lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4A795B07.4070708@sophos.com>
Date:	Wed, 05 Aug 2009 11:12:23 +0100
From:	Douglas Leeder <douglas.leeder@...hos.com>
To:	Tvrtko Ursulin <tvrtko.ursulin@...hos.com>
CC:	Eric Paris <eparis@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
	"malware-list@...sg.printk.net" <malware-list@...sg.printk.net>,
	"Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
	"greg@...ah.com" <greg@...ah.com>,
	"jcm@...hat.com" <jcm@...hat.com>, "tytso@....edu" <tytso@....edu>,
	"arjan@...radead.org" <arjan@...radead.org>,
	"david@...g.hm" <david@...g.hm>,
	"jengelh@...ozas.de" <jengelh@...ozas.de>,
	"aviro@...hat.com" <aviro@...hat.com>,
	"mrkafk@...il.com" <mrkafk@...il.com>,
	"alexl@...hat.com" <alexl@...hat.com>,
	"jack@...e.cz" <jack@...e.cz>,
	"a.p.zijlstra@...llo.nl" <a.p.zijlstra@...llo.nl>,
	"hch@...radead.org" <hch@...radead.org>,
	"alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
	"mmorley@....in" <mmorley@....in>, "pavel@...e.cz" <pavel@...e.cz>
Subject: Re: fanotify - overall design before I start sending patches

Tvrtko Ursulin wrote:
> On Friday 24 July 2009 21:13:49 Eric Paris wrote:
>> After the socket is bound events are attained using the read() syscall
>> (recv* probably also works haven't tested).  This will result in the
>> buffer being filled with one or more events like this:
>>
>> struct fanotify_event_metadata {
>>         __u32 event_len;
>>         __s32 fd;
>>         __u32 mask;
>>         __u32 f_flags;
>>         __s32 pid;
>>         __s32 tgid;
>>         __u64 cookie;
>> }  __attribute__((packed));
>>
>> fd specifies the new file descriptor that was created in the context of
>> the listener.  (readlink of /proc/self/fd will give you A pathname)
>> mask indicates the events type (bitwise OR of the event types listed
>> above).  f_flags here is the f_flags the ORIGINAL process has the file
>> open with.  pid and tgid are from the original process.  cookie is used
>> when the listener needs to allow, deny, or delay the operation.
> 
> One more thing. uid and gid (possibly whole set?) would be useful so we can 
> tell which user triggered an event without having to look at the process 
> which has maybe disappeared in the mean time. I _think_ uid was in the 
> original proposal/idea and don't remember if it was decided we cannot get it 
> deliberately, or it was omitted by accident?

Maybe it would be good to include in the documentation how to extract
extra information that listeners might want?

e.g.

To get the path (or an approximation), do readlink on the fd.

To get the UID/GID of the originator process, look in /proc/<PID>/????

etc.

This would provide easier answers to the questions on including extra
info in the fanotify events.

-- 
Douglas Leeder
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ