Re: [PATCH =-v3 11/21] fanotify: give a special access permissioncheck

[Eric Paris]

On Wed, 2008-11-12 at 11:53 -0500, Christoph Hellwig wrote:
> On Wed, Nov 12, 2008 at 11:11:24AM -0500, Eric Paris wrote:
> >  	fsnotify_open_exec(file);
> > +	error = fanotify(file, FAN_ACCESS_EXEC_PERM);
> > +	if (error) {
> > +		fput(file);
> > +		goto out;
> > +	}
> 
> Adding your own fanotify calls next to the fsnotify calls completely
> defeats th purpose of these.  Please make sure we have one set of hooks.

Absolutely in this case.  Would you prefer I funneled ALL fanotify
blocking calls through fsnotify?  I did back in patch #10 add fanotify
calls next to some security calls (it also might be possible for me to
pull the fsnotify calls of these paths up rather than introduce new
fsnotify hooks, I'm not yet certain.)

> And given that we now have three notification schemes I think it's
> getting time that you also unifify the actuall backends (buffering, etc)
> instead of faning out at the fsnotify layer and just leave dnotify and
> inotify as tiny userspace interface layers.

doing something like this would obviously require in kernel fastpaths
(as i'm sure you are aware.)   I guess then I get to use the space in
inode of both dnotify and inotify.  Like I said I'll try to see what I
can do down this path.

No matter what I think this is going to have to be merged first as
fanotify is quite broad in comparison to either d or i notify.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/