1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/fanotify.h>
3 #include <linux/fcntl.h>
4 #include <linux/fdtable.h>
5 #include <linux/file.h>
7 #include <linux/anon_inodes.h>
8 #include <linux/fsnotify_backend.h>
9 #include <linux/init.h>
10 #include <linux/mount.h>
11 #include <linux/namei.h>
12 #include <linux/poll.h>
13 #include <linux/security.h>
14 #include <linux/syscalls.h>
15 #include <linux/slab.h>
16 #include <linux/types.h>
17 #include <linux/uaccess.h>
18 #include <linux/compat.h>
19 #include <linux/sched/signal.h>
20 #include <linux/memcontrol.h>
21 #include <linux/statfs.h>
22 #include <linux/exportfs.h>
24 #include <asm/ioctls.h>
26 #include "../../mount.h"
27 #include "../fdinfo.h"
30 #define FANOTIFY_DEFAULT_MAX_EVENTS 16384
31 #define FANOTIFY_OLD_DEFAULT_MAX_MARKS 8192
32 #define FANOTIFY_DEFAULT_MAX_GROUPS 128
33 #define FANOTIFY_DEFAULT_FEE_POOL_SIZE 32
36 * Legacy fanotify marks limits (8192) is per group and we introduced a tunable
37 * limit of marks per user, similar to inotify. Effectively, the legacy limit
38 * of fanotify marks per user is <max marks per group> * <max groups per user>.
39 * This default limit (1M) also happens to match the increased limit of inotify
40 * max_user_watches since v5.10.
42 #define FANOTIFY_DEFAULT_MAX_USER_MARKS \
43 (FANOTIFY_OLD_DEFAULT_MAX_MARKS * FANOTIFY_DEFAULT_MAX_GROUPS)
46 * Most of the memory cost of adding an inode mark is pinning the marked inode.
47 * The size of the filesystem inode struct is not uniform across filesystems,
48 * so double the size of a VFS inode is used as a conservative approximation.
50 #define INODE_MARK_COST (2 * sizeof(struct inode))
52 /* configurable via /proc/sys/fs/fanotify/ */
53 static int fanotify_max_queued_events __read_mostly;
57 #include <linux/sysctl.h>
59 static long ft_zero = 0;
60 static long ft_int_max = INT_MAX;
62 static struct ctl_table fanotify_table[] = {
64 .procname = "max_user_groups",
65 .data = &init_user_ns.ucount_max[UCOUNT_FANOTIFY_GROUPS],
66 .maxlen = sizeof(long),
68 .proc_handler = proc_doulongvec_minmax,
70 .extra2 = &ft_int_max,
73 .procname = "max_user_marks",
74 .data = &init_user_ns.ucount_max[UCOUNT_FANOTIFY_MARKS],
75 .maxlen = sizeof(long),
77 .proc_handler = proc_doulongvec_minmax,
79 .extra2 = &ft_int_max,
82 .procname = "max_queued_events",
83 .data = &fanotify_max_queued_events,
84 .maxlen = sizeof(int),
86 .proc_handler = proc_dointvec_minmax,
92 static void __init fanotify_sysctls_init(void)
94 register_sysctl("fs/fanotify", fanotify_table);
97 #define fanotify_sysctls_init() do { } while (0)
98 #endif /* CONFIG_SYSCTL */
101 * All flags that may be specified in parameter event_f_flags of fanotify_init.
103 * Internal and external open flags are stored together in field f_flags of
104 * struct file. Only external open flags shall be allowed in event_f_flags.
105 * Internal flags like FMODE_NONOTIFY, FMODE_EXEC, FMODE_NOCMTIME shall be
108 #define FANOTIFY_INIT_ALL_EVENT_F_BITS ( \
109 O_ACCMODE | O_APPEND | O_NONBLOCK | \
110 __O_SYNC | O_DSYNC | O_CLOEXEC | \
111 O_LARGEFILE | O_NOATIME )
113 extern const struct fsnotify_ops fanotify_fsnotify_ops;
115 struct kmem_cache *fanotify_mark_cache __read_mostly;
116 struct kmem_cache *fanotify_fid_event_cachep __read_mostly;
117 struct kmem_cache *fanotify_path_event_cachep __read_mostly;
118 struct kmem_cache *fanotify_perm_event_cachep __read_mostly;
120 #define FANOTIFY_EVENT_ALIGN 4
121 #define FANOTIFY_FID_INFO_HDR_LEN \
122 (sizeof(struct fanotify_event_info_fid) + sizeof(struct file_handle))
123 #define FANOTIFY_PIDFD_INFO_HDR_LEN \
124 sizeof(struct fanotify_event_info_pidfd)
125 #define FANOTIFY_ERROR_INFO_LEN \
126 (sizeof(struct fanotify_event_info_error))
128 static int fanotify_fid_info_len(int fh_len, int name_len)
130 int info_len = fh_len;
133 info_len += name_len + 1;
135 return roundup(FANOTIFY_FID_INFO_HDR_LEN + info_len,
136 FANOTIFY_EVENT_ALIGN);
139 /* FAN_RENAME may have one or two dir+name info records */
140 static int fanotify_dir_name_info_len(struct fanotify_event *event)
142 struct fanotify_info *info = fanotify_event_info(event);
143 int dir_fh_len = fanotify_event_dir_fh_len(event);
144 int dir2_fh_len = fanotify_event_dir2_fh_len(event);
148 info_len += fanotify_fid_info_len(dir_fh_len,
151 info_len += fanotify_fid_info_len(dir2_fh_len,
157 static size_t fanotify_event_len(unsigned int info_mode,
158 struct fanotify_event *event)
160 size_t event_len = FAN_EVENT_METADATA_LEN;
161 struct fanotify_info *info;
168 if (fanotify_is_error_event(event->mask))
169 event_len += FANOTIFY_ERROR_INFO_LEN;
171 info = fanotify_event_info(event);
173 if (fanotify_event_has_any_dir_fh(event)) {
174 event_len += fanotify_dir_name_info_len(event);
175 } else if ((info_mode & FAN_REPORT_NAME) &&
176 (event->mask & FAN_ONDIR)) {
178 * With group flag FAN_REPORT_NAME, if name was not recorded in
179 * event on a directory, we will report the name ".".
184 if (info_mode & FAN_REPORT_PIDFD)
185 event_len += FANOTIFY_PIDFD_INFO_HDR_LEN;
187 if (fanotify_event_has_object_fh(event)) {
188 fh_len = fanotify_event_object_fh_len(event);
189 event_len += fanotify_fid_info_len(fh_len, dot_len);
196 * Remove an hashed event from merge hash table.
198 static void fanotify_unhash_event(struct fsnotify_group *group,
199 struct fanotify_event *event)
201 assert_spin_locked(&group->notification_lock);
203 pr_debug("%s: group=%p event=%p bucket=%u\n", __func__,
204 group, event, fanotify_event_hash_bucket(group, event));
206 if (WARN_ON_ONCE(hlist_unhashed(&event->merge_list)))
209 hlist_del_init(&event->merge_list);
213 * Get an fanotify notification event if one exists and is small
214 * enough to fit in "count". Return an error pointer if the count
215 * is not large enough. When permission event is dequeued, its state is
216 * updated accordingly.
218 static struct fanotify_event *get_one_event(struct fsnotify_group *group,
222 struct fanotify_event *event = NULL;
223 struct fsnotify_event *fsn_event;
224 unsigned int info_mode = FAN_GROUP_FLAG(group, FANOTIFY_INFO_MODES);
226 pr_debug("%s: group=%p count=%zd\n", __func__, group, count);
228 spin_lock(&group->notification_lock);
229 fsn_event = fsnotify_peek_first_event(group);
233 event = FANOTIFY_E(fsn_event);
234 event_size = fanotify_event_len(info_mode, event);
236 if (event_size > count) {
237 event = ERR_PTR(-EINVAL);
242 * Held the notification_lock the whole time, so this is the
243 * same event we peeked above.
245 fsnotify_remove_first_event(group);
246 if (fanotify_is_perm_event(event->mask))
247 FANOTIFY_PERM(event)->state = FAN_EVENT_REPORTED;
248 if (fanotify_is_hashed_event(event->mask))
249 fanotify_unhash_event(group, event);
251 spin_unlock(&group->notification_lock);
255 static int create_fd(struct fsnotify_group *group, struct path *path,
259 struct file *new_file;
261 client_fd = get_unused_fd_flags(group->fanotify_data.f_flags);
266 * we need a new file handle for the userspace program so it can read even if it was
267 * originally opened O_WRONLY.
269 new_file = dentry_open(path,
270 group->fanotify_data.f_flags | FMODE_NONOTIFY,
272 if (IS_ERR(new_file)) {
274 * we still send an event even if we can't open the file. this
275 * can happen when say tasks are gone and we try to open their
276 * /proc files or we try to open a WRONLY file like in sysfs
277 * we just send the errno to userspace since there isn't much
280 put_unused_fd(client_fd);
281 client_fd = PTR_ERR(new_file);
290 * Finish processing of permission event by setting it to ANSWERED state and
291 * drop group->notification_lock.
293 static void finish_permission_event(struct fsnotify_group *group,
294 struct fanotify_perm_event *event,
295 unsigned int response)
296 __releases(&group->notification_lock)
298 bool destroy = false;
300 assert_spin_locked(&group->notification_lock);
301 event->response = response;
302 if (event->state == FAN_EVENT_CANCELED)
305 event->state = FAN_EVENT_ANSWERED;
306 spin_unlock(&group->notification_lock);
308 fsnotify_destroy_event(group, &event->fae.fse);
311 static int process_access_response(struct fsnotify_group *group,
312 struct fanotify_response *response_struct)
314 struct fanotify_perm_event *event;
315 int fd = response_struct->fd;
316 int response = response_struct->response;
318 pr_debug("%s: group=%p fd=%d response=%d\n", __func__, group,
321 * make sure the response is valid, if invalid we do nothing and either
322 * userspace can send a valid response or we will clean it up after the
325 switch (response & ~FAN_AUDIT) {
336 if ((response & FAN_AUDIT) && !FAN_GROUP_FLAG(group, FAN_ENABLE_AUDIT))
339 spin_lock(&group->notification_lock);
340 list_for_each_entry(event, &group->fanotify_data.access_list,
345 list_del_init(&event->fae.fse.list);
346 finish_permission_event(group, event, response);
347 wake_up(&group->fanotify_data.access_waitq);
350 spin_unlock(&group->notification_lock);
355 static size_t copy_error_info_to_user(struct fanotify_event *event,
356 char __user *buf, int count)
358 struct fanotify_event_info_error info = { };
359 struct fanotify_error_event *fee = FANOTIFY_EE(event);
361 info.hdr.info_type = FAN_EVENT_INFO_TYPE_ERROR;
362 info.hdr.len = FANOTIFY_ERROR_INFO_LEN;
364 if (WARN_ON(count < info.hdr.len))
367 info.error = fee->error;
368 info.error_count = fee->err_count;
370 if (copy_to_user(buf, &info, sizeof(info)))
376 static int copy_fid_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh,
377 int info_type, const char *name,
379 char __user *buf, size_t count)
381 struct fanotify_event_info_fid info = { };
382 struct file_handle handle = { };
383 unsigned char bounce[FANOTIFY_INLINE_FH_LEN], *fh_buf;
384 size_t fh_len = fh ? fh->len : 0;
385 size_t info_len = fanotify_fid_info_len(fh_len, name_len);
386 size_t len = info_len;
388 pr_debug("%s: fh_len=%zu name_len=%zu, info_len=%zu, count=%zu\n",
389 __func__, fh_len, name_len, info_len, count);
391 if (WARN_ON_ONCE(len < sizeof(info) || len > count))
395 * Copy event info fid header followed by variable sized file handle
396 * and optionally followed by variable sized filename.
399 case FAN_EVENT_INFO_TYPE_FID:
400 case FAN_EVENT_INFO_TYPE_DFID:
401 if (WARN_ON_ONCE(name_len))
404 case FAN_EVENT_INFO_TYPE_DFID_NAME:
405 case FAN_EVENT_INFO_TYPE_OLD_DFID_NAME:
406 case FAN_EVENT_INFO_TYPE_NEW_DFID_NAME:
407 if (WARN_ON_ONCE(!name || !name_len))
414 info.hdr.info_type = info_type;
417 if (copy_to_user(buf, &info, sizeof(info)))
422 if (WARN_ON_ONCE(len < sizeof(handle)))
425 handle.handle_type = fh->type;
426 handle.handle_bytes = fh_len;
428 /* Mangle handle_type for bad file_handle */
430 handle.handle_type = FILEID_INVALID;
432 if (copy_to_user(buf, &handle, sizeof(handle)))
435 buf += sizeof(handle);
436 len -= sizeof(handle);
437 if (WARN_ON_ONCE(len < fh_len))
441 * For an inline fh and inline file name, copy through stack to exclude
442 * the copy from usercopy hardening protections.
444 fh_buf = fanotify_fh_buf(fh);
445 if (fh_len <= FANOTIFY_INLINE_FH_LEN) {
446 memcpy(bounce, fh_buf, fh_len);
449 if (copy_to_user(buf, fh_buf, fh_len))
456 /* Copy the filename with terminating null */
458 if (WARN_ON_ONCE(len < name_len))
461 if (copy_to_user(buf, name, name_len))
469 WARN_ON_ONCE(len < 0 || len >= FANOTIFY_EVENT_ALIGN);
470 if (len > 0 && clear_user(buf, len))
476 static int copy_pidfd_info_to_user(int pidfd,
480 struct fanotify_event_info_pidfd info = { };
481 size_t info_len = FANOTIFY_PIDFD_INFO_HDR_LEN;
483 if (WARN_ON_ONCE(info_len > count))
486 info.hdr.info_type = FAN_EVENT_INFO_TYPE_PIDFD;
487 info.hdr.len = info_len;
490 if (copy_to_user(buf, &info, info_len))
496 static int copy_info_records_to_user(struct fanotify_event *event,
497 struct fanotify_info *info,
498 unsigned int info_mode, int pidfd,
499 char __user *buf, size_t count)
501 int ret, total_bytes = 0, info_type = 0;
502 unsigned int fid_mode = info_mode & FANOTIFY_FID_BITS;
503 unsigned int pidfd_mode = info_mode & FAN_REPORT_PIDFD;
506 * Event info records order is as follows:
508 * 2. (optional) new dir fid + new name
509 * 3. (optional) child fid
511 if (fanotify_event_has_dir_fh(event)) {
512 info_type = info->name_len ? FAN_EVENT_INFO_TYPE_DFID_NAME :
513 FAN_EVENT_INFO_TYPE_DFID;
515 /* FAN_RENAME uses special info types */
516 if (event->mask & FAN_RENAME)
517 info_type = FAN_EVENT_INFO_TYPE_OLD_DFID_NAME;
519 ret = copy_fid_info_to_user(fanotify_event_fsid(event),
520 fanotify_info_dir_fh(info),
522 fanotify_info_name(info),
523 info->name_len, buf, count);
532 /* New dir fid+name may be reported in addition to old dir fid+name */
533 if (fanotify_event_has_dir2_fh(event)) {
534 info_type = FAN_EVENT_INFO_TYPE_NEW_DFID_NAME;
535 ret = copy_fid_info_to_user(fanotify_event_fsid(event),
536 fanotify_info_dir2_fh(info),
538 fanotify_info_name2(info),
539 info->name2_len, buf, count);
548 if (fanotify_event_has_object_fh(event)) {
549 const char *dot = NULL;
552 if (fid_mode == FAN_REPORT_FID || info_type) {
554 * With only group flag FAN_REPORT_FID only type FID is
555 * reported. Second info record type is always FID.
557 info_type = FAN_EVENT_INFO_TYPE_FID;
558 } else if ((fid_mode & FAN_REPORT_NAME) &&
559 (event->mask & FAN_ONDIR)) {
561 * With group flag FAN_REPORT_NAME, if name was not
562 * recorded in an event on a directory, report the name
563 * "." with info type DFID_NAME.
565 info_type = FAN_EVENT_INFO_TYPE_DFID_NAME;
568 } else if ((event->mask & ALL_FSNOTIFY_DIRENT_EVENTS) ||
569 (event->mask & FAN_ONDIR)) {
571 * With group flag FAN_REPORT_DIR_FID, a single info
572 * record has type DFID for directory entry modification
573 * event and for event on a directory.
575 info_type = FAN_EVENT_INFO_TYPE_DFID;
578 * With group flags FAN_REPORT_DIR_FID|FAN_REPORT_FID,
579 * a single info record has type FID for event on a
580 * non-directory, when there is no directory to report.
581 * For example, on FAN_DELETE_SELF event.
583 info_type = FAN_EVENT_INFO_TYPE_FID;
586 ret = copy_fid_info_to_user(fanotify_event_fsid(event),
587 fanotify_event_object_fh(event),
588 info_type, dot, dot_len,
599 ret = copy_pidfd_info_to_user(pidfd, buf, count);
608 if (fanotify_is_error_event(event->mask)) {
609 ret = copy_error_info_to_user(event, buf, count);
620 static ssize_t copy_event_to_user(struct fsnotify_group *group,
621 struct fanotify_event *event,
622 char __user *buf, size_t count)
624 struct fanotify_event_metadata metadata;
625 struct path *path = fanotify_event_path(event);
626 struct fanotify_info *info = fanotify_event_info(event);
627 unsigned int info_mode = FAN_GROUP_FLAG(group, FANOTIFY_INFO_MODES);
628 unsigned int pidfd_mode = info_mode & FAN_REPORT_PIDFD;
629 struct file *f = NULL;
630 int ret, pidfd = FAN_NOPIDFD, fd = FAN_NOFD;
632 pr_debug("%s: group=%p event=%p\n", __func__, group, event);
634 metadata.event_len = fanotify_event_len(info_mode, event);
635 metadata.metadata_len = FAN_EVENT_METADATA_LEN;
636 metadata.vers = FANOTIFY_METADATA_VERSION;
637 metadata.reserved = 0;
638 metadata.mask = event->mask & FANOTIFY_OUTGOING_EVENTS;
639 metadata.pid = pid_vnr(event->pid);
641 * For an unprivileged listener, event->pid can be used to identify the
642 * events generated by the listener process itself, without disclosing
643 * the pids of other processes.
645 if (FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV) &&
646 task_tgid(current) != event->pid)
650 * For now, fid mode is required for an unprivileged listener and
651 * fid mode does not report fd in events. Keep this check anyway
652 * for safety in case fid mode requirement is relaxed in the future
653 * to allow unprivileged listener to get events with no fd and no fid.
655 if (!FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV) &&
656 path && path->mnt && path->dentry) {
657 fd = create_fd(group, path, &f);
665 * Complain if the FAN_REPORT_PIDFD and FAN_REPORT_TID mutual
666 * exclusion is ever lifted. At the time of incoporating pidfd
667 * support within fanotify, the pidfd API only supported the
668 * creation of pidfds for thread-group leaders.
670 WARN_ON_ONCE(FAN_GROUP_FLAG(group, FAN_REPORT_TID));
673 * The PIDTYPE_TGID check for an event->pid is performed
674 * preemptively in an attempt to catch out cases where the event
675 * listener reads events after the event generating process has
676 * already terminated. Report FAN_NOPIDFD to the event listener
677 * in those cases, with all other pidfd creation errors being
678 * reported as FAN_EPIDFD.
680 if (metadata.pid == 0 ||
681 !pid_has_task(event->pid, PIDTYPE_TGID)) {
684 pidfd = pidfd_create(event->pid, 0);
692 * Sanity check copy size in case get_one_event() and
693 * event_len sizes ever get out of sync.
695 if (WARN_ON_ONCE(metadata.event_len > count))
698 if (copy_to_user(buf, &metadata, FAN_EVENT_METADATA_LEN))
701 buf += FAN_EVENT_METADATA_LEN;
702 count -= FAN_EVENT_METADATA_LEN;
704 if (fanotify_is_perm_event(event->mask))
705 FANOTIFY_PERM(event)->fd = fd;
711 ret = copy_info_records_to_user(event, info, info_mode, pidfd,
717 return metadata.event_len;
720 if (fd != FAN_NOFD) {
731 /* intofiy userspace file descriptor functions */
732 static __poll_t fanotify_poll(struct file *file, poll_table *wait)
734 struct fsnotify_group *group = file->private_data;
737 poll_wait(file, &group->notification_waitq, wait);
738 spin_lock(&group->notification_lock);
739 if (!fsnotify_notify_queue_is_empty(group))
740 ret = EPOLLIN | EPOLLRDNORM;
741 spin_unlock(&group->notification_lock);
746 static ssize_t fanotify_read(struct file *file, char __user *buf,
747 size_t count, loff_t *pos)
749 struct fsnotify_group *group;
750 struct fanotify_event *event;
753 DEFINE_WAIT_FUNC(wait, woken_wake_function);
756 group = file->private_data;
758 pr_debug("%s: group=%p\n", __func__, group);
760 add_wait_queue(&group->notification_waitq, &wait);
763 * User can supply arbitrarily large buffer. Avoid softlockups
764 * in case there are lots of available events.
767 event = get_one_event(group, count);
769 ret = PTR_ERR(event);
775 if (file->f_flags & O_NONBLOCK)
779 if (signal_pending(current))
785 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
789 ret = copy_event_to_user(group, event, buf, count);
790 if (unlikely(ret == -EOPENSTALE)) {
792 * We cannot report events with stale fd so drop it.
793 * Setting ret to 0 will continue the event loop and
794 * do the right thing if there are no more events to
795 * read (i.e. return bytes read, -EAGAIN or wait).
801 * Permission events get queued to wait for response. Other
802 * events can be destroyed now.
804 if (!fanotify_is_perm_event(event->mask)) {
805 fsnotify_destroy_event(group, &event->fse);
808 spin_lock(&group->notification_lock);
809 finish_permission_event(group,
810 FANOTIFY_PERM(event), FAN_DENY);
811 wake_up(&group->fanotify_data.access_waitq);
813 spin_lock(&group->notification_lock);
814 list_add_tail(&event->fse.list,
815 &group->fanotify_data.access_list);
816 spin_unlock(&group->notification_lock);
824 remove_wait_queue(&group->notification_waitq, &wait);
826 if (start != buf && ret != -EFAULT)
831 static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
833 struct fanotify_response response = { .fd = -1, .response = -1 };
834 struct fsnotify_group *group;
837 if (!IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS))
840 group = file->private_data;
842 if (count < sizeof(response))
845 count = sizeof(response);
847 pr_debug("%s: group=%p count=%zu\n", __func__, group, count);
849 if (copy_from_user(&response, buf, count))
852 ret = process_access_response(group, &response);
859 static int fanotify_release(struct inode *ignored, struct file *file)
861 struct fsnotify_group *group = file->private_data;
862 struct fsnotify_event *fsn_event;
865 * Stop new events from arriving in the notification queue. since
866 * userspace cannot use fanotify fd anymore, no event can enter or
867 * leave access_list by now either.
869 fsnotify_group_stop_queueing(group);
872 * Process all permission events on access_list and notification queue
873 * and simulate reply from userspace.
875 spin_lock(&group->notification_lock);
876 while (!list_empty(&group->fanotify_data.access_list)) {
877 struct fanotify_perm_event *event;
879 event = list_first_entry(&group->fanotify_data.access_list,
880 struct fanotify_perm_event, fae.fse.list);
881 list_del_init(&event->fae.fse.list);
882 finish_permission_event(group, event, FAN_ALLOW);
883 spin_lock(&group->notification_lock);
887 * Destroy all non-permission events. For permission events just
888 * dequeue them and set the response. They will be freed once the
889 * response is consumed and fanotify_get_response() returns.
891 while ((fsn_event = fsnotify_remove_first_event(group))) {
892 struct fanotify_event *event = FANOTIFY_E(fsn_event);
894 if (!(event->mask & FANOTIFY_PERM_EVENTS)) {
895 spin_unlock(&group->notification_lock);
896 fsnotify_destroy_event(group, fsn_event);
898 finish_permission_event(group, FANOTIFY_PERM(event),
901 spin_lock(&group->notification_lock);
903 spin_unlock(&group->notification_lock);
905 /* Response for all permission events it set, wakeup waiters */
906 wake_up(&group->fanotify_data.access_waitq);
908 /* matches the fanotify_init->fsnotify_alloc_group */
909 fsnotify_destroy_group(group);
914 static long fanotify_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
916 struct fsnotify_group *group;
917 struct fsnotify_event *fsn_event;
922 group = file->private_data;
924 p = (void __user *) arg;
928 spin_lock(&group->notification_lock);
929 list_for_each_entry(fsn_event, &group->notification_list, list)
930 send_len += FAN_EVENT_METADATA_LEN;
931 spin_unlock(&group->notification_lock);
932 ret = put_user(send_len, (int __user *) p);
939 static const struct file_operations fanotify_fops = {
940 .show_fdinfo = fanotify_show_fdinfo,
941 .poll = fanotify_poll,
942 .read = fanotify_read,
943 .write = fanotify_write,
945 .release = fanotify_release,
946 .unlocked_ioctl = fanotify_ioctl,
947 .compat_ioctl = compat_ptr_ioctl,
948 .llseek = noop_llseek,
951 static int fanotify_find_path(int dfd, const char __user *filename,
952 struct path *path, unsigned int flags, __u64 mask,
953 unsigned int obj_type)
957 pr_debug("%s: dfd=%d filename=%p flags=%x\n", __func__,
958 dfd, filename, flags);
960 if (filename == NULL) {
961 struct fd f = fdget(dfd);
968 if ((flags & FAN_MARK_ONLYDIR) &&
969 !(S_ISDIR(file_inode(f.file)->i_mode))) {
974 *path = f.file->f_path;
978 unsigned int lookup_flags = 0;
980 if (!(flags & FAN_MARK_DONT_FOLLOW))
981 lookup_flags |= LOOKUP_FOLLOW;
982 if (flags & FAN_MARK_ONLYDIR)
983 lookup_flags |= LOOKUP_DIRECTORY;
985 ret = user_path_at(dfd, filename, lookup_flags, path);
990 /* you can only watch an inode if you have read permissions on it */
991 ret = path_permission(path, MAY_READ);
997 ret = security_path_notify(path, mask, obj_type);
1005 static __u32 fanotify_mark_remove_from_mask(struct fsnotify_mark *fsn_mark,
1006 __u32 mask, unsigned int flags,
1007 __u32 umask, int *destroy)
1011 /* umask bits cannot be removed by user */
1013 spin_lock(&fsn_mark->lock);
1014 if (!(flags & FAN_MARK_IGNORED_MASK)) {
1015 oldmask = fsn_mark->mask;
1016 fsn_mark->mask &= ~mask;
1018 fsn_mark->ignored_mask &= ~mask;
1021 * We need to keep the mark around even if remaining mask cannot
1022 * result in any events (e.g. mask == FAN_ONDIR) to support incremenal
1023 * changes to the mask.
1024 * Destroy mark when only umask bits remain.
1026 *destroy = !((fsn_mark->mask | fsn_mark->ignored_mask) & ~umask);
1027 spin_unlock(&fsn_mark->lock);
1029 return mask & oldmask;
1032 static int fanotify_remove_mark(struct fsnotify_group *group,
1033 fsnotify_connp_t *connp, __u32 mask,
1034 unsigned int flags, __u32 umask)
1036 struct fsnotify_mark *fsn_mark = NULL;
1040 mutex_lock(&group->mark_mutex);
1041 fsn_mark = fsnotify_find_mark(connp, group);
1043 mutex_unlock(&group->mark_mutex);
1047 removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
1048 umask, &destroy_mark);
1049 if (removed & fsnotify_conn_mask(fsn_mark->connector))
1050 fsnotify_recalc_mask(fsn_mark->connector);
1052 fsnotify_detach_mark(fsn_mark);
1053 mutex_unlock(&group->mark_mutex);
1055 fsnotify_free_mark(fsn_mark);
1057 /* matches the fsnotify_find_mark() */
1058 fsnotify_put_mark(fsn_mark);
1062 static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
1063 struct vfsmount *mnt, __u32 mask,
1064 unsigned int flags, __u32 umask)
1066 return fanotify_remove_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
1067 mask, flags, umask);
1070 static int fanotify_remove_sb_mark(struct fsnotify_group *group,
1071 struct super_block *sb, __u32 mask,
1072 unsigned int flags, __u32 umask)
1074 return fanotify_remove_mark(group, &sb->s_fsnotify_marks, mask,
1078 static int fanotify_remove_inode_mark(struct fsnotify_group *group,
1079 struct inode *inode, __u32 mask,
1080 unsigned int flags, __u32 umask)
1082 return fanotify_remove_mark(group, &inode->i_fsnotify_marks, mask,
1086 static __u32 fanotify_mark_add_to_mask(struct fsnotify_mark *fsn_mark,
1092 spin_lock(&fsn_mark->lock);
1093 if (!(flags & FAN_MARK_IGNORED_MASK)) {
1094 oldmask = fsn_mark->mask;
1095 fsn_mark->mask |= mask;
1097 fsn_mark->ignored_mask |= mask;
1098 if (flags & FAN_MARK_IGNORED_SURV_MODIFY)
1099 fsn_mark->flags |= FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY;
1101 spin_unlock(&fsn_mark->lock);
1103 return mask & ~oldmask;
1106 static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
1107 fsnotify_connp_t *connp,
1108 unsigned int obj_type,
1109 __kernel_fsid_t *fsid)
1111 struct ucounts *ucounts = group->fanotify_data.ucounts;
1112 struct fsnotify_mark *mark;
1116 * Enforce per user marks limits per user in all containing user ns.
1117 * A group with FAN_UNLIMITED_MARKS does not contribute to mark count
1118 * in the limited groups account.
1120 if (!FAN_GROUP_FLAG(group, FAN_UNLIMITED_MARKS) &&
1121 !inc_ucount(ucounts->ns, ucounts->uid, UCOUNT_FANOTIFY_MARKS))
1122 return ERR_PTR(-ENOSPC);
1124 mark = kmem_cache_alloc(fanotify_mark_cache, GFP_KERNEL);
1127 goto out_dec_ucounts;
1130 fsnotify_init_mark(mark, group);
1131 ret = fsnotify_add_mark_locked(mark, connp, obj_type, 0, fsid);
1133 fsnotify_put_mark(mark);
1134 goto out_dec_ucounts;
1140 if (!FAN_GROUP_FLAG(group, FAN_UNLIMITED_MARKS))
1141 dec_ucount(ucounts, UCOUNT_FANOTIFY_MARKS);
1142 return ERR_PTR(ret);
1145 static int fanotify_group_init_error_pool(struct fsnotify_group *group)
1147 if (mempool_initialized(&group->fanotify_data.error_events_pool))
1150 return mempool_init_kmalloc_pool(&group->fanotify_data.error_events_pool,
1151 FANOTIFY_DEFAULT_FEE_POOL_SIZE,
1152 sizeof(struct fanotify_error_event));
1155 static int fanotify_add_mark(struct fsnotify_group *group,
1156 fsnotify_connp_t *connp, unsigned int obj_type,
1157 __u32 mask, unsigned int flags,
1158 __kernel_fsid_t *fsid)
1160 struct fsnotify_mark *fsn_mark;
1164 mutex_lock(&group->mark_mutex);
1165 fsn_mark = fsnotify_find_mark(connp, group);
1167 fsn_mark = fanotify_add_new_mark(group, connp, obj_type, fsid);
1168 if (IS_ERR(fsn_mark)) {
1169 mutex_unlock(&group->mark_mutex);
1170 return PTR_ERR(fsn_mark);
1175 * Error events are pre-allocated per group, only if strictly
1176 * needed (i.e. FAN_FS_ERROR was requested).
1178 if (!(flags & FAN_MARK_IGNORED_MASK) && (mask & FAN_FS_ERROR)) {
1179 ret = fanotify_group_init_error_pool(group);
1184 added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
1185 if (added & ~fsnotify_conn_mask(fsn_mark->connector))
1186 fsnotify_recalc_mask(fsn_mark->connector);
1189 mutex_unlock(&group->mark_mutex);
1191 fsnotify_put_mark(fsn_mark);
1195 static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
1196 struct vfsmount *mnt, __u32 mask,
1197 unsigned int flags, __kernel_fsid_t *fsid)
1199 return fanotify_add_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
1200 FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid);
1203 static int fanotify_add_sb_mark(struct fsnotify_group *group,
1204 struct super_block *sb, __u32 mask,
1205 unsigned int flags, __kernel_fsid_t *fsid)
1207 return fanotify_add_mark(group, &sb->s_fsnotify_marks,
1208 FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid);
1211 static int fanotify_add_inode_mark(struct fsnotify_group *group,
1212 struct inode *inode, __u32 mask,
1213 unsigned int flags, __kernel_fsid_t *fsid)
1215 pr_debug("%s: group=%p inode=%p\n", __func__, group, inode);
1218 * If some other task has this inode open for write we should not add
1219 * an ignored mark, unless that ignored mark is supposed to survive
1220 * modification changes anyway.
1222 if ((flags & FAN_MARK_IGNORED_MASK) &&
1223 !(flags & FAN_MARK_IGNORED_SURV_MODIFY) &&
1224 inode_is_open_for_write(inode))
1227 return fanotify_add_mark(group, &inode->i_fsnotify_marks,
1228 FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid);
1231 static struct fsnotify_event *fanotify_alloc_overflow_event(void)
1233 struct fanotify_event *oevent;
1235 oevent = kmalloc(sizeof(*oevent), GFP_KERNEL_ACCOUNT);
1239 fanotify_init_event(oevent, 0, FS_Q_OVERFLOW);
1240 oevent->type = FANOTIFY_EVENT_TYPE_OVERFLOW;
1242 return &oevent->fse;
1245 static struct hlist_head *fanotify_alloc_merge_hash(void)
1247 struct hlist_head *hash;
1249 hash = kmalloc(sizeof(struct hlist_head) << FANOTIFY_HTABLE_BITS,
1250 GFP_KERNEL_ACCOUNT);
1254 __hash_init(hash, FANOTIFY_HTABLE_SIZE);
1259 /* fanotify syscalls */
1260 SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
1262 struct fsnotify_group *group;
1264 unsigned int fid_mode = flags & FANOTIFY_FID_BITS;
1265 unsigned int class = flags & FANOTIFY_CLASS_BITS;
1266 unsigned int internal_flags = 0;
1268 pr_debug("%s: flags=%x event_f_flags=%x\n",
1269 __func__, flags, event_f_flags);
1271 if (!capable(CAP_SYS_ADMIN)) {
1273 * An unprivileged user can setup an fanotify group with
1274 * limited functionality - an unprivileged group is limited to
1275 * notification events with file handles and it cannot use
1276 * unlimited queue/marks.
1278 if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) || !fid_mode)
1282 * Setting the internal flag FANOTIFY_UNPRIV on the group
1283 * prevents setting mount/filesystem marks on this group and
1284 * prevents reporting pid and open fd in events.
1286 internal_flags |= FANOTIFY_UNPRIV;
1289 #ifdef CONFIG_AUDITSYSCALL
1290 if (flags & ~(FANOTIFY_INIT_FLAGS | FAN_ENABLE_AUDIT))
1292 if (flags & ~FANOTIFY_INIT_FLAGS)
1297 * A pidfd can only be returned for a thread-group leader; thus
1298 * FAN_REPORT_PIDFD and FAN_REPORT_TID need to remain mutually
1301 if ((flags & FAN_REPORT_PIDFD) && (flags & FAN_REPORT_TID))
1304 if (event_f_flags & ~FANOTIFY_INIT_ALL_EVENT_F_BITS)
1307 switch (event_f_flags & O_ACCMODE) {
1316 if (fid_mode && class != FAN_CLASS_NOTIF)
1320 * Child name is reported with parent fid so requires dir fid.
1321 * We can report both child fid and dir fid with or without name.
1323 if ((fid_mode & FAN_REPORT_NAME) && !(fid_mode & FAN_REPORT_DIR_FID))
1327 * FAN_REPORT_TARGET_FID requires FAN_REPORT_NAME and FAN_REPORT_FID
1328 * and is used as an indication to report both dir and child fid on all
1331 if ((fid_mode & FAN_REPORT_TARGET_FID) &&
1332 (!(fid_mode & FAN_REPORT_NAME) || !(fid_mode & FAN_REPORT_FID)))
1335 f_flags = O_RDWR | FMODE_NONOTIFY;
1336 if (flags & FAN_CLOEXEC)
1337 f_flags |= O_CLOEXEC;
1338 if (flags & FAN_NONBLOCK)
1339 f_flags |= O_NONBLOCK;
1341 /* fsnotify_alloc_group takes a ref. Dropped in fanotify_release */
1342 group = fsnotify_alloc_user_group(&fanotify_fsnotify_ops);
1343 if (IS_ERR(group)) {
1344 return PTR_ERR(group);
1347 /* Enforce groups limits per user in all containing user ns */
1348 group->fanotify_data.ucounts = inc_ucount(current_user_ns(),
1350 UCOUNT_FANOTIFY_GROUPS);
1351 if (!group->fanotify_data.ucounts) {
1353 goto out_destroy_group;
1356 group->fanotify_data.flags = flags | internal_flags;
1357 group->memcg = get_mem_cgroup_from_mm(current->mm);
1359 group->fanotify_data.merge_hash = fanotify_alloc_merge_hash();
1360 if (!group->fanotify_data.merge_hash) {
1362 goto out_destroy_group;
1365 group->overflow_event = fanotify_alloc_overflow_event();
1366 if (unlikely(!group->overflow_event)) {
1368 goto out_destroy_group;
1371 if (force_o_largefile())
1372 event_f_flags |= O_LARGEFILE;
1373 group->fanotify_data.f_flags = event_f_flags;
1374 init_waitqueue_head(&group->fanotify_data.access_waitq);
1375 INIT_LIST_HEAD(&group->fanotify_data.access_list);
1377 case FAN_CLASS_NOTIF:
1378 group->priority = FS_PRIO_0;
1380 case FAN_CLASS_CONTENT:
1381 group->priority = FS_PRIO_1;
1383 case FAN_CLASS_PRE_CONTENT:
1384 group->priority = FS_PRIO_2;
1388 goto out_destroy_group;
1391 if (flags & FAN_UNLIMITED_QUEUE) {
1393 if (!capable(CAP_SYS_ADMIN))
1394 goto out_destroy_group;
1395 group->max_events = UINT_MAX;
1397 group->max_events = fanotify_max_queued_events;
1400 if (flags & FAN_UNLIMITED_MARKS) {
1402 if (!capable(CAP_SYS_ADMIN))
1403 goto out_destroy_group;
1406 if (flags & FAN_ENABLE_AUDIT) {
1408 if (!capable(CAP_AUDIT_WRITE))
1409 goto out_destroy_group;
1412 fd = anon_inode_getfd("[fanotify]", &fanotify_fops, group, f_flags);
1414 goto out_destroy_group;
1419 fsnotify_destroy_group(group);
1423 static int fanotify_test_fsid(struct dentry *dentry, __kernel_fsid_t *fsid)
1425 __kernel_fsid_t root_fsid;
1429 * Make sure dentry is not of a filesystem with zero fsid (e.g. fuse).
1431 err = vfs_get_fsid(dentry, fsid);
1435 if (!fsid->val[0] && !fsid->val[1])
1439 * Make sure dentry is not of a filesystem subvolume (e.g. btrfs)
1440 * which uses a different fsid than sb root.
1442 err = vfs_get_fsid(dentry->d_sb->s_root, &root_fsid);
1446 if (root_fsid.val[0] != fsid->val[0] ||
1447 root_fsid.val[1] != fsid->val[1])
1453 /* Check if filesystem can encode a unique fid */
1454 static int fanotify_test_fid(struct dentry *dentry)
1457 * We need to make sure that the file system supports at least
1458 * encoding a file handle so user can use name_to_handle_at() to
1459 * compare fid returned with event to the file handle of watched
1460 * objects. However, name_to_handle_at() requires that the
1461 * filesystem also supports decoding file handles.
1463 if (!dentry->d_sb->s_export_op ||
1464 !dentry->d_sb->s_export_op->fh_to_dentry)
1470 static int fanotify_events_supported(struct path *path, __u64 mask)
1473 * Some filesystems such as 'proc' acquire unusual locks when opening
1474 * files. For them fanotify permission events have high chances of
1475 * deadlocking the system - open done when reporting fanotify event
1476 * blocks on this "unusual" lock while another process holding the lock
1477 * waits for fanotify permission event to be answered. Just disallow
1478 * permission events for such filesystems.
1480 if (mask & FANOTIFY_PERM_EVENTS &&
1481 path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM)
1486 static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
1487 int dfd, const char __user *pathname)
1489 struct inode *inode = NULL;
1490 struct vfsmount *mnt = NULL;
1491 struct fsnotify_group *group;
1494 __kernel_fsid_t __fsid, *fsid = NULL;
1495 u32 valid_mask = FANOTIFY_EVENTS | FANOTIFY_EVENT_FLAGS;
1496 unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
1497 bool ignored = flags & FAN_MARK_IGNORED_MASK;
1498 unsigned int obj_type, fid_mode;
1502 pr_debug("%s: fanotify_fd=%d flags=%x dfd=%d pathname=%p mask=%llx\n",
1503 __func__, fanotify_fd, flags, dfd, pathname, mask);
1505 /* we only use the lower 32 bits as of right now. */
1506 if (upper_32_bits(mask))
1509 if (flags & ~FANOTIFY_MARK_FLAGS)
1512 switch (mark_type) {
1513 case FAN_MARK_INODE:
1514 obj_type = FSNOTIFY_OBJ_TYPE_INODE;
1516 case FAN_MARK_MOUNT:
1517 obj_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT;
1519 case FAN_MARK_FILESYSTEM:
1520 obj_type = FSNOTIFY_OBJ_TYPE_SB;
1526 switch (flags & (FAN_MARK_ADD | FAN_MARK_REMOVE | FAN_MARK_FLUSH)) {
1528 case FAN_MARK_REMOVE:
1532 case FAN_MARK_FLUSH:
1533 if (flags & ~(FANOTIFY_MARK_TYPE_BITS | FAN_MARK_FLUSH))
1540 if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS))
1541 valid_mask |= FANOTIFY_PERM_EVENTS;
1543 if (mask & ~valid_mask)
1546 /* Event flags (ONDIR, ON_CHILD) are meaningless in ignored mask */
1548 mask &= ~FANOTIFY_EVENT_FLAGS;
1550 f = fdget(fanotify_fd);
1551 if (unlikely(!f.file))
1554 /* verify that this is indeed an fanotify instance */
1556 if (unlikely(f.file->f_op != &fanotify_fops))
1558 group = f.file->private_data;
1561 * An unprivileged user is not allowed to setup mount nor filesystem
1562 * marks. This also includes setting up such marks by a group that
1563 * was initialized by an unprivileged user.
1566 if ((!capable(CAP_SYS_ADMIN) ||
1567 FAN_GROUP_FLAG(group, FANOTIFY_UNPRIV)) &&
1568 mark_type != FAN_MARK_INODE)
1572 * group->priority == FS_PRIO_0 == FAN_CLASS_NOTIF. These are not
1573 * allowed to set permissions events.
1576 if (mask & FANOTIFY_PERM_EVENTS &&
1577 group->priority == FS_PRIO_0)
1580 if (mask & FAN_FS_ERROR &&
1581 mark_type != FAN_MARK_FILESYSTEM)
1585 * Events that do not carry enough information to report
1586 * event->fd require a group that supports reporting fid. Those
1587 * events are not supported on a mount mark, because they do not
1588 * carry enough information (i.e. path) to be filtered by mount
1591 fid_mode = FAN_GROUP_FLAG(group, FANOTIFY_FID_BITS);
1592 if (mask & ~(FANOTIFY_FD_EVENTS|FANOTIFY_EVENT_FLAGS) &&
1593 (!fid_mode || mark_type == FAN_MARK_MOUNT))
1597 * FAN_RENAME uses special info type records to report the old and
1598 * new parent+name. Reporting only old and new parent id is less
1599 * useful and was not implemented.
1601 if (mask & FAN_RENAME && !(fid_mode & FAN_REPORT_NAME))
1604 if (flags & FAN_MARK_FLUSH) {
1606 if (mark_type == FAN_MARK_MOUNT)
1607 fsnotify_clear_vfsmount_marks_by_group(group);
1608 else if (mark_type == FAN_MARK_FILESYSTEM)
1609 fsnotify_clear_sb_marks_by_group(group);
1611 fsnotify_clear_inode_marks_by_group(group);
1615 ret = fanotify_find_path(dfd, pathname, &path, flags,
1616 (mask & ALL_FSNOTIFY_EVENTS), obj_type);
1620 if (flags & FAN_MARK_ADD) {
1621 ret = fanotify_events_supported(&path, mask);
1623 goto path_put_and_out;
1627 ret = fanotify_test_fsid(path.dentry, &__fsid);
1629 goto path_put_and_out;
1631 ret = fanotify_test_fid(path.dentry);
1633 goto path_put_and_out;
1638 /* inode held in place by reference to path; group by fget on fd */
1639 if (mark_type == FAN_MARK_INODE)
1640 inode = path.dentry->d_inode;
1644 /* Mask out FAN_EVENT_ON_CHILD flag for sb/mount/non-dir marks */
1645 if (mnt || !S_ISDIR(inode->i_mode)) {
1646 mask &= ~FAN_EVENT_ON_CHILD;
1647 umask = FAN_EVENT_ON_CHILD;
1649 * If group needs to report parent fid, register for getting
1650 * events with parent/name info for non-directory.
1652 if ((fid_mode & FAN_REPORT_DIR_FID) &&
1653 (flags & FAN_MARK_ADD) && !ignored)
1654 mask |= FAN_EVENT_ON_CHILD;
1657 /* create/update an inode mark */
1658 switch (flags & (FAN_MARK_ADD | FAN_MARK_REMOVE)) {
1660 if (mark_type == FAN_MARK_MOUNT)
1661 ret = fanotify_add_vfsmount_mark(group, mnt, mask,
1663 else if (mark_type == FAN_MARK_FILESYSTEM)
1664 ret = fanotify_add_sb_mark(group, mnt->mnt_sb, mask,
1667 ret = fanotify_add_inode_mark(group, inode, mask,
1670 case FAN_MARK_REMOVE:
1671 if (mark_type == FAN_MARK_MOUNT)
1672 ret = fanotify_remove_vfsmount_mark(group, mnt, mask,
1674 else if (mark_type == FAN_MARK_FILESYSTEM)
1675 ret = fanotify_remove_sb_mark(group, mnt->mnt_sb, mask,
1678 ret = fanotify_remove_inode_mark(group, inode, mask,
1692 #ifndef CONFIG_ARCH_SPLIT_ARG64
1693 SYSCALL_DEFINE5(fanotify_mark, int, fanotify_fd, unsigned int, flags,
1694 __u64, mask, int, dfd,
1695 const char __user *, pathname)
1697 return do_fanotify_mark(fanotify_fd, flags, mask, dfd, pathname);
1701 #if defined(CONFIG_ARCH_SPLIT_ARG64) || defined(CONFIG_COMPAT)
1702 SYSCALL32_DEFINE6(fanotify_mark,
1703 int, fanotify_fd, unsigned int, flags,
1704 SC_ARG64(mask), int, dfd,
1705 const char __user *, pathname)
1707 return do_fanotify_mark(fanotify_fd, flags, SC_VAL64(__u64, mask),
1713 * fanotify_user_setup - Our initialization function. Note that we cannot return
1714 * error because we have compiled-in VFS hooks. So an (unlikely) failure here
1715 * must result in panic().
1717 static int __init fanotify_user_setup(void)
1724 * Allow up to 1% of addressable memory to be accounted for per user
1725 * marks limited to the range [8192, 1048576]. mount and sb marks are
1726 * a lot cheaper than inode marks, but there is no reason for a user
1727 * to have many of those, so calculate by the cost of inode marks.
1729 max_marks = (((si.totalram - si.totalhigh) / 100) << PAGE_SHIFT) /
1731 max_marks = clamp(max_marks, FANOTIFY_OLD_DEFAULT_MAX_MARKS,
1732 FANOTIFY_DEFAULT_MAX_USER_MARKS);
1734 BUILD_BUG_ON(FANOTIFY_INIT_FLAGS & FANOTIFY_INTERNAL_GROUP_FLAGS);
1735 BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 12);
1736 BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
1738 fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
1739 SLAB_PANIC|SLAB_ACCOUNT);
1740 fanotify_fid_event_cachep = KMEM_CACHE(fanotify_fid_event,
1742 fanotify_path_event_cachep = KMEM_CACHE(fanotify_path_event,
1744 if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS)) {
1745 fanotify_perm_event_cachep =
1746 KMEM_CACHE(fanotify_perm_event, SLAB_PANIC);
1749 fanotify_max_queued_events = FANOTIFY_DEFAULT_MAX_EVENTS;
1750 init_user_ns.ucount_max[UCOUNT_FANOTIFY_GROUPS] =
1751 FANOTIFY_DEFAULT_MAX_GROUPS;
1752 init_user_ns.ucount_max[UCOUNT_FANOTIFY_MARKS] = max_marks;
1753 fanotify_sysctls_init();
1757 device_initcall(fanotify_user_setup);