Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()

The latter trigger LSM (e.g. SELinux) checks, which will log a denial
when permission is denied, so it's better to do them after validity
checks to avoid logging a denial when the operation would fail anyway.

Fixes: 0b3b094ac9a7 ("fanotify: Disallow permission events for proc filesystem")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20260216150625.793013-3-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>

authored by Ondrej Mosnacek and committed by Jan Kara
66052a76 0d5ee337

+10 -15
fs/notify/fanotify/fanotify_user.c
··· 1210 1210 1211 1211 *path = fd_file(f)->f_path; 1212 1212 path_get(path); 1213 + ret = 0; 1213 1214 } else { 1214 1215 unsigned int lookup_flags = 0; 1215 1216 ··· 1220 1219 lookup_flags |= LOOKUP_DIRECTORY; 1221 1220 1222 1221 ret = user_path_at(dfd, filename, lookup_flags, path); 1223 - if (ret) 1224 - goto out; 1225 1222 } 1226 - 1227 - /* you can only watch an inode if you have read permissions on it */ 1228 - ret = path_permission(path, MAY_READ); 1229 - if (ret) { 1230 - path_put(path); 1231 - goto out; 1232 - } 1233 - 1234 - ret = security_path_notify(path, mask, obj_type); 1235 - if (ret) 1236 - path_put(path); 1237 - 1238 - out: 1239 1223 return ret; 1240 1224 } 1241 1225 ··· 2043 2057 if (ret) 2044 2058 goto path_put_and_out; 2045 2059 } 2060 + 2061 + /* you can only watch an inode if you have read permissions on it */ 2062 + ret = path_permission(&path, MAY_READ); 2063 + if (ret) 2064 + goto path_put_and_out; 2065 + 2066 + ret = security_path_notify(&path, mask, obj_type); 2067 + if (ret) 2068 + goto path_put_and_out; 2046 2069 2047 2070 if (fid_mode) { 2048 2071 ret = fanotify_test_fsid(path.dentry, flags, &__fsid);
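Review bot: with `security_path_notify(path, mask, obj_type)` removed from fanotify_find_path, the `mask` and `obj_type` parameters have no remaining visible use in that function; if that call was their only consumer, the two parameters and the matching arguments at the call site in do_fanotify_mark are now dead and should be dropped rather than left in the signature. The added `ret = 0;` in the fd_file() branch is required because the fall-through into path_permission(), which previously set `ret` on success, is gone; a one-line comment there would spare the next reader from wondering why it is assigned explicitly. In the do_fanotify_mark hunk the relocated path_permission() and security_path_notify() checks correctly sit after the fanotify_events_supported() error exit and reuse the existing `path_put_and_out` label, so no path reference is leaked on either new failure path.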