1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/fanotify.h>
3 #include <linux/fcntl.h>
4 #include <linux/file.h>
6 #include <linux/anon_inodes.h>
7 #include <linux/fsnotify_backend.h>
8 #include <linux/init.h>
9 #include <linux/mount.h>
10 #include <linux/namei.h>
11 #include <linux/poll.h>
12 #include <linux/security.h>
13 #include <linux/syscalls.h>
14 #include <linux/slab.h>
15 #include <linux/types.h>
16 #include <linux/uaccess.h>
17 #include <linux/compat.h>
18 #include <linux/sched/signal.h>
19 #include <linux/memcontrol.h>
20 #include <linux/statfs.h>
21 #include <linux/exportfs.h>
23 #include <asm/ioctls.h>
25 #include "../../mount.h"
26 #include "../fdinfo.h"
29 #define FANOTIFY_DEFAULT_MAX_EVENTS 16384
30 #define FANOTIFY_DEFAULT_MAX_MARKS 8192
31 #define FANOTIFY_DEFAULT_MAX_LISTENERS 128
34 * All flags that may be specified in parameter event_f_flags of fanotify_init.
36 * Internal and external open flags are stored together in field f_flags of
37 * struct file. Only external open flags shall be allowed in event_f_flags.
38 * Internal flags like FMODE_NONOTIFY, FMODE_EXEC, FMODE_NOCMTIME shall be
41 #define FANOTIFY_INIT_ALL_EVENT_F_BITS ( \
42 O_ACCMODE | O_APPEND | O_NONBLOCK | \
43 __O_SYNC | O_DSYNC | O_CLOEXEC | \
44 O_LARGEFILE | O_NOATIME )
46 extern const struct fsnotify_ops fanotify_fsnotify_ops;
48 struct kmem_cache *fanotify_mark_cache __read_mostly;
49 struct kmem_cache *fanotify_fid_event_cachep __read_mostly;
50 struct kmem_cache *fanotify_path_event_cachep __read_mostly;
51 struct kmem_cache *fanotify_perm_event_cachep __read_mostly;
53 #define FANOTIFY_EVENT_ALIGN 4
54 #define FANOTIFY_INFO_HDR_LEN \
55 (sizeof(struct fanotify_event_info_fid) + sizeof(struct file_handle))
57 static int fanotify_fid_info_len(int fh_len, int name_len)
59 int info_len = fh_len;
62 info_len += name_len + 1;
64 return roundup(FANOTIFY_INFO_HDR_LEN + info_len, FANOTIFY_EVENT_ALIGN);
67 static int fanotify_event_info_len(unsigned int fid_mode,
68 struct fanotify_event *event)
70 struct fanotify_info *info = fanotify_event_info(event);
71 int dir_fh_len = fanotify_event_dir_fh_len(event);
72 int fh_len = fanotify_event_object_fh_len(event);
77 info_len += fanotify_fid_info_len(dir_fh_len, info->name_len);
78 } else if ((fid_mode & FAN_REPORT_NAME) && (event->mask & FAN_ONDIR)) {
80 * With group flag FAN_REPORT_NAME, if name was not recorded in
81 * event on a directory, we will report the name ".".
87 info_len += fanotify_fid_info_len(fh_len, dot_len);
93 * Remove an hashed event from merge hash table.
95 static void fanotify_unhash_event(struct fsnotify_group *group,
96 struct fanotify_event *event)
98 assert_spin_locked(&group->notification_lock);
100 pr_debug("%s: group=%p event=%p bucket=%u\n", __func__,
101 group, event, fanotify_event_hash_bucket(group, event));
103 if (WARN_ON_ONCE(hlist_unhashed(&event->merge_list)))
106 hlist_del_init(&event->merge_list);
110 * Get an fanotify notification event if one exists and is small
111 * enough to fit in "count". Return an error pointer if the count
112 * is not large enough. When permission event is dequeued, its state is
113 * updated accordingly.
115 static struct fanotify_event *get_one_event(struct fsnotify_group *group,
118 size_t event_size = FAN_EVENT_METADATA_LEN;
119 struct fanotify_event *event = NULL;
120 struct fsnotify_event *fsn_event;
121 unsigned int fid_mode = FAN_GROUP_FLAG(group, FANOTIFY_FID_BITS);
123 pr_debug("%s: group=%p count=%zd\n", __func__, group, count);
125 spin_lock(&group->notification_lock);
126 fsn_event = fsnotify_peek_first_event(group);
130 event = FANOTIFY_E(fsn_event);
132 event_size += fanotify_event_info_len(fid_mode, event);
134 if (event_size > count) {
135 event = ERR_PTR(-EINVAL);
140 * Held the notification_lock the whole time, so this is the
141 * same event we peeked above.
143 fsnotify_remove_first_event(group);
144 if (fanotify_is_perm_event(event->mask))
145 FANOTIFY_PERM(event)->state = FAN_EVENT_REPORTED;
146 if (fanotify_is_hashed_event(event->mask))
147 fanotify_unhash_event(group, event);
149 spin_unlock(&group->notification_lock);
153 static int create_fd(struct fsnotify_group *group, struct path *path,
157 struct file *new_file;
159 client_fd = get_unused_fd_flags(group->fanotify_data.f_flags);
164 * we need a new file handle for the userspace program so it can read even if it was
165 * originally opened O_WRONLY.
167 new_file = dentry_open(path,
168 group->fanotify_data.f_flags | FMODE_NONOTIFY,
170 if (IS_ERR(new_file)) {
172 * we still send an event even if we can't open the file. this
173 * can happen when say tasks are gone and we try to open their
174 * /proc files or we try to open a WRONLY file like in sysfs
175 * we just send the errno to userspace since there isn't much
178 put_unused_fd(client_fd);
179 client_fd = PTR_ERR(new_file);
188 * Finish processing of permission event by setting it to ANSWERED state and
189 * drop group->notification_lock.
191 static void finish_permission_event(struct fsnotify_group *group,
192 struct fanotify_perm_event *event,
193 unsigned int response)
194 __releases(&group->notification_lock)
196 bool destroy = false;
198 assert_spin_locked(&group->notification_lock);
199 event->response = response;
200 if (event->state == FAN_EVENT_CANCELED)
203 event->state = FAN_EVENT_ANSWERED;
204 spin_unlock(&group->notification_lock);
206 fsnotify_destroy_event(group, &event->fae.fse);
209 static int process_access_response(struct fsnotify_group *group,
210 struct fanotify_response *response_struct)
212 struct fanotify_perm_event *event;
213 int fd = response_struct->fd;
214 int response = response_struct->response;
216 pr_debug("%s: group=%p fd=%d response=%d\n", __func__, group,
219 * make sure the response is valid, if invalid we do nothing and either
220 * userspace can send a valid response or we will clean it up after the
223 switch (response & ~FAN_AUDIT) {
234 if ((response & FAN_AUDIT) && !FAN_GROUP_FLAG(group, FAN_ENABLE_AUDIT))
237 spin_lock(&group->notification_lock);
238 list_for_each_entry(event, &group->fanotify_data.access_list,
243 list_del_init(&event->fae.fse.list);
244 finish_permission_event(group, event, response);
245 wake_up(&group->fanotify_data.access_waitq);
248 spin_unlock(&group->notification_lock);
253 static int copy_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh,
254 int info_type, const char *name, size_t name_len,
255 char __user *buf, size_t count)
257 struct fanotify_event_info_fid info = { };
258 struct file_handle handle = { };
259 unsigned char bounce[FANOTIFY_INLINE_FH_LEN], *fh_buf;
260 size_t fh_len = fh ? fh->len : 0;
261 size_t info_len = fanotify_fid_info_len(fh_len, name_len);
262 size_t len = info_len;
264 pr_debug("%s: fh_len=%zu name_len=%zu, info_len=%zu, count=%zu\n",
265 __func__, fh_len, name_len, info_len, count);
270 if (WARN_ON_ONCE(len < sizeof(info) || len > count))
274 * Copy event info fid header followed by variable sized file handle
275 * and optionally followed by variable sized filename.
278 case FAN_EVENT_INFO_TYPE_FID:
279 case FAN_EVENT_INFO_TYPE_DFID:
280 if (WARN_ON_ONCE(name_len))
283 case FAN_EVENT_INFO_TYPE_DFID_NAME:
284 if (WARN_ON_ONCE(!name || !name_len))
291 info.hdr.info_type = info_type;
294 if (copy_to_user(buf, &info, sizeof(info)))
299 if (WARN_ON_ONCE(len < sizeof(handle)))
302 handle.handle_type = fh->type;
303 handle.handle_bytes = fh_len;
304 if (copy_to_user(buf, &handle, sizeof(handle)))
307 buf += sizeof(handle);
308 len -= sizeof(handle);
309 if (WARN_ON_ONCE(len < fh_len))
313 * For an inline fh and inline file name, copy through stack to exclude
314 * the copy from usercopy hardening protections.
316 fh_buf = fanotify_fh_buf(fh);
317 if (fh_len <= FANOTIFY_INLINE_FH_LEN) {
318 memcpy(bounce, fh_buf, fh_len);
321 if (copy_to_user(buf, fh_buf, fh_len))
328 /* Copy the filename with terminating null */
330 if (WARN_ON_ONCE(len < name_len))
333 if (copy_to_user(buf, name, name_len))
341 WARN_ON_ONCE(len < 0 || len >= FANOTIFY_EVENT_ALIGN);
342 if (len > 0 && clear_user(buf, len))
348 static ssize_t copy_event_to_user(struct fsnotify_group *group,
349 struct fanotify_event *event,
350 char __user *buf, size_t count)
352 struct fanotify_event_metadata metadata;
353 struct path *path = fanotify_event_path(event);
354 struct fanotify_info *info = fanotify_event_info(event);
355 unsigned int fid_mode = FAN_GROUP_FLAG(group, FANOTIFY_FID_BITS);
356 struct file *f = NULL;
357 int ret, fd = FAN_NOFD;
360 pr_debug("%s: group=%p event=%p\n", __func__, group, event);
362 metadata.event_len = FAN_EVENT_METADATA_LEN +
363 fanotify_event_info_len(fid_mode, event);
364 metadata.metadata_len = FAN_EVENT_METADATA_LEN;
365 metadata.vers = FANOTIFY_METADATA_VERSION;
366 metadata.reserved = 0;
367 metadata.mask = event->mask & FANOTIFY_OUTGOING_EVENTS;
368 metadata.pid = pid_vnr(event->pid);
370 if (path && path->mnt && path->dentry) {
371 fd = create_fd(group, path, &f);
379 * Sanity check copy size in case get_one_event() and
380 * event_len sizes ever get out of sync.
382 if (WARN_ON_ONCE(metadata.event_len > count))
385 if (copy_to_user(buf, &metadata, FAN_EVENT_METADATA_LEN))
388 buf += FAN_EVENT_METADATA_LEN;
389 count -= FAN_EVENT_METADATA_LEN;
391 if (fanotify_is_perm_event(event->mask))
392 FANOTIFY_PERM(event)->fd = fd;
397 /* Event info records order is: dir fid + name, child fid */
398 if (fanotify_event_dir_fh_len(event)) {
399 info_type = info->name_len ? FAN_EVENT_INFO_TYPE_DFID_NAME :
400 FAN_EVENT_INFO_TYPE_DFID;
401 ret = copy_info_to_user(fanotify_event_fsid(event),
402 fanotify_info_dir_fh(info),
403 info_type, fanotify_info_name(info),
404 info->name_len, buf, count);
412 if (fanotify_event_object_fh_len(event)) {
413 const char *dot = NULL;
416 if (fid_mode == FAN_REPORT_FID || info_type) {
418 * With only group flag FAN_REPORT_FID only type FID is
419 * reported. Second info record type is always FID.
421 info_type = FAN_EVENT_INFO_TYPE_FID;
422 } else if ((fid_mode & FAN_REPORT_NAME) &&
423 (event->mask & FAN_ONDIR)) {
425 * With group flag FAN_REPORT_NAME, if name was not
426 * recorded in an event on a directory, report the
427 * name "." with info type DFID_NAME.
429 info_type = FAN_EVENT_INFO_TYPE_DFID_NAME;
432 } else if ((event->mask & ALL_FSNOTIFY_DIRENT_EVENTS) ||
433 (event->mask & FAN_ONDIR)) {
435 * With group flag FAN_REPORT_DIR_FID, a single info
436 * record has type DFID for directory entry modification
437 * event and for event on a directory.
439 info_type = FAN_EVENT_INFO_TYPE_DFID;
442 * With group flags FAN_REPORT_DIR_FID|FAN_REPORT_FID,
443 * a single info record has type FID for event on a
444 * non-directory, when there is no directory to report.
445 * For example, on FAN_DELETE_SELF event.
447 info_type = FAN_EVENT_INFO_TYPE_FID;
450 ret = copy_info_to_user(fanotify_event_fsid(event),
451 fanotify_event_object_fh(event),
452 info_type, dot, dot_len, buf, count);
460 return metadata.event_len;
463 if (fd != FAN_NOFD) {
470 /* intofiy userspace file descriptor functions */
471 static __poll_t fanotify_poll(struct file *file, poll_table *wait)
473 struct fsnotify_group *group = file->private_data;
476 poll_wait(file, &group->notification_waitq, wait);
477 spin_lock(&group->notification_lock);
478 if (!fsnotify_notify_queue_is_empty(group))
479 ret = EPOLLIN | EPOLLRDNORM;
480 spin_unlock(&group->notification_lock);
485 static ssize_t fanotify_read(struct file *file, char __user *buf,
486 size_t count, loff_t *pos)
488 struct fsnotify_group *group;
489 struct fanotify_event *event;
492 DEFINE_WAIT_FUNC(wait, woken_wake_function);
495 group = file->private_data;
497 pr_debug("%s: group=%p\n", __func__, group);
499 add_wait_queue(&group->notification_waitq, &wait);
502 * User can supply arbitrarily large buffer. Avoid softlockups
503 * in case there are lots of available events.
506 event = get_one_event(group, count);
508 ret = PTR_ERR(event);
514 if (file->f_flags & O_NONBLOCK)
518 if (signal_pending(current))
524 wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
528 ret = copy_event_to_user(group, event, buf, count);
529 if (unlikely(ret == -EOPENSTALE)) {
531 * We cannot report events with stale fd so drop it.
532 * Setting ret to 0 will continue the event loop and
533 * do the right thing if there are no more events to
534 * read (i.e. return bytes read, -EAGAIN or wait).
540 * Permission events get queued to wait for response. Other
541 * events can be destroyed now.
543 if (!fanotify_is_perm_event(event->mask)) {
544 fsnotify_destroy_event(group, &event->fse);
547 spin_lock(&group->notification_lock);
548 finish_permission_event(group,
549 FANOTIFY_PERM(event), FAN_DENY);
550 wake_up(&group->fanotify_data.access_waitq);
552 spin_lock(&group->notification_lock);
553 list_add_tail(&event->fse.list,
554 &group->fanotify_data.access_list);
555 spin_unlock(&group->notification_lock);
563 remove_wait_queue(&group->notification_waitq, &wait);
565 if (start != buf && ret != -EFAULT)
570 static ssize_t fanotify_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
572 struct fanotify_response response = { .fd = -1, .response = -1 };
573 struct fsnotify_group *group;
576 if (!IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS))
579 group = file->private_data;
581 if (count < sizeof(response))
584 count = sizeof(response);
586 pr_debug("%s: group=%p count=%zu\n", __func__, group, count);
588 if (copy_from_user(&response, buf, count))
591 ret = process_access_response(group, &response);
598 static int fanotify_release(struct inode *ignored, struct file *file)
600 struct fsnotify_group *group = file->private_data;
601 struct fsnotify_event *fsn_event;
604 * Stop new events from arriving in the notification queue. since
605 * userspace cannot use fanotify fd anymore, no event can enter or
606 * leave access_list by now either.
608 fsnotify_group_stop_queueing(group);
611 * Process all permission events on access_list and notification queue
612 * and simulate reply from userspace.
614 spin_lock(&group->notification_lock);
615 while (!list_empty(&group->fanotify_data.access_list)) {
616 struct fanotify_perm_event *event;
618 event = list_first_entry(&group->fanotify_data.access_list,
619 struct fanotify_perm_event, fae.fse.list);
620 list_del_init(&event->fae.fse.list);
621 finish_permission_event(group, event, FAN_ALLOW);
622 spin_lock(&group->notification_lock);
626 * Destroy all non-permission events. For permission events just
627 * dequeue them and set the response. They will be freed once the
628 * response is consumed and fanotify_get_response() returns.
630 while ((fsn_event = fsnotify_remove_first_event(group))) {
631 struct fanotify_event *event = FANOTIFY_E(fsn_event);
633 if (!(event->mask & FANOTIFY_PERM_EVENTS)) {
634 spin_unlock(&group->notification_lock);
635 fsnotify_destroy_event(group, fsn_event);
637 finish_permission_event(group, FANOTIFY_PERM(event),
640 spin_lock(&group->notification_lock);
642 spin_unlock(&group->notification_lock);
644 /* Response for all permission events it set, wakeup waiters */
645 wake_up(&group->fanotify_data.access_waitq);
647 /* matches the fanotify_init->fsnotify_alloc_group */
648 fsnotify_destroy_group(group);
653 static long fanotify_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
655 struct fsnotify_group *group;
656 struct fsnotify_event *fsn_event;
661 group = file->private_data;
663 p = (void __user *) arg;
667 spin_lock(&group->notification_lock);
668 list_for_each_entry(fsn_event, &group->notification_list, list)
669 send_len += FAN_EVENT_METADATA_LEN;
670 spin_unlock(&group->notification_lock);
671 ret = put_user(send_len, (int __user *) p);
678 static const struct file_operations fanotify_fops = {
679 .show_fdinfo = fanotify_show_fdinfo,
680 .poll = fanotify_poll,
681 .read = fanotify_read,
682 .write = fanotify_write,
684 .release = fanotify_release,
685 .unlocked_ioctl = fanotify_ioctl,
686 .compat_ioctl = compat_ptr_ioctl,
687 .llseek = noop_llseek,
690 static int fanotify_find_path(int dfd, const char __user *filename,
691 struct path *path, unsigned int flags, __u64 mask,
692 unsigned int obj_type)
696 pr_debug("%s: dfd=%d filename=%p flags=%x\n", __func__,
697 dfd, filename, flags);
699 if (filename == NULL) {
700 struct fd f = fdget(dfd);
707 if ((flags & FAN_MARK_ONLYDIR) &&
708 !(S_ISDIR(file_inode(f.file)->i_mode))) {
713 *path = f.file->f_path;
717 unsigned int lookup_flags = 0;
719 if (!(flags & FAN_MARK_DONT_FOLLOW))
720 lookup_flags |= LOOKUP_FOLLOW;
721 if (flags & FAN_MARK_ONLYDIR)
722 lookup_flags |= LOOKUP_DIRECTORY;
724 ret = user_path_at(dfd, filename, lookup_flags, path);
729 /* you can only watch an inode if you have read permissions on it */
730 ret = path_permission(path, MAY_READ);
736 ret = security_path_notify(path, mask, obj_type);
744 static __u32 fanotify_mark_remove_from_mask(struct fsnotify_mark *fsn_mark,
745 __u32 mask, unsigned int flags,
746 __u32 umask, int *destroy)
750 /* umask bits cannot be removed by user */
752 spin_lock(&fsn_mark->lock);
753 if (!(flags & FAN_MARK_IGNORED_MASK)) {
754 oldmask = fsn_mark->mask;
755 fsn_mark->mask &= ~mask;
757 fsn_mark->ignored_mask &= ~mask;
760 * We need to keep the mark around even if remaining mask cannot
761 * result in any events (e.g. mask == FAN_ONDIR) to support incremenal
762 * changes to the mask.
763 * Destroy mark when only umask bits remain.
765 *destroy = !((fsn_mark->mask | fsn_mark->ignored_mask) & ~umask);
766 spin_unlock(&fsn_mark->lock);
768 return mask & oldmask;
771 static int fanotify_remove_mark(struct fsnotify_group *group,
772 fsnotify_connp_t *connp, __u32 mask,
773 unsigned int flags, __u32 umask)
775 struct fsnotify_mark *fsn_mark = NULL;
779 mutex_lock(&group->mark_mutex);
780 fsn_mark = fsnotify_find_mark(connp, group);
782 mutex_unlock(&group->mark_mutex);
786 removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
787 umask, &destroy_mark);
788 if (removed & fsnotify_conn_mask(fsn_mark->connector))
789 fsnotify_recalc_mask(fsn_mark->connector);
791 fsnotify_detach_mark(fsn_mark);
792 mutex_unlock(&group->mark_mutex);
794 fsnotify_free_mark(fsn_mark);
796 /* matches the fsnotify_find_mark() */
797 fsnotify_put_mark(fsn_mark);
801 static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
802 struct vfsmount *mnt, __u32 mask,
803 unsigned int flags, __u32 umask)
805 return fanotify_remove_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
809 static int fanotify_remove_sb_mark(struct fsnotify_group *group,
810 struct super_block *sb, __u32 mask,
811 unsigned int flags, __u32 umask)
813 return fanotify_remove_mark(group, &sb->s_fsnotify_marks, mask,
817 static int fanotify_remove_inode_mark(struct fsnotify_group *group,
818 struct inode *inode, __u32 mask,
819 unsigned int flags, __u32 umask)
821 return fanotify_remove_mark(group, &inode->i_fsnotify_marks, mask,
825 static __u32 fanotify_mark_add_to_mask(struct fsnotify_mark *fsn_mark,
831 spin_lock(&fsn_mark->lock);
832 if (!(flags & FAN_MARK_IGNORED_MASK)) {
833 oldmask = fsn_mark->mask;
834 fsn_mark->mask |= mask;
836 fsn_mark->ignored_mask |= mask;
837 if (flags & FAN_MARK_IGNORED_SURV_MODIFY)
838 fsn_mark->flags |= FSNOTIFY_MARK_FLAG_IGNORED_SURV_MODIFY;
840 spin_unlock(&fsn_mark->lock);
842 return mask & ~oldmask;
845 static struct fsnotify_mark *fanotify_add_new_mark(struct fsnotify_group *group,
846 fsnotify_connp_t *connp,
848 __kernel_fsid_t *fsid)
850 struct fsnotify_mark *mark;
853 if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
854 return ERR_PTR(-ENOSPC);
856 mark = kmem_cache_alloc(fanotify_mark_cache, GFP_KERNEL);
858 return ERR_PTR(-ENOMEM);
860 fsnotify_init_mark(mark, group);
861 ret = fsnotify_add_mark_locked(mark, connp, type, 0, fsid);
863 fsnotify_put_mark(mark);
871 static int fanotify_add_mark(struct fsnotify_group *group,
872 fsnotify_connp_t *connp, unsigned int type,
873 __u32 mask, unsigned int flags,
874 __kernel_fsid_t *fsid)
876 struct fsnotify_mark *fsn_mark;
879 mutex_lock(&group->mark_mutex);
880 fsn_mark = fsnotify_find_mark(connp, group);
882 fsn_mark = fanotify_add_new_mark(group, connp, type, fsid);
883 if (IS_ERR(fsn_mark)) {
884 mutex_unlock(&group->mark_mutex);
885 return PTR_ERR(fsn_mark);
888 added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
889 if (added & ~fsnotify_conn_mask(fsn_mark->connector))
890 fsnotify_recalc_mask(fsn_mark->connector);
891 mutex_unlock(&group->mark_mutex);
893 fsnotify_put_mark(fsn_mark);
897 static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
898 struct vfsmount *mnt, __u32 mask,
899 unsigned int flags, __kernel_fsid_t *fsid)
901 return fanotify_add_mark(group, &real_mount(mnt)->mnt_fsnotify_marks,
902 FSNOTIFY_OBJ_TYPE_VFSMOUNT, mask, flags, fsid);
905 static int fanotify_add_sb_mark(struct fsnotify_group *group,
906 struct super_block *sb, __u32 mask,
907 unsigned int flags, __kernel_fsid_t *fsid)
909 return fanotify_add_mark(group, &sb->s_fsnotify_marks,
910 FSNOTIFY_OBJ_TYPE_SB, mask, flags, fsid);
913 static int fanotify_add_inode_mark(struct fsnotify_group *group,
914 struct inode *inode, __u32 mask,
915 unsigned int flags, __kernel_fsid_t *fsid)
917 pr_debug("%s: group=%p inode=%p\n", __func__, group, inode);
920 * If some other task has this inode open for write we should not add
921 * an ignored mark, unless that ignored mark is supposed to survive
922 * modification changes anyway.
924 if ((flags & FAN_MARK_IGNORED_MASK) &&
925 !(flags & FAN_MARK_IGNORED_SURV_MODIFY) &&
926 inode_is_open_for_write(inode))
929 return fanotify_add_mark(group, &inode->i_fsnotify_marks,
930 FSNOTIFY_OBJ_TYPE_INODE, mask, flags, fsid);
933 static struct fsnotify_event *fanotify_alloc_overflow_event(void)
935 struct fanotify_event *oevent;
937 oevent = kmalloc(sizeof(*oevent), GFP_KERNEL_ACCOUNT);
941 fanotify_init_event(oevent, 0, FS_Q_OVERFLOW);
942 oevent->type = FANOTIFY_EVENT_TYPE_OVERFLOW;
947 static struct hlist_head *fanotify_alloc_merge_hash(void)
949 struct hlist_head *hash;
951 hash = kmalloc(sizeof(struct hlist_head) << FANOTIFY_HTABLE_BITS,
956 __hash_init(hash, FANOTIFY_HTABLE_SIZE);
961 /* fanotify syscalls */
962 SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
964 struct fsnotify_group *group;
966 struct user_struct *user;
967 unsigned int fid_mode = flags & FANOTIFY_FID_BITS;
968 unsigned int class = flags & FANOTIFY_CLASS_BITS;
970 pr_debug("%s: flags=%x event_f_flags=%x\n",
971 __func__, flags, event_f_flags);
973 if (!capable(CAP_SYS_ADMIN))
976 #ifdef CONFIG_AUDITSYSCALL
977 if (flags & ~(FANOTIFY_INIT_FLAGS | FAN_ENABLE_AUDIT))
979 if (flags & ~FANOTIFY_INIT_FLAGS)
983 if (event_f_flags & ~FANOTIFY_INIT_ALL_EVENT_F_BITS)
986 switch (event_f_flags & O_ACCMODE) {
995 if (fid_mode && class != FAN_CLASS_NOTIF)
999 * Child name is reported with parent fid so requires dir fid.
1000 * We can report both child fid and dir fid with or without name.
1002 if ((fid_mode & FAN_REPORT_NAME) && !(fid_mode & FAN_REPORT_DIR_FID))
1005 user = get_current_user();
1006 if (atomic_read(&user->fanotify_listeners) > FANOTIFY_DEFAULT_MAX_LISTENERS) {
1011 f_flags = O_RDWR | FMODE_NONOTIFY;
1012 if (flags & FAN_CLOEXEC)
1013 f_flags |= O_CLOEXEC;
1014 if (flags & FAN_NONBLOCK)
1015 f_flags |= O_NONBLOCK;
1017 /* fsnotify_alloc_group takes a ref. Dropped in fanotify_release */
1018 group = fsnotify_alloc_user_group(&fanotify_fsnotify_ops);
1019 if (IS_ERR(group)) {
1021 return PTR_ERR(group);
1024 group->fanotify_data.user = user;
1025 group->fanotify_data.flags = flags;
1026 atomic_inc(&user->fanotify_listeners);
1027 group->memcg = get_mem_cgroup_from_mm(current->mm);
1029 group->fanotify_data.merge_hash = fanotify_alloc_merge_hash();
1030 if (!group->fanotify_data.merge_hash) {
1032 goto out_destroy_group;
1035 group->overflow_event = fanotify_alloc_overflow_event();
1036 if (unlikely(!group->overflow_event)) {
1038 goto out_destroy_group;
1041 if (force_o_largefile())
1042 event_f_flags |= O_LARGEFILE;
1043 group->fanotify_data.f_flags = event_f_flags;
1044 init_waitqueue_head(&group->fanotify_data.access_waitq);
1045 INIT_LIST_HEAD(&group->fanotify_data.access_list);
1047 case FAN_CLASS_NOTIF:
1048 group->priority = FS_PRIO_0;
1050 case FAN_CLASS_CONTENT:
1051 group->priority = FS_PRIO_1;
1053 case FAN_CLASS_PRE_CONTENT:
1054 group->priority = FS_PRIO_2;
1058 goto out_destroy_group;
1061 if (flags & FAN_UNLIMITED_QUEUE) {
1063 if (!capable(CAP_SYS_ADMIN))
1064 goto out_destroy_group;
1065 group->max_events = UINT_MAX;
1067 group->max_events = FANOTIFY_DEFAULT_MAX_EVENTS;
1070 if (flags & FAN_UNLIMITED_MARKS) {
1072 if (!capable(CAP_SYS_ADMIN))
1073 goto out_destroy_group;
1074 group->fanotify_data.max_marks = UINT_MAX;
1076 group->fanotify_data.max_marks = FANOTIFY_DEFAULT_MAX_MARKS;
1079 if (flags & FAN_ENABLE_AUDIT) {
1081 if (!capable(CAP_AUDIT_WRITE))
1082 goto out_destroy_group;
1085 fd = anon_inode_getfd("[fanotify]", &fanotify_fops, group, f_flags);
1087 goto out_destroy_group;
1092 fsnotify_destroy_group(group);
1096 /* Check if filesystem can encode a unique fid */
1097 static int fanotify_test_fid(struct path *path, __kernel_fsid_t *fsid)
1099 __kernel_fsid_t root_fsid;
1103 * Make sure path is not in filesystem with zero fsid (e.g. tmpfs).
1105 err = vfs_get_fsid(path->dentry, fsid);
1109 if (!fsid->val[0] && !fsid->val[1])
1113 * Make sure path is not inside a filesystem subvolume (e.g. btrfs)
1114 * which uses a different fsid than sb root.
1116 err = vfs_get_fsid(path->dentry->d_sb->s_root, &root_fsid);
1120 if (root_fsid.val[0] != fsid->val[0] ||
1121 root_fsid.val[1] != fsid->val[1])
1125 * We need to make sure that the file system supports at least
1126 * encoding a file handle so user can use name_to_handle_at() to
1127 * compare fid returned with event to the file handle of watched
1128 * objects. However, name_to_handle_at() requires that the
1129 * filesystem also supports decoding file handles.
1131 if (!path->dentry->d_sb->s_export_op ||
1132 !path->dentry->d_sb->s_export_op->fh_to_dentry)
1138 static int fanotify_events_supported(struct path *path, __u64 mask)
1141 * Some filesystems such as 'proc' acquire unusual locks when opening
1142 * files. For them fanotify permission events have high chances of
1143 * deadlocking the system - open done when reporting fanotify event
1144 * blocks on this "unusual" lock while another process holding the lock
1145 * waits for fanotify permission event to be answered. Just disallow
1146 * permission events for such filesystems.
1148 if (mask & FANOTIFY_PERM_EVENTS &&
1149 path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM)
1154 static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
1155 int dfd, const char __user *pathname)
1157 struct inode *inode = NULL;
1158 struct vfsmount *mnt = NULL;
1159 struct fsnotify_group *group;
1162 __kernel_fsid_t __fsid, *fsid = NULL;
1163 u32 valid_mask = FANOTIFY_EVENTS | FANOTIFY_EVENT_FLAGS;
1164 unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
1165 bool ignored = flags & FAN_MARK_IGNORED_MASK;
1166 unsigned int obj_type, fid_mode;
1170 pr_debug("%s: fanotify_fd=%d flags=%x dfd=%d pathname=%p mask=%llx\n",
1171 __func__, fanotify_fd, flags, dfd, pathname, mask);
1173 /* we only use the lower 32 bits as of right now. */
1174 if (mask & ((__u64)0xffffffff << 32))
1177 if (flags & ~FANOTIFY_MARK_FLAGS)
1180 switch (mark_type) {
1181 case FAN_MARK_INODE:
1182 obj_type = FSNOTIFY_OBJ_TYPE_INODE;
1184 case FAN_MARK_MOUNT:
1185 obj_type = FSNOTIFY_OBJ_TYPE_VFSMOUNT;
1187 case FAN_MARK_FILESYSTEM:
1188 obj_type = FSNOTIFY_OBJ_TYPE_SB;
1194 switch (flags & (FAN_MARK_ADD | FAN_MARK_REMOVE | FAN_MARK_FLUSH)) {
1196 case FAN_MARK_REMOVE:
1200 case FAN_MARK_FLUSH:
1201 if (flags & ~(FANOTIFY_MARK_TYPE_BITS | FAN_MARK_FLUSH))
1208 if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS))
1209 valid_mask |= FANOTIFY_PERM_EVENTS;
1211 if (mask & ~valid_mask)
1214 /* Event flags (ONDIR, ON_CHILD) are meaningless in ignored mask */
1216 mask &= ~FANOTIFY_EVENT_FLAGS;
1218 f = fdget(fanotify_fd);
1219 if (unlikely(!f.file))
1222 /* verify that this is indeed an fanotify instance */
1224 if (unlikely(f.file->f_op != &fanotify_fops))
1226 group = f.file->private_data;
1229 * group->priority == FS_PRIO_0 == FAN_CLASS_NOTIF. These are not
1230 * allowed to set permissions events.
1233 if (mask & FANOTIFY_PERM_EVENTS &&
1234 group->priority == FS_PRIO_0)
1238 * Events with data type inode do not carry enough information to report
1239 * event->fd, so we do not allow setting a mask for inode events unless
1240 * group supports reporting fid.
1241 * inode events are not supported on a mount mark, because they do not
1242 * carry enough information (i.e. path) to be filtered by mount point.
1244 fid_mode = FAN_GROUP_FLAG(group, FANOTIFY_FID_BITS);
1245 if (mask & FANOTIFY_INODE_EVENTS &&
1246 (!fid_mode || mark_type == FAN_MARK_MOUNT))
1249 if (flags & FAN_MARK_FLUSH) {
1251 if (mark_type == FAN_MARK_MOUNT)
1252 fsnotify_clear_vfsmount_marks_by_group(group);
1253 else if (mark_type == FAN_MARK_FILESYSTEM)
1254 fsnotify_clear_sb_marks_by_group(group);
1256 fsnotify_clear_inode_marks_by_group(group);
1260 ret = fanotify_find_path(dfd, pathname, &path, flags,
1261 (mask & ALL_FSNOTIFY_EVENTS), obj_type);
1265 if (flags & FAN_MARK_ADD) {
1266 ret = fanotify_events_supported(&path, mask);
1268 goto path_put_and_out;
1272 ret = fanotify_test_fid(&path, &__fsid);
1274 goto path_put_and_out;
1279 /* inode held in place by reference to path; group by fget on fd */
1280 if (mark_type == FAN_MARK_INODE)
1281 inode = path.dentry->d_inode;
1285 /* Mask out FAN_EVENT_ON_CHILD flag for sb/mount/non-dir marks */
1286 if (mnt || !S_ISDIR(inode->i_mode)) {
1287 mask &= ~FAN_EVENT_ON_CHILD;
1288 umask = FAN_EVENT_ON_CHILD;
1290 * If group needs to report parent fid, register for getting
1291 * events with parent/name info for non-directory.
1293 if ((fid_mode & FAN_REPORT_DIR_FID) &&
1294 (flags & FAN_MARK_ADD) && !ignored)
1295 mask |= FAN_EVENT_ON_CHILD;
1298 /* create/update an inode mark */
1299 switch (flags & (FAN_MARK_ADD | FAN_MARK_REMOVE)) {
1301 if (mark_type == FAN_MARK_MOUNT)
1302 ret = fanotify_add_vfsmount_mark(group, mnt, mask,
1304 else if (mark_type == FAN_MARK_FILESYSTEM)
1305 ret = fanotify_add_sb_mark(group, mnt->mnt_sb, mask,
1308 ret = fanotify_add_inode_mark(group, inode, mask,
1311 case FAN_MARK_REMOVE:
1312 if (mark_type == FAN_MARK_MOUNT)
1313 ret = fanotify_remove_vfsmount_mark(group, mnt, mask,
1315 else if (mark_type == FAN_MARK_FILESYSTEM)
1316 ret = fanotify_remove_sb_mark(group, mnt->mnt_sb, mask,
1319 ret = fanotify_remove_inode_mark(group, inode, mask,
1333 #ifndef CONFIG_ARCH_SPLIT_ARG64
1334 SYSCALL_DEFINE5(fanotify_mark, int, fanotify_fd, unsigned int, flags,
1335 __u64, mask, int, dfd,
1336 const char __user *, pathname)
1338 return do_fanotify_mark(fanotify_fd, flags, mask, dfd, pathname);
1342 #if defined(CONFIG_ARCH_SPLIT_ARG64) || defined(CONFIG_COMPAT)
1343 SYSCALL32_DEFINE6(fanotify_mark,
1344 int, fanotify_fd, unsigned int, flags,
1345 SC_ARG64(mask), int, dfd,
1346 const char __user *, pathname)
1348 return do_fanotify_mark(fanotify_fd, flags, SC_VAL64(__u64, mask),
1354 * fanotify_user_setup - Our initialization function. Note that we cannot return
1355 * error because we have compiled-in VFS hooks. So an (unlikely) failure here
1356 * must result in panic().
1358 static int __init fanotify_user_setup(void)
1360 BUILD_BUG_ON(HWEIGHT32(FANOTIFY_INIT_FLAGS) != 10);
1361 BUILD_BUG_ON(HWEIGHT32(FANOTIFY_MARK_FLAGS) != 9);
1363 fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
1364 SLAB_PANIC|SLAB_ACCOUNT);
1365 fanotify_fid_event_cachep = KMEM_CACHE(fanotify_fid_event,
1367 fanotify_path_event_cachep = KMEM_CACHE(fanotify_path_event,
1369 if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS)) {
1370 fanotify_perm_event_cachep =
1371 KMEM_CACHE(fanotify_perm_event, SLAB_PANIC);
1376 device_initcall(fanotify_user_setup);