|
 |
32a688 |
From 2b13715219bbb6a84a73e007cea84f0d5d1d39ab Mon Sep 17 00:00:00 2001
|
|
|
32a688 |
From: Radovan Sroka <rsroka@redhat.com>
|
|
|
32a688 |
Date: Tue, 6 Dec 2022 15:09:44 +0100
|
|
|
32a688 |
Subject: [PATCH] Extend new_event state machine
|
|
|
32a688 |
|
|
|
32a688 |
- allow other opens before dynamic linker execution
|
|
|
32a688 |
- split original STATE_REOPEN to the new STATE_REOPEN and STATE_DEFAULT_REOPEN
|
|
|
32a688 |
|
|
|
32a688 |
- STATE_REOPEN now behaves as loop state for new opens (from the same subject),
|
|
|
32a688 |
uses skip_path
|
|
|
32a688 |
- STATE_DEFAULT_REOPEN is needed when dynamic linker is directly executed
|
|
|
32a688 |
in such scenario we need to be sure that non of the following opens will
|
|
|
32a688 |
skip the path
|
|
|
32a688 |
|
|
|
32a688 |
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
|
|
32a688 |
---
|
|
|
32a688 |
src/library/event.c | 16 ++++++++++++++++
|
|
|
32a688 |
src/library/process.h | 3 ++-
|
|
|
32a688 |
2 files changed, 18 insertions(+), 1 deletion(-)
|
|
|
32a688 |
|
|
|
32a688 |
diff --git a/src/library/event.c b/src/library/event.c
|
|
|
32a688 |
index 4d79eb98..649cb9d6 100644
|
|
|
32a688 |
--- a/src/library/event.c
|
|
|
32a688 |
+++ b/src/library/event.c
|
|
|
32a688 |
@@ -133,6 +133,12 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
|
|
|
32a688 |
(e->type & FAN_OPEN_PERM) && !rc) {
|
|
|
32a688 |
skip_path = 1;
|
|
|
32a688 |
s->info->state = STATE_REOPEN;
|
|
|
32a688 |
+
|
|
|
32a688 |
+ // special branch after ld_so exec
|
|
|
32a688 |
+ // next opens will go fall trough
|
|
|
32a688 |
+ if (s->info->path1 &&
|
|
|
32a688 |
+ (strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
|
|
|
32a688 |
+ s->info->state = STATE_DEFAULT_REOPEN;
|
|
|
32a688 |
}
|
|
|
32a688 |
|
|
|
32a688 |
// If not same proc or we detect execution, evict
|
|
|
32a688 |
@@ -164,6 +170,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
|
|
|
32a688 |
skip_path = 1;
|
|
|
32a688 |
}
|
|
|
32a688 |
|
|
|
32a688 |
+
|
|
|
32a688 |
// If we've seen the reopen and its an execute and process
|
|
|
32a688 |
// has an interpreter and we're the same process, don't evict
|
|
|
32a688 |
// and don't collect the path since reopen interp will. The
|
|
|
32a688 |
@@ -172,10 +179,19 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
|
|
|
32a688 |
if ((s->info->state == STATE_REOPEN) && !skip_path &&
|
|
|
32a688 |
(e->type & FAN_OPEN_EXEC_PERM) &&
|
|
|
32a688 |
(s->info->elf_info & HAS_INTERP) && !rc) {
|
|
|
32a688 |
+ s->info->state = STATE_DEFAULT_REOPEN;
|
|
|
32a688 |
evict = 0;
|
|
|
32a688 |
skip_path = 1;
|
|
|
32a688 |
}
|
|
|
32a688 |
|
|
|
32a688 |
+ // this is how STATE_REOPEN and
|
|
|
32a688 |
+ // STATE_DEFAULT_REOPEN differs
|
|
|
32a688 |
+ // in STATE_REOPEN path is always skipped
|
|
|
32a688 |
+ if ((s->info->state == STATE_REOPEN) && !skip_path &&
|
|
|
32a688 |
+ (e->type & FAN_OPEN_PERM) && !rc) {
|
|
|
32a688 |
+ skip_path = 1;
|
|
|
32a688 |
+ }
|
|
|
32a688 |
+
|
|
|
32a688 |
if (evict) {
|
|
|
32a688 |
lru_evict(subj_cache, key);
|
|
|
32a688 |
q_node = check_lru_cache(subj_cache, key);
|
|
|
32a688 |
diff --git a/src/library/process.h b/src/library/process.h
|
|
|
32a688 |
index daa9d0d0..a741d1ac 100644
|
|
|
32a688 |
--- a/src/library/process.h
|
|
|
32a688 |
+++ b/src/library/process.h
|
|
|
32a688 |
@@ -31,7 +31,8 @@
|
|
|
32a688 |
#include "gcc-attributes.h"
|
|
|
32a688 |
|
|
|
32a688 |
typedef enum { STATE_COLLECTING=0, // initial state - execute
|
|
|
32a688 |
- STATE_REOPEN, // anticipating open perm next
|
|
|
32a688 |
+ STATE_REOPEN, // anticipating open perm next, always skips the path
|
|
|
32a688 |
+ STATE_DEFAULT_REOPEN, // reopen after dyn. linker exec, never skips the path
|
|
|
32a688 |
STATE_STATIC_REOPEN, // static app aniticipating
|
|
|
32a688 |
STATE_PARTIAL, // second path collected
|
|
|
32a688 |
STATE_STATIC_PARTIAL, // second path collected
|