMXNGBpaZOkZz+b6i1OeNyn92Ilnjhcwr6BwdIn8cef6v 6z63lQYAtly5jThX6rgVkcGYNTaBWRg+iJmait/BS6I6lFTSnWzjLSSYTxSrK9cPojNi GaFJ6GDtdq07rcYOM3FsgGunib917JmiP8Lc1Bl9YlrqWCyb03P/B7Bbcz9YBaNGVrGj kvZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=qHCPn/5+IVbOfCi9iuEGhFmI1sfcIXa1/Qs52bDuAk0=; b=w2YkiNL3cIrY/c6sL6Q7BPCPa0FNpzhp0UolbGvvlFVAIiCPZ7Tq0sv0ZSC23zy7fM O63+2bgw/IQl6m+eGkzk+u49avMqmRcW+nUHb35cpl4BXmROgTOAzdUBaQrk6NTXpqtF RJY7EiObXXVo+QadxVobekfyd/qCncOBY2CkO4q/3iWcziy5iSaQ+4XddBr+Z9rgO8rS cVLX5Uzu8Ec2AJHrABv78kftu4FqN2Q2qaiydGzk4ofOBZui6LLNXWgFmQiQNkvTKnXw g3zlgP3r5JoLgNKaSoQq6TmIN344Bav/mcxqS57l7q/vOqL5fjJpU9dL9A1P48rzjKli EC/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=SOh6EcMW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id p5-20020a170902e74500b001586f9a109fsi1478154plf.0.2022.05.17.20.20.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 May 2022 20:20:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=SOh6EcMW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0A79850E16; Tue, 17 May 2022 20:17:57 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243855AbiEQMHG (ORCPT + 99 others); Tue, 17 May 2022 08:07:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44488 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231470AbiEQMHE (ORCPT ); Tue, 17 May 2022 08:07:04 -0400 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8290444746; Tue, 17 May 2022 05:07:03 -0700 (PDT) Received: by mail-qt1-x82a.google.com with SMTP id k2so14125433qtp.1; Tue, 17 May 2022 05:07:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qHCPn/5+IVbOfCi9iuEGhFmI1sfcIXa1/Qs52bDuAk0=; b=SOh6EcMWhqj1rRTK+fVaTib5Wo+a7e/L9Fs8VOuS9uF1/qtWusul3kpCrScepzF0wP 6u8IaM+JgyJNaF4JOnrKqjNPudVUU8bzHESYxMNGKef9q+ECsd+AIcyTtNDjIsDZLIQb RP7LLWwYVugwykCD8aIqaMsP0CR8xHLb45qGeVYvfTVDhcItNfr96GDxKCoM8RjyTSJm l6ym8XXJxqfr68fKvDn7yxJWm/NrTO7XcRq93griWlVnMV3QnQvhSSQLeWSFI8AbSyfW YbRKy9/2tmwySLVlmeIK36sY0yEQmWfGkMkLi5Re2g4hdKdx8yXY9lUrqWTdFJuwb3L/ hhIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qHCPn/5+IVbOfCi9iuEGhFmI1sfcIXa1/Qs52bDuAk0=; b=3urMK9tpfciF5ZD7kcw4PW+Ar1mljXioRPn3z0xjIMaMg6JVSG0xiyqbkXL4ViNl0O O94z8Nweb18YvJv3BsQu6FlMedOPExmumcqHkyA/TQaTZpw15QltgUjPicgST2Cp9QTk 4ZD6DfJKv3MX/4XreP+UkmLUFfuCLXX1LLR5aDX9Rx2iuAYl9fNyN1S+YCjiAx4cSdnu M9C7IfDQ/64R40J+QtJzbQ4Io2S736XCzoQ8Enj9X9VofeJMHPWanzo1eDj5ZSR/9amQ czQPMxBPabsq041Of4Zj8snpjkqIQBXw2Wp5j0WnWvSP6Oc3//4h8FyUYq7S4oOoA1Rp ie6Q== X-Gm-Message-State: AOAM533qi068TI/B/MyGRNMYjN37MpvAEAAHn2KiqznhK3LZ8xPLgSFU ruSDUhCiYPxx+Nmp6nnO9hPUkF1ULpSjWUTPmdA= X-Received: by 2002:ac8:4e42:0:b0:2f4:fc3c:b0c8 with SMTP id e2-20020ac84e42000000b002f4fc3cb0c8mr19509798qtw.684.1652789222633; Tue, 17 May 2022 05:07:02 -0700 (PDT) MIME-Version: 1.0 References: <1520f08c023d1e919b1a2af161d5a19367b6b4bf.1652730821.git.rgb@redhat.com> <20220517103236.i7gtsw7akiikqwam@quack3.lan> In-Reply-To: From: Amir Goldstein Date: Tue, 17 May 2022 15:06:51 +0300 Message-ID: Subject: Re: [PATCH v3 2/3] fanotify: define struct members to hold response decision context To: Jan Kara Cc: Richard Guy Briggs , Linux-Audit Mailing List , LKML , linux-fsdevel , Paul Moore , Eric Paris , Steve Grubb Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 17, 2022 at 2:31 PM Amir Goldstein wrote: > > On Tue, May 17, 2022 at 1:32 PM Jan Kara wrote: > > > > On Tue 17-05-22 08:37:28, Amir Goldstein wrote: > > > On Mon, May 16, 2022 at 11:22 PM Richard Guy Briggs wrote: > > > > > > > > This patch adds 2 structure members to the response returned from user > > > > space on a permission event. The first field is 32 bits for the context > > > > type. The context type will describe what the meaning is of the second > > > > field. The default is none. The patch defines one additional context > > > > type which means that the second field is a union containing a 32-bit > > > > rule number. This will allow for the creation of other context types in > > > > the future if other users of the API identify different needs. The > > > > second field size is defined by the context type and can be used to pass > > > > along the data described by the context. > > > > > > > > To support this, there is a macro for user space to check that the data > > > > being sent is valid. Of course, without this check, anything that > > > > overflows the bit field will trigger an EINVAL based on the use of > > > > FAN_INVALID_RESPONSE_MASK in process_access_response(). > > > > > > > > Suggested-by: Steve Grubb > > > > Link: https://lore.kernel.org/r/2745105.e9J7NaK4W3@x2 > > > > Suggested-by: Jan Kara > > > > Link: https://lore.kernel.org/r/20201001101219.GE17860@quack2.suse.cz > > > > Signed-off-by: Richard Guy Briggs > > > > ... > > > > static int process_access_response(struct fsnotify_group *group, > > > > - struct fanotify_response *response_struct) > > > > + struct fanotify_response *response_struct, > > > > + size_t count) > > > > { > > > > struct fanotify_perm_event *event; > > > > int fd = response_struct->fd; > > > > u32 response = response_struct->response; > > > > > > > > - pr_debug("%s: group=%p fd=%d response=%u\n", __func__, group, > > > > - fd, response); > > > > + pr_debug("%s: group=%p fd=%d response=%u type=%u size=%lu\n", __func__, > > > > + group, fd, response, response_struct->extra_info_type, count); > > > > + if (fd < 0) > > > > + return -EINVAL; > > > > /* > > > > * make sure the response is valid, if invalid we do nothing and either > > > > * userspace can send a valid response or we will clean it up after the > > > > * timeout > > > > */ > > > > - switch (response & ~FAN_AUDIT) { > > > > - case FAN_ALLOW: > > > > - case FAN_DENY: > > > > - break; > > > > - default: > > > > - return -EINVAL; > > > > - } > > > > - > > > > - if (fd < 0) > > > > + if (FAN_INVALID_RESPONSE_MASK(response)) > > > > > > That is a logic change, because now the response value of 0 becomes valid. > > > > > > Since you did not document this change in the commit message I assume this was > > > non intentional? > > > However, this behavior change is something that I did ask for, but it should be > > > done is a separate commit: > > > > > > /* These are NOT bitwise flags. Both bits can be used together. */ > > > #define FAN_TEST 0x00 > > > #define FAN_ALLOW 0x01 > > > #define FAN_DENY 0x02 > > > #define FANOTIFY_RESPONSE_ACCESS \ > > > (FAN_TEST|FAN_ALLOW | FAN_DENY) > > > > > > ... > > > int access = response & FANOTIFY_RESPONSE_ACCESS; > > > > > > 1. Do return EINVAL for access == 0 > > > 2. Let all the rest of the EINVAL checks run (including extra type) > > > 3. Move if (fd < 0) to last check > > > 4. Add if (!access) return 0 before if (fd < 0) > > > > > > That will provide a mechanism for userspace to probe the > > > kernel support for extra types in general and specific types > > > that it may respond with. > > > > I have to admit I didn't quite grok your suggestion here although I > > understand (and agree with) the general direction of the proposal :). Maybe > > code would explain it better what you have in mind? > > > > +/* These are NOT bitwise flags. Both bits can be used together. */ I realize when reading this that this comment is weird, because 0x01 and 0x02 cannot currently be used together. The comment was copied from above FAN_MARK_INODE where it has the same weirdness. The meaning is that (response & FANOTIFY_RESPONSE_ACCESS) is an enum. I am sure that a less confusing phrasing for this comment can be found. > +#define FAN_TEST 0x00 > #define FAN_ALLOW 0x01 > #define FAN_DENY 0x02 > #define FAN_AUDIT 0x10 /* Bit mask to create audit record for result */ > +#define FANOTIFY_RESPONSE_ACCESS \ > + (FAN_TEST|FAN_ALLOW | FAN_DENY) Thanks, Amir.