lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Oct 2014 09:50:46 +0300 From: Mihai Donțu <mihai.dontu@...il.com> To: Yann Droneaud <ydroneaud@...eya.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Heinrich Schuchardt <xypron.glpk@....de>, Eric Paris <eparis@...hat.com>, Richard Guy Briggs <rgb@...hat.com>, Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, stable@...r.kernel.org, linux-api@...r.kernel.org, Jan Kara <jack@...e.cz>, Lino Sanfilippo <LinoSanfilippo@....de>, Valdis Kletnieks <Valdis.Kletnieks@...edu>, Michael Kerrisk-manpages <mtk.manpages@...il.com> Subject: Re: [PATCHv8.1] fanotify: enable close-on-exec on events' fd when requested in fanotify_init() On Thu, 02 Oct 2014 08:20:55 +0200 Yann Droneaud wrote: > Hi, > > Le mercredi 01 octobre 2014 à 15:36 -0700, Andrew Morton a écrit : > > On Mon, 29 Sep 2014 10:49:15 +0200 Yann Droneaud <ydroneaud@...eya.com> wrote: > > > > > According to commit 80af258867648 ('fanotify: groups can specify > > > their f_flags for new fd'), file descriptors created as part of > > > file access notification events inherit flags from the > > > event_f_flags argument passed to syscall fanotify_init(2). > > > > > > So while it is legal for userspace to call fanotify_init() with > > > O_CLOEXEC as part of its second argument, O_CLOEXEC is currently > > > silently ignored. > > > > > > Indeed event_f_flags are only given to dentry_open(), which only > > > seems to care about O_ACCMODE and O_PATH in do_dentry_open(), > > > O_DIRECT in open_check_o_direct() and O_LARGEFILE in > > > generic_file_open(). > > > > > > But it seems logical to set close-on-exec flag on the file > > > descriptor if userspace is allowed to request it with O_CLOEXEC. > > > > > > In fact, according to some lookup on http://codesearch.debian.net/ > > > and various search engine, there's already some userspace code > > > requesting it: > > > > > > - in systemd's readahead[2]: > > > > > > fanotify_fd = fanotify_init(FAN_CLOEXEC|FAN_NONBLOCK, O_RDONLY|O_LARGEFILE|O_CLOEXEC|O_NOATIME); > > > > > > - in clsync[3]: > > > > > > #define FANOTIFY_EVFLAGS (O_LARGEFILE|O_RDONLY|O_CLOEXEC) > > > > > > int fanotify_d = fanotify_init(FANOTIFY_FLAGS, FANOTIFY_EVFLAGS); > > > > > > - in examples [4] from "Filesystem monitoring in the Linux > > > kernel" article[5] by Aleksander Morgado: > > > > > > if ((fanotify_fd = fanotify_init (FAN_CLOEXEC, > > > O_RDONLY | O_CLOEXEC | O_LARGEFILE)) < 0) > > > > So we have a number of apps which are setting O_CLOEXEC, but it doesn't > > actually work. With this change it *will* work, so the behaviour of > > those apps might change, possibly breaking them? > > > > In the other hand, not enabling close-on-exec might expose unwanted file > descriptor to childs, creating security issues. YMMV. > As someone who uses fanotify for content introspection, I can say that I am _explicitly_ marking the fd obtained via read() as O_CLOEXEC, because I have encountered a situation where a child managed to create a deadlock because it kept the fd open after the main application responded with FAN_ALLOW. -- Mihai Donțu -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists