From 38ec618a211f5210ee5ed7b6d0d54b4d3ecfb6bb Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Wed, 13 Jul 2016 01:47:58 +0100 Subject: [PATCH] fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737) Various free and proprietary AV products use this feature and users apparently want it. But punting access checks to userland seems like an easy way to deadlock the system, and there will be nothing we can do about that. So warn and taint the kernel if this feature is actually used. --- debian/changelog | 2 ++ debian/config/armel/config.marvell | 5 ++++ debian/config/config | 2 +- ...n-use-of-fanotify_access_permissions.patch | 29 +++++++++++++++++++ debian/patches/series | 3 ++ 5 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch diff --git a/debian/changelog b/debian/changelog index e107ce3a3..306e6d9fc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,6 +15,8 @@ linux (4.7~rc6-1~exp1) UNRELEASED; urgency=medium * [amd64] power: Fix crash whan the hibernation code passes control to the image kernel * [x86] KASLR, power: Remove x86 hibernation restrictions + * fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737) + - Warn and taint kernel if this feature is actually used [ Bastian Blank ] * Mark debug symbols packages to move them into the debug archive. diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell index 049116a4e..83ed5633e 100644 --- a/debian/config/armel/config.marvell +++ b/debian/config/armel/config.marvell @@ -663,6 +663,11 @@ CONFIG_ORION_WATCHDOG=m ## # CONFIG_FS_DAX is not set +## +## file: fs/notify/fanotify/Kconfig +## +# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set + ## ## file: init/Kconfig ## diff --git a/debian/config/config b/debian/config/config index 4b8c853a9..f56c443d6 100644 --- a/debian/config/config +++ b/debian/config/config @@ -5319,7 +5319,7 @@ CONFIG_DNOTIFY=y ## file: fs/notify/fanotify/Kconfig ## CONFIG_FANOTIFY=y -# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y ## ## file: fs/notify/inotify/Kconfig diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch new file mode 100644 index 000000000..77d44b431 --- /dev/null +++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch @@ -0,0 +1,29 @@ +From: Ben Hutchings +Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS +Date: Wed, 13 Jul 2016 01:37:22 +0100 +Forwarded: not-needed + +Various free and proprietary AV products use this feature and users +apparently want it. But punting access checks to userland seems like +an easy way to deadlock the system, and there will be nothing we can +do about that. So warn and taint the kernel if this feature is +actually used. + +--- +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -847,6 +847,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano + #endif + return -EINVAL; + ++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS ++ if (mask & FAN_ALL_PERM_EVENTS) { ++ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n", ++ current->comm, current->pid); ++ add_taint(TAINT_USER, LOCKDEP_STILL_OK); ++ } ++#endif ++ + f = fdget(fanotify_fd); + if (unlikely(!f.file)) + return -EBADF; diff --git a/debian/patches/series b/debian/patches/series index 6ee0974ed..cbdf9a961 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -43,6 +43,9 @@ debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch debian/snd-pcsp-disable-autoload.patch bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch +# Taint if dangerous features are used +debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch + # Arch bug fixes bugfix/x86/x86-power-64-fix-crash-whan-the-hibernation-code-pas.patch