[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201008201729.09535.agruen@suse.de>
Date: Fri, 20 Aug 2010 17:29:07 +0200
From: Andreas Gruenbacher <agruen@...e.de>
To: Christoph Hellwig <hch@...radead.org>,
Andreas Dilger <adilger@...ger.ca>
Cc: Eric Paris <eparis@...hat.com>, Matt Helsley <matthltc@...ibm.com>,
torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
viro@...iv.linux.org.uk, akpm@...ux-foundation.org,
Michael Kerrisk <michael.kerrisk@...il.com>,
linux-fsdevel@...r.kernel.org
Subject: Re: [GIT PULL] notification tree: directory events
On Friday 20 August 2010 11:21:27 Christoph Hellwig wrote:
> On Thu, Aug 19, 2010 at 11:19:07PM -0600, Andreas Dilger wrote:
> > What about unifying the file identification here with the file handle
> > used for open_by_handle()? That keeps a consistent identifier for the
> > inode between multiple system calls (always a good thing), and allows
> > the inode to be opened again via open_by_handle() if needed.
>
> That's what the dmapi callouts that are intendeded to do just about the
> same as fanotify always did. I'm pretty sure I brought this up earlier
> in the discussion.
I remember you bringing this up.
The persistent handles require CAP_DAC_READ_SEARCH for using open_by_handle()
to prevent an unprivileged process from forging handles and bypassing
directory permission checks. This would be okay for users of fanotify which
can listen to all events in their namespace (and which requires CAP_SYS_ADMIN
anyway).
I don't see how open_by_handle() could be made safe to use by arbitrary
processes; I don't think we can make the handles cryptographically strong, for
example. But I may be overlooking something here.
[Side note: checking for CAP_DAC_READ_SEARCH in fanotify would probably be
enough when no perm events are involved because dentry_open() performs tail
permission checks anyway.]
In the future it will make sense to extend fanotify to allow unprivileged
processes to listen to "their own" events, for example, like inotify does
today. (You know that providing a better inotify replacement was one of the
goals of fanotify before it got merged anyway.) Unprivileged processes
wouldn't be allowed to use open_by_handle() anymore though, and so file
handles still look like a better choice for fanotify to me.
Thanks,
Andreas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists