1. 29 6月, 2013 1 次提交
  2. 10 5月, 2013 1 次提交
  3. 04 3月, 2013 1 次提交
  4. 23 2月, 2013 1 次提交
  5. 18 12月, 2012 1 次提交
    • C
      fs, notify: add procfs fdinfo helper · be77196b
      Cyrill Gorcunov 提交于
      This allow us to print out fsnotify details such as watchee inode, device,
      mask and optionally a file handle.
      
      For inotify objects if kernel compiled with exportfs support the output
      will be
      
       | pos:	0
       | flags:	02000000
       | inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
       | inotify wd:2 ino:a111 sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:11a1000020542153
       | inotify wd:1 ino:6b149 sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:49b1060023552153
      
      If kernel compiled without exportfs support, the file handle
      won't be provided but inode and device only.
      
       | pos:	0
       | flags:	02000000
       | inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0
       | inotify wd:2 ino:a111 sdev:800013 mask:800afce ignored_mask:0
       | inotify wd:1 ino:6b149 sdev:800013 mask:800afce ignored_mask:0
      
      For fanotify the output is like
      
       | pos:	0
       | flags:	04002
       | fanotify flags:10 event-flags:0
       | fanotify mnt_id:12 mask:3b ignored_mask:0
       | fanotify ino:50205 sdev:800013 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:05020500fb1d47e7
      
      To minimize impact on general fsnotify code the new functionality
      is gathered in fs/notify/fdinfo.c file.
      Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
      Acked-by: NPavel Emelyanov <xemul@parallels.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Andrey Vagin <avagin@openvz.org>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: James Bottomley <jbottomley@parallels.com>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Matthew Helsley <matt.helsley@gmail.com>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      be77196b
  6. 12 12月, 2012 5 次提交
  7. 19 11月, 2012 2 次提交
  8. 09 11月, 2012 1 次提交
  9. 27 9月, 2012 2 次提交
  10. 23 7月, 2012 1 次提交
  11. 04 1月, 2012 1 次提交
  12. 31 3月, 2011 1 次提交
  13. 01 3月, 2011 1 次提交
  14. 16 12月, 2010 1 次提交
  15. 08 12月, 2010 6 次提交
    • L
      fanotify: Dont try to open a file descriptor for the overflow event · fdbf3cee
      Lino Sanfilippo 提交于
      We should not try to open a file descriptor for the overflow event since this
      will always fail.
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      fdbf3cee
    • E
      fanotify: do not leak user reference on allocation failure · 26379198
      Eric Paris 提交于
      If fanotify_init is unable to allocate a new fsnotify group it will
      return but will not drop its reference on the associated user struct.
      Drop that reference on error.
      Reported-by: NVegard Nossum <vegard.nossum@gmail.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      26379198
    • L
      fanotify: on group destroy allow all waiters to bypass permission check · 09e5f14e
      Lino Sanfilippo 提交于
      When fanotify_release() is called, there may still be processes waiting for
      access permission. Currently only processes for which an event has already been
      queued into the groups access list will be woken up.  Processes for which no
      event has been queued will continue to sleep and thus cause a deadlock when
      fsnotify_put_group() is called.
      Furthermore there is a race allowing further processes to be waiting on the
      access wait queue after wake_up (if they arrive before clear_marks_by_group()
      is called).
      This patch corrects this by setting a flag to inform processes that the group
      is about to be destroyed and thus not to wait for access permission.
      
      [additional changelog from eparis]
      Lets think about the 4 relevant code paths from the PoV of the
      'operator' 'listener' 'responder' and 'closer'.  Where operator is the
      process doing an action (like open/read) which could require permission.
      Listener is the task (or in this case thread) slated with reading from
      the fanotify file descriptor.  The 'responder' is the thread responsible
      for responding to access requests.  'Closer' is the thread attempting to
      close the fanotify file descriptor.
      
      The 'operator' is going to end up in:
      fanotify_handle_event()
        get_response_from_access()
          (THIS BLOCKS WAITING ON USERSPACE)
      
      The 'listener' interesting code path
      fanotify_read()
        copy_event_to_user()
          prepare_for_access_response()
            (THIS CREATES AN fanotify_response_event)
      
      The 'responder' code path:
      fanotify_write()
        process_access_response()
          (REMOVE A fanotify_response_event, SET RESPONSE, WAKE UP 'operator')
      
      The 'closer':
      fanotify_release()
        (SUPPOSED TO CLEAN UP THE REST OF THIS MESS)
      
      What we have today is that in the closer we remove all of the
      fanotify_response_events and set a bit so no more response events are
      ever created in prepare_for_access_response().
      
      The bug is that we never wake all of the operators up and tell them to
      move along.  You fix that in fanotify_get_response_from_access().  You
      also fix other operators which haven't gotten there yet.  So I agree
      that's a good fix.
      [/additional changelog from eparis]
      
      [remove additional changes to minimize patch size]
      [move initialization so it was inside CONFIG_FANOTIFY_PERMISSION]
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      09e5f14e
    • L
      fanotify: Dont allow a mask of 0 if setting or removing a mark · 1734dee4
      Lino Sanfilippo 提交于
      In mark_remove_from_mask() we destroy marks that have their event mask cleared.
      Thus we should not allow the creation of those marks in the first place.
      With this patch we check if the mask given from user is 0 in case of FAN_MARK_ADD.
      If so we return an error. Same for FAN_MARK_REMOVE since this does not have any
      effect.
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      1734dee4
    • L
      fanotify: correct broken ref counting in case adding a mark failed · fa218ab9
      Lino Sanfilippo 提交于
      If adding a mount or inode mark failed fanotify_free_mark() is called explicitly.
      But at this time the mark has already been put into the destroy list of the
      fsnotify_mark kernel thread. If the thread is too slow it will try to decrease
      the reference of a mark, that has already been freed by fanotify_free_mark().
      (If its fast enough it will only decrease the marks ref counter from 2 to 1 - note
      that the counter has been increased to 2 in add_mark() - which has practically no
      effect.)
      
      This patch fixes the ref counting by not calling free_mark() explicitly, but
      decreasing the ref counter and rely on the fsnotify_mark thread to cleanup in
      case adding the mark has failed.
      Signed-off-by: NLino Sanfilippo <LinoSanfilippo@gmx.de>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      fa218ab9
    • E
      fanotify: deny permissions when no event was sent · ecf6f5e7
      Eric Paris 提交于
      If no event was sent to userspace we cannot expect userspace to respond to
      permissions requests.  Today such requests just hang forever. This patch will
      deny any permissions event which was unable to be sent to userspace.
      Reported-by: NTvrtko Ursulin <tvrtko.ursulin@sophos.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      ecf6f5e7
  16. 02 11月, 2010 1 次提交
  17. 31 10月, 2010 1 次提交
  18. 29 10月, 2010 11 次提交
    • A
      fs/notify/fanotify/fanotify_user.c: fix warnings · 19ba54f4
      Andrew Morton 提交于
      fs/notify/fanotify/fanotify_user.c: In function 'fanotify_release':
      fs/notify/fanotify/fanotify_user.c:375: warning: unused variable 'lre'
      fs/notify/fanotify/fanotify_user.c:375: warning: unused variable 're'
      
      this is really ugly.
      
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      19ba54f4
    • E
      fanotify: do not recalculate the mask if the ignored mask changed · 192ca4d1
      Eric Paris 提交于
      If fanotify sets a new bit in the ignored mask it will cause the generic
      fsnotify layer to recalculate the real mask.  This is stupid since we
      didn't change that part.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      192ca4d1
    • E
      fanotify: ignore events on directories unless specifically requested · 8fcd6528
      Eric Paris 提交于
      fanotify has a very limited number of events it sends on directories.  The
      usefulness of these events is yet to be seen and still we send them.  This
      is particularly painful for mount marks where one might receive many of
      these useless events.  As such this patch will drop events on IS_DIR()
      inodes unless they were explictly requested with FAN_ON_DIR.
      
      This means that a mark on a directory without FAN_EVENT_ON_CHILD or
      FAN_ON_DIR is meaningless and will result in no events ever (although it
      will still be allowed since detecting it is hard)
      Signed-off-by: NEric Paris <eparis@redhat.com>
      8fcd6528
    • E
      fanotify: do not send events for irregular files · e1c048ba
      Eric Paris 提交于
      fanotify_should_send_event has a test to see if an object is a file or
      directory and does not send an event otherwise.  The problem is that the
      test is actually checking if the object with a mark is a file or directory,
      not if the object the event happened on is a file or directory.  We should
      check the latter.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      e1c048ba
    • E
      fanotify: limit number of listeners per user · 4afeff85
      Eric Paris 提交于
      fanotify currently has no limit on the number of listeners a given user can
      have open.  This patch limits the total number of listeners per user to
      128.  This is the same as the inotify default limit.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      4afeff85
    • E
      fanotify: allow userspace to override max marks · ac7e22dc
      Eric Paris 提交于
      Some fanotify groups, especially those like AV scanners, will need to place
      lots of marks, particularly ignore marks.  Since ignore marks do not pin
      inodes in cache and are cleared if the inode is removed from core (usually
      under memory pressure) we expose an interface for listeners, with
      CAP_SYS_ADMIN, to override the maximum number of marks and be allowed to
      set and 'unlimited' number of marks.  Programs which make use of this
      feature will be able to OOM a machine.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      ac7e22dc
    • E
      fanotify: limit the number of marks in a single fanotify group · e7099d8a
      Eric Paris 提交于
      There is currently no limit on the number of marks a given fanotify group
      can have.  Since fanotify is gated on CAP_SYS_ADMIN this was not seen as
      a serious DoS threat.  This patch implements a default of 8192, the same as
      inotify to work towards removing the CAP_SYS_ADMIN gating and eliminating
      the default DoS'able status.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      e7099d8a
    • E
      fanotify: allow userspace to override max queue depth · 5dd03f55
      Eric Paris 提交于
      fanotify has a defualt max queue depth.  This patch allows processes which
      explicitly request it to have an 'unlimited' queue depth.  These processes
      need to be very careful to make sure they cannot fall far enough behind
      that they OOM the box.  Thus this flag is gated on CAP_SYS_ADMIN.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      5dd03f55
    • E
      fsnotify: implement a default maximum queue depth · 2529a0df
      Eric Paris 提交于
      Currently fanotify has no maximum queue depth.  Since fanotify is
      CAP_SYS_ADMIN only this does not pose a normal user DoS issue, but it
      certianly is possible that an fanotify listener which can't keep up could
      OOM the box.  This patch implements a default 16k depth.  This is the same
      default depth used by inotify, but given fanotify's better queue merging in
      many situations this queue will contain many additional useful events by
      comparison.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      2529a0df
    • E
      fanotify: ignore fanotify ignore marks if open writers · 5322a59f
      Eric Paris 提交于
      fanotify will clear ignore marks if a task changes the contents of an
      inode.  The problem is with the races around when userspace finishes
      checking a file and when that result is actually attached to the inode.
      This race was described as such:
      
      Consider the following scenario with hostile processes A and B, and
      victim process C:
      1. Process A opens new file for writing. File check request is generated.
      2. File check is performed in userspace. Check result is "file has no malware".
      3. The "permit" response is delivered to kernel space.
      4. File ignored mark set.
      5. Process A writes dummy bytes to the file. File ignored flags are cleared.
      6. Process B opens the same file for reading. File check request is generated.
      7. File check is performed in userspace. Check result is "file has no malware".
      8. Process A writes malware bytes to the file. There is no cached response yet.
      9. The "permit" response is delivered to kernel space and is cached in fanotify.
      10. File ignored mark set.
      11. Now any process C will be permitted to open the malware file.
      There is a race between steps 8 and 10
      
      While fanotify makes no strong guarantees about systems with hostile
      processes there is no reason we cannot harden against this race.  We do
      that by simply ignoring any ignore marks if the inode has open writers (aka
      i_writecount > 0).  (We actually do not ignore ignore marks if the
      FAN_MARK_SURV_MODIFY flag is set)
      Reported-by: NVasily Novikov <vasily.novikov@kaspersky.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      5322a59f
    • E
      fanotify: implement fanotify listener ordering · 4231a235
      Eric Paris 提交于
      The fanotify listeners needs to be able to specify what types of operations
      they are going to perform so they can be ordered appropriately between other
      listeners doing other types of operations.  They need this to be able to make
      sure that things like hierarchichal storage managers will get access to inodes
      before processes which need the data.  This patch defines 3 possible uses
      which groups must indicate in the fanotify_init() flags.
      
      FAN_CLASS_PRE_CONTENT
      FAN_CLASS_CONTENT
      FAN_CLASS_NOTIF
      
      Groups will receive notification in that order.  The order between 2 groups in
      the same class is undeterministic.
      
      FAN_CLASS_PRE_CONTENT is intended to be used by listeners which need access to
      the inode before they are certain that the inode contains it's final data.  A
      hierarchical storage manager should choose to use this class.
      
      FAN_CLASS_CONTENT is intended to be used by listeners which need access to the
      inode after it contains its intended contents.  This would be the appropriate
      level for an AV solution or document control system.
      
      FAN_CLASS_NOTIF is intended for normal async notification about access, much the
      same as inotify and dnotify.  Syncronous permissions events are not permitted
      at this class.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      4231a235
  19. 15 10月, 2010 1 次提交
    • A
      llseek: automatically add .llseek fop · 6038f373
      Arnd Bergmann 提交于
      All file_operations should get a .llseek operation so we can make
      nonseekable_open the default for future file operations without a
      .llseek pointer.
      
      The three cases that we can automatically detect are no_llseek, seq_lseek
      and default_llseek. For cases where we can we can automatically prove that
      the file offset is always ignored, we use noop_llseek, which maintains
      the current behavior of not returning an error from a seek.
      
      New drivers should normally not use noop_llseek but instead use no_llseek
      and call nonseekable_open at open time.  Existing drivers can be converted
      to do the same when the maintainer knows for certain that no user code
      relies on calling seek on the device file.
      
      The generated code is often incorrectly indented and right now contains
      comments that clarify for each added line why a specific variant was
      chosen. In the version that gets submitted upstream, the comments will
      be gone and I will manually fix the indentation, because there does not
      seem to be a way to do that using coccinelle.
      
      Some amount of new code is currently sitting in linux-next that should get
      the same modifications, which I will do at the end of the merge window.
      
      Many thanks to Julia Lawall for helping me learn to write a semantic
      patch that does all this.
      
      ===== begin semantic patch =====
      // This adds an llseek= method to all file operations,
      // as a preparation for making no_llseek the default.
      //
      // The rules are
      // - use no_llseek explicitly if we do nonseekable_open
      // - use seq_lseek for sequential files
      // - use default_llseek if we know we access f_pos
      // - use noop_llseek if we know we don't access f_pos,
      //   but we still want to allow users to call lseek
      //
      @ open1 exists @
      identifier nested_open;
      @@
      nested_open(...)
      {
      <+...
      nonseekable_open(...)
      ...+>
      }
      
      @ open exists@
      identifier open_f;
      identifier i, f;
      identifier open1.nested_open;
      @@
      int open_f(struct inode *i, struct file *f)
      {
      <+...
      (
      nonseekable_open(...)
      |
      nested_open(...)
      )
      ...+>
      }
      
      @ read disable optional_qualifier exists @
      identifier read_f;
      identifier f, p, s, off;
      type ssize_t, size_t, loff_t;
      expression E;
      identifier func;
      @@
      ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
      {
      <+...
      (
         *off = E
      |
         *off += E
      |
         func(..., off, ...)
      |
         E = *off
      )
      ...+>
      }
      
      @ read_no_fpos disable optional_qualifier exists @
      identifier read_f;
      identifier f, p, s, off;
      type ssize_t, size_t, loff_t;
      @@
      ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
      {
      ... when != off
      }
      
      @ write @
      identifier write_f;
      identifier f, p, s, off;
      type ssize_t, size_t, loff_t;
      expression E;
      identifier func;
      @@
      ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
      {
      <+...
      (
        *off = E
      |
        *off += E
      |
        func(..., off, ...)
      |
        E = *off
      )
      ...+>
      }
      
      @ write_no_fpos @
      identifier write_f;
      identifier f, p, s, off;
      type ssize_t, size_t, loff_t;
      @@
      ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
      {
      ... when != off
      }
      
      @ fops0 @
      identifier fops;
      @@
      struct file_operations fops = {
       ...
      };
      
      @ has_llseek depends on fops0 @
      identifier fops0.fops;
      identifier llseek_f;
      @@
      struct file_operations fops = {
      ...
       .llseek = llseek_f,
      ...
      };
      
      @ has_read depends on fops0 @
      identifier fops0.fops;
      identifier read_f;
      @@
      struct file_operations fops = {
      ...
       .read = read_f,
      ...
      };
      
      @ has_write depends on fops0 @
      identifier fops0.fops;
      identifier write_f;
      @@
      struct file_operations fops = {
      ...
       .write = write_f,
      ...
      };
      
      @ has_open depends on fops0 @
      identifier fops0.fops;
      identifier open_f;
      @@
      struct file_operations fops = {
      ...
       .open = open_f,
      ...
      };
      
      // use no_llseek if we call nonseekable_open
      ////////////////////////////////////////////
      @ nonseekable1 depends on !has_llseek && has_open @
      identifier fops0.fops;
      identifier nso ~= "nonseekable_open";
      @@
      struct file_operations fops = {
      ...  .open = nso, ...
      +.llseek = no_llseek, /* nonseekable */
      };
      
      @ nonseekable2 depends on !has_llseek @
      identifier fops0.fops;
      identifier open.open_f;
      @@
      struct file_operations fops = {
      ...  .open = open_f, ...
      +.llseek = no_llseek, /* open uses nonseekable */
      };
      
      // use seq_lseek for sequential files
      /////////////////////////////////////
      @ seq depends on !has_llseek @
      identifier fops0.fops;
      identifier sr ~= "seq_read";
      @@
      struct file_operations fops = {
      ...  .read = sr, ...
      +.llseek = seq_lseek, /* we have seq_read */
      };
      
      // use default_llseek if there is a readdir
      ///////////////////////////////////////////
      @ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier readdir_e;
      @@
      // any other fop is used that changes pos
      struct file_operations fops = {
      ... .readdir = readdir_e, ...
      +.llseek = default_llseek, /* readdir is present */
      };
      
      // use default_llseek if at least one of read/write touches f_pos
      /////////////////////////////////////////////////////////////////
      @ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier read.read_f;
      @@
      // read fops use offset
      struct file_operations fops = {
      ... .read = read_f, ...
      +.llseek = default_llseek, /* read accesses f_pos */
      };
      
      @ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier write.write_f;
      @@
      // write fops use offset
      struct file_operations fops = {
      ... .write = write_f, ...
      +	.llseek = default_llseek, /* write accesses f_pos */
      };
      
      // Use noop_llseek if neither read nor write accesses f_pos
      ///////////////////////////////////////////////////////////
      
      @ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier read_no_fpos.read_f;
      identifier write_no_fpos.write_f;
      @@
      // write fops use offset
      struct file_operations fops = {
      ...
       .write = write_f,
       .read = read_f,
      ...
      +.llseek = noop_llseek, /* read and write both use no f_pos */
      };
      
      @ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier write_no_fpos.write_f;
      @@
      struct file_operations fops = {
      ... .write = write_f, ...
      +.llseek = noop_llseek, /* write uses no f_pos */
      };
      
      @ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      identifier read_no_fpos.read_f;
      @@
      struct file_operations fops = {
      ... .read = read_f, ...
      +.llseek = noop_llseek, /* read uses no f_pos */
      };
      
      @ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
      identifier fops0.fops;
      @@
      struct file_operations fops = {
      ...
      +.llseek = noop_llseek, /* no read or write fn */
      };
      ===== End semantic patch =====
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Cc: Julia Lawall <julia@diku.dk>
      Cc: Christoph Hellwig <hch@infradead.org>
      6038f373