OpenCloudOS-Kernel/fs
Eric Paris 5322a59f14 fanotify: ignore fanotify ignore marks if open writers
fanotify will clear ignore marks if a task changes the contents of an
inode.  The problem is with the races around when userspace finishes
checking a file and when that result is actually attached to the inode.
This race was described as such:

Consider the following scenario with hostile processes A and B, and
victim process C:
1. Process A opens new file for writing. File check request is generated.
2. File check is performed in userspace. Check result is "file has no malware".
3. The "permit" response is delivered to kernel space.
4. File ignored mark set.
5. Process A writes dummy bytes to the file. File ignored flags are cleared.
6. Process B opens the same file for reading. File check request is generated.
7. File check is performed in userspace. Check result is "file has no malware".
8. Process A writes malware bytes to the file. There is no cached response yet.
9. The "permit" response is delivered to kernel space and is cached in fanotify.
10. File ignored mark set.
11. Now any process C will be permitted to open the malware file.
There is a race between steps 8 and 10

While fanotify makes no strong guarantees about systems with hostile
processes there is no reason we cannot harden against this race.  We do
that by simply ignoring any ignore marks if the inode has open writers (aka
i_writecount > 0).  (We actually do not ignore ignore marks if the
FAN_MARK_SURV_MODIFY flag is set)

Reported-by: Vasily Novikov <vasily.novikov@kaspersky.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
2010-10-28 17:22:14 -04:00
..
9p 9p: Add datasync to client side TFSYNC/RFSYNC for dotl 2010-10-28 09:08:49 -05:00
adfs Merge branch 'vfs' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:01 -07:00
affs new helper: ihold() 2010-10-25 21:26:11 -04:00
afs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
autofs4 fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
befs
bfs new helper: ihold() 2010-10-25 21:26:11 -04:00
btrfs new helper: ihold() 2010-10-25 21:26:11 -04:00
cachefiles llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
ceph writeback: remove nonblocking/encountered_congestion references 2010-10-26 16:52:05 -07:00
cifs writeback: remove nonblocking/encountered_congestion references 2010-10-26 16:52:05 -07:00
coda new helper: ihold() 2010-10-25 21:26:11 -04:00
configfs fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
cramfs cramfs: only unlock new inodes 2010-08-18 01:01:33 -04:00
debugfs fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
devpts
dlm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm 2010-10-22 17:33:16 -07:00
ecryptfs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-10-24 13:41:39 -07:00
efs
exofs new helper: ihold() 2010-10-25 21:26:11 -04:00
exportfs exportfs: use dget_parent 2010-10-25 21:26:13 -04:00
ext2 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-10-27 20:13:18 -07:00
ext3 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-10-27 20:13:18 -07:00
ext4 ext4: fix compile with CONFIG_EXT4_FS_XATTR disabled 2010-10-28 09:29:17 -07:00
fat Merge branch 'for-2.6.37/barrier' of git://git.kernel.dk/linux-2.6-block 2010-10-22 17:07:18 -07:00
freevxfs fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
fscache Add a dummy printk function for the maintenance of unused printks 2010-08-12 09:51:35 -07:00
fuse fuse: use release_pages() 2010-10-27 18:03:17 -07:00
gfs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
hfs switch hfs to hlist_add_fake() 2010-10-25 21:24:16 -04:00
hfsplus Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/hfsplus 2010-10-28 09:32:05 -07:00
hostfs hostfs: code cleanups 2010-10-26 16:52:12 -07:00
hpfs Merge branch 'vfs' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:01 -07:00
hppfs llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
hugetlbfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
isofs isofs: work-around for Rock Ridge+Joliet CDs with empty ISO root directory 2010-10-27 18:03:08 -07:00
jbd Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-10-27 20:13:18 -07:00
jbd2 Merge branch 'upstream-merge' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 2010-10-27 21:54:31 -07:00
jffs2 new helper: ihold() 2010-10-25 21:26:11 -04:00
jfs new helper: ihold() 2010-10-25 21:26:11 -04:00
lockd lockd: fix nlmsvc_notify_blocked locking 2010-10-27 21:39:50 +02:00
logfs new helper: ihold() 2010-10-25 21:26:11 -04:00
minix new helper: ihold() 2010-10-25 21:26:11 -04:00
ncpfs ncpfs: Lock socket in ncpfs while setting its callbacks 2010-10-05 11:02:14 +02:00
nfs Merge branch 'flock' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-27 18:13:34 -07:00
nfs_common
nfsd Merge branch 'flock' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-27 18:13:34 -07:00
nilfs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
nls
notify fanotify: ignore fanotify ignore marks if open writers 2010-10-28 17:22:14 -04:00
ntfs new helper: ihold() 2010-10-25 21:26:11 -04:00
ocfs2 fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
omfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bcopeland/omfs 2010-08-10 11:47:36 -07:00
openpromfs
partitions Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block 2010-10-25 07:45:10 -07:00
proc /proc/stat: fix scalability of irq sum of all cpu 2010-10-27 18:03:13 -07:00
qnx4 BKL: remove BKL from qnx4 2010-10-21 18:48:04 +02:00
quota quota: Fix possible oops in __dquot_initialize() 2010-10-28 01:30:06 +02:00
ramfs fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
romfs llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
squashfs Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
sysfs Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6 2010-10-22 19:36:42 -07:00
sysv new helper: ihold() 2010-10-25 21:26:11 -04:00
ubifs new helper: ihold() 2010-10-25 21:26:11 -04:00
udf new helper: ihold() 2010-10-25 21:26:11 -04:00
ufs new helper: ihold() 2010-10-25 21:26:11 -04:00
xfs Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2010-10-27 20:13:18 -07:00
Kconfig Merge 'staging-next' to Linus's tree 2010-10-28 09:44:56 -07:00
Kconfig.binfmt coredump: default CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y 2010-10-27 18:03:12 -07:00
Makefile Merge 'staging-next' to Linus's tree 2010-10-28 09:44:56 -07:00
aio.c new helper: ihold() 2010-10-25 21:26:11 -04:00
anon_inodes.c fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
attr.c check ATTR_SIZE contraints in inode_change_ok 2010-08-09 16:47:39 -04:00
bad_inode.c bkl: Remove locked .ioctl file operation 2010-08-14 00:24:24 +02:00
binfmt_aout.c Don't dump task struct in a.out core-dumps 2010-10-14 10:57:40 -07:00
binfmt_elf.c ARM: 6342/1: fix ASLR of PIE executables 2010-10-08 10:02:53 +01:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
binfmt_script.c Make do_execve() take a const filename pointer 2010-08-17 18:07:43 -07:00
binfmt_som.c
bio-integrity.c fs/bio-integrity.c: return -ENOMEM on kmalloc failure 2010-08-23 13:36:59 +02:00
bio.c block: unify flags for struct bio and struct request 2010-08-07 18:20:39 +02:00
block_dev.c fs: inode split IO and LRU lists 2010-10-25 21:26:15 -04:00
buffer.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
char_dev.c Merge branch 'llseek' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-22 10:52:56 -07:00
compat.c Merge 'staging-next' to Linus's tree 2010-10-28 09:44:56 -07:00
compat_binfmt_elf.c
compat_ioctl.c Merge 'staging-next' to Linus's tree 2010-10-28 09:44:56 -07:00
dcache.c fs: use RCU read side protection in d_validate 2010-10-25 21:26:13 -04:00
dcookies.c
direct-io.c fs/direct-io.c: fix truncation error in dio_complete() return 2010-10-26 16:52:13 -07:00
drop_caches.c simplify checks for I_CLEAR/I_FREEING 2010-08-09 16:47:44 -04:00
eventfd.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
eventpoll.c epoll: make epoll_wait() use the hrtimer range feature 2010-10-27 18:03:18 -07:00
exec.c exec: don't turn PF_KTHREAD off when a target command was not found 2010-10-27 18:03:13 -07:00
fcntl.c fasync: Fix placement of FASYNC flag comment 2010-10-27 18:17:02 -07:00
fifo.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
file.c vfs: use kmalloc() to allocate fdmem if possible 2010-08-11 08:59:02 -07:00
file_table.c fs: allow for more than 2^31 files 2010-10-26 16:52:15 -07:00
filesystems.c
fs-writeback.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
fs_struct.c fs: fs_struct rwlock to spinlock 2010-08-18 08:35:46 -04:00
generic_acl.c vfs: update ctime when changing the file's permission by setfacl 2010-08-18 01:04:22 -04:00
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
internal.h split invalidate_inodes() 2010-10-25 21:27:18 -04:00
ioctl.c fs: Add FITRIM ioctl 2010-10-27 21:30:11 -04:00
ioprio.c
libfs.c new helper: ihold() 2010-10-25 21:26:11 -04:00
locks.c Merge branch 'flock' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/bkl 2010-10-27 18:13:34 -07:00
mbcache.c mbcache: Limit the maximum number of cache entries 2010-08-18 06:24:41 -04:00
mpage.c
namei.c new helper: ihold() 2010-10-25 21:26:11 -04:00
namespace.c vfs: fix infinite loop caused by clone_mnt race 2010-10-25 21:24:16 -04:00
nfsctl.c
no-block.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
open.c fs: cleanup files_lock locking 2010-08-18 08:35:47 -04:00
pipe.c fs: do not assign default i_ino in new_inode 2010-10-25 21:26:11 -04:00
pnode.c fs: brlock vfsmount_lock 2010-08-18 08:35:48 -04:00
pnode.h
posix_acl.c
read_write.c vfs: introduce FMODE_UNSIGNED_OFFSET for allowing negative f_pos 2010-10-25 21:18:21 -04:00
read_write.h
readdir.c vfs: fix warning: 'dirent' is used uninitialized in this function 2010-08-09 20:45:05 -07:00
select.c epoll: make epoll_wait() use the hrtimer range feature 2010-10-27 18:03:18 -07:00
seq_file.c fs: take dcache_lock inside __d_path 2010-10-25 21:26:12 -04:00
signalfd.c Merge branch 'hwpoison' of git://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-mce-2.6 2010-10-26 10:13:10 -07:00
splice.c splice: fix misuse of SPLICE_F_NONBLOCK 2010-08-07 18:52:56 +02:00
stack.c
stat.c Mark arguments to certain syscalls as being const 2010-08-13 16:53:13 -07:00
statfs.c add f_flags to struct statfs(64) 2010-08-09 16:48:44 -04:00
super.c split invalidate_inodes() 2010-10-25 21:27:18 -04:00
sync.c get rid of file_fsync() 2010-08-09 16:47:43 -04:00
timerfd.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
utimes.c Mark arguments to certain syscalls as being const 2010-08-13 16:53:13 -07:00
xattr.c
xattr_acl.c