fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737)
Various free and proprietary AV products use this feature and users apparently want it. But punting access checks to userland seems like an easy way to deadlock the system, and there will be nothing we can do about that. So warn and taint the kernel if this feature is actually used.
This commit is contained in:
parent
5e52b9de5c
commit
38ec618a21
|
@ -15,6 +15,8 @@ linux (4.7~rc6-1~exp1) UNRELEASED; urgency=medium
|
|||
* [amd64] power: Fix crash whan the hibernation code passes control to the
|
||||
image kernel
|
||||
* [x86] KASLR, power: Remove x86 hibernation restrictions
|
||||
* fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737)
|
||||
- Warn and taint kernel if this feature is actually used
|
||||
|
||||
[ Bastian Blank ]
|
||||
* Mark debug symbols packages to move them into the debug archive.
|
||||
|
|
|
@ -663,6 +663,11 @@ CONFIG_ORION_WATCHDOG=m
|
|||
##
|
||||
# CONFIG_FS_DAX is not set
|
||||
|
||||
##
|
||||
## file: fs/notify/fanotify/Kconfig
|
||||
##
|
||||
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
|
||||
|
||||
##
|
||||
## file: init/Kconfig
|
||||
##
|
||||
|
|
|
@ -5319,7 +5319,7 @@ CONFIG_DNOTIFY=y
|
|||
## file: fs/notify/fanotify/Kconfig
|
||||
##
|
||||
CONFIG_FANOTIFY=y
|
||||
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
|
||||
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
|
||||
|
||||
##
|
||||
## file: fs/notify/inotify/Kconfig
|
||||
|
|
29
debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
vendored
Normal file
29
debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
vendored
Normal file
|
@ -0,0 +1,29 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
|
||||
Date: Wed, 13 Jul 2016 01:37:22 +0100
|
||||
Forwarded: not-needed
|
||||
|
||||
Various free and proprietary AV products use this feature and users
|
||||
apparently want it. But punting access checks to userland seems like
|
||||
an easy way to deadlock the system, and there will be nothing we can
|
||||
do about that. So warn and taint the kernel if this feature is
|
||||
actually used.
|
||||
|
||||
---
|
||||
--- a/fs/notify/fanotify/fanotify_user.c
|
||||
+++ b/fs/notify/fanotify/fanotify_user.c
|
||||
@@ -847,6 +847,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano
|
||||
#endif
|
||||
return -EINVAL;
|
||||
|
||||
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
|
||||
+ if (mask & FAN_ALL_PERM_EVENTS) {
|
||||
+ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
|
||||
+ current->comm, current->pid);
|
||||
+ add_taint(TAINT_USER, LOCKDEP_STILL_OK);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
f = fdget(fanotify_fd);
|
||||
if (unlikely(!f.file))
|
||||
return -EBADF;
|
|
@ -43,6 +43,9 @@ debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
|
|||
debian/snd-pcsp-disable-autoload.patch
|
||||
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
|
||||
|
||||
# Taint if dangerous features are used
|
||||
debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
|
||||
|
||||
# Arch bug fixes
|
||||
bugfix/x86/x86-power-64-fix-crash-whan-the-hibernation-code-pas.patch
|
||||
|
||||
|
|
Loading…
Reference in New Issue