From 86049ad9e3e586162eaac134c6a16a375a98756e Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 13 Jul 2016 01:37:22 +0100 Subject: [PATCH] fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS Forwarded: not-needed Various free and proprietary AV products use this feature and users apparently want it. But punting access checks to userland seems like an easy way to deadlock the system, and there will be nothing we can do about that. So warn and taint the kernel if this feature is actually used. Gbp-Pq: Topic debian Gbp-Pq: Name fanotify-taint-on-use-of-fanotify_access_permissions.patch --- fs/notify/fanotify/fanotify_user.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index 84de9f97bbc..1487b25d4bd 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -1188,6 +1188,14 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask, if (ignored) mask &= ~FANOTIFY_EVENT_FLAGS; +#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS + if (mask & FANOTIFY_PERM_EVENTS) { + pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n", + current->comm, current->pid); + add_taint(TAINT_AUX, LOCKDEP_STILL_OK); + } +#endif + f = fdget(fanotify_fd); if (unlikely(!f.file)) return -EBADF; -- 2.30.2