[linux] 01/01: fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Jul 13 00:54:49 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 38ec618a211f5210ee5ed7b6d0d54b4d3ecfb6bb
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Jul 13 01:47:58 2016 +0100

    fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737)
    
    Various free and proprietary AV products use this feature and users
    apparently want it.  But punting access checks to userland seems like
    an easy way to deadlock the system, and there will be nothing we can
    do about that.  So warn and taint the kernel if this feature is
    actually used.
---
 debian/changelog                                   |  2 ++
 debian/config/armel/config.marvell                 |  5 ++++
 debian/config/config                               |  2 +-
 ...int-on-use-of-fanotify_access_permissions.patch | 29 ++++++++++++++++++++++
 debian/patches/series                              |  3 +++
 5 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index e107ce3..306e6d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ linux (4.7~rc6-1~exp1) UNRELEASED; urgency=medium
   * [amd64] power: Fix crash whan the hibernation code passes control to the
     image kernel
   * [x86] KASLR, power: Remove x86 hibernation restrictions
+  * fanotify: Enable FANOTIFY_ACCESS_PERMISSIONS (Closes: #690737)
+    - Warn and taint kernel if this feature is actually used
 
   [ Bastian Blank ]
   * Mark debug symbols packages to move them into the debug archive.
diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell
index 049116a..83ed563 100644
--- a/debian/config/armel/config.marvell
+++ b/debian/config/armel/config.marvell
@@ -664,6 +664,11 @@ CONFIG_ORION_WATCHDOG=m
 # CONFIG_FS_DAX is not set
 
 ##
+## file: fs/notify/fanotify/Kconfig
+##
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
+
+##
 ## file: init/Kconfig
 ##
 #. Saves about 7K
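Review bot: the armel/marvell config keeps CONFIG_FANOTIFY_ACCESS_PERMISSIONS unset while debian/config/config in the same commit turns it on, but the override carries no rationale; this file already uses `#.` comment lines for exactly that (`#. Saves about 7K` under init/Kconfig), so a one-line `#.` note above `# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set` saying whether the flavour is excluded for size or on purpose would save the next reader a git blame.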
diff --git a/debian/config/config b/debian/config/config
index 4b8c853..f56c443 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -5319,7 +5319,7 @@ CONFIG_DNOTIFY=y
 ## file: fs/notify/fanotify/Kconfig
 ##
 CONFIG_FANOTIFY=y
-# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
+CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
 
 ##
 ## file: fs/notify/inotify/Kconfig
diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
new file mode 100644
index 0000000..77d44b4
--- /dev/null
+++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
+Date: Wed, 13 Jul 2016 01:37:22 +0100
+Forwarded: not-needed
+
+Various free and proprietary AV products use this feature and users
+apparently want it.  But punting access checks to userland seems like
+an easy way to deadlock the system, and there will be nothing we can
+do about that.  So warn and taint the kernel if this feature is
+actually used.
+
+---
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -847,6 +847,14 @@ SYSCALL_DEFINE5(fanotify_mark, int, fano
+ #endif
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
++	if (mask & FAN_ALL_PERM_EVENTS) {
++		pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
++			     current->comm, current->pid);
++		add_taint(TAINT_USER, LOCKDEP_STILL_OK);
++	}
++#endif
++
+ 	f = fdget(fanotify_fd);
+ 	if (unlikely(!f.file))
+ 		return -EBADF;
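Review bot: the new block runs before `f = fdget(fanotify_fd);` and the `-EBADF` return that follow it, so a call with a permission event in `mask` logs the warning and taints the kernel even when the descriptor is invalid and no mark is ever added; since the commit message says the taint should track the feature being "actually used", moving the check below the fd validation (and restricting it to the mark-add path so that a FAN_MARK_REMOVE does not taint) would make the taint mean what the message says. `pr_warn_once` also means only the first caller's comm/pid is ever logged, so the taint flag will outlive any record of who set it; a plain `pr_warn` ratelimited per process, or a comment accepting the limitation, would help whoever reads the oops later. `add_taint(TAINT_USER, LOCKDEP_STILL_OK)` itself is the right call, since the change takes no locks.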
diff --git a/debian/patches/series b/debian/patches/series
index 6ee0974..cbdf9a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -43,6 +43,9 @@ debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
 debian/snd-pcsp-disable-autoload.patch
 bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 
+# Taint if dangerous features are used
+debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
+
 # Arch bug fixes
 bugfix/x86/x86-power-64-fix-crash-whan-the-hibernation-code-pas.patch
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git