| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 05 Aug 2009 11:12:23 +0100
From: Douglas Leeder <douglas.leeder@...hos.com>
To: Tvrtko Ursulin <tvrtko.ursulin@...hos.com>
CC: Eric Paris <eparis@...hat.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"malware-list@...sg.printk.net" <malware-list@...sg.printk.net>,
"Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
"greg@...ah.com" <greg@...ah.com>,
"jcm@...hat.com" <jcm@...hat.com>, "tytso@....edu" <tytso@....edu>,
"arjan@...radead.org" <arjan@...radead.org>,
"david@...g.hm" <david@...g.hm>,
"jengelh@...ozas.de" <jengelh@...ozas.de>,
"aviro@...hat.com" <aviro@...hat.com>,
"mrkafk@...il.com" <mrkafk@...il.com>,
"alexl@...hat.com" <alexl@...hat.com>,
"jack@...e.cz" <jack@...e.cz>,
"a.p.zijlstra@...llo.nl" <a.p.zijlstra@...llo.nl>,
"hch@...radead.org" <hch@...radead.org>,
"alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
"mmorley@....in" <mmorley@....in>, "pavel@...e.cz" <pavel@...e.cz>
Subject: Re: fanotify - overall design before I start sending patches
Tvrtko Ursulin wrote:
> On Friday 24 July 2009 21:13:49 Eric Paris wrote:
>> After the socket is bound events are attained using the read() syscall
>> (recv* probably also works haven't tested). This will result in the
>> buffer being filled with one or more events like this:
>>
>> struct fanotify_event_metadata {
>> __u32 event_len;
>> __s32 fd;
>> __u32 mask;
>> __u32 f_flags;
>> __s32 pid;
>> __s32 tgid;
>> __u64 cookie;
>> } __attribute__((packed));
>>
>> fd specifies the new file descriptor that was created in the context of
>> the listener. (readlink of /proc/self/fd will give you A pathname)
>> mask indicates the events type (bitwise OR of the event types listed
>> above). f_flags here is the f_flags the ORIGINAL process has the file
>> open with. pid and tgid are from the original process. cookie is used
>> when the listener needs to allow, deny, or delay the operation.
>
> One more thing. uid and gid (possibly whole set?) would be useful so we can
> tell which user triggered an event without having to look at the process
> which has maybe disappeared in the mean time. I _think_ uid was in the
> original proposal/idea and don't remember if it was decided we cannot get it
> deliberately, or it was omitted by accident?
Maybe it would be good to include in the documentation how to extract
extra information that listeners might want?
e.g.
To get the path (or an approximation), do readlink on the fd.
To get the UID/GID of the originator process, look in /proc/<PID>/????
etc.
This would provide easier answers to the questions on including extra
info in the fanotify events.
--
Douglas Leeder
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists