5

Is there a facility like fanotify, but for exec() operations? Something like kauth in MacOS, but in userland.

fanotify only seems to notify on (and allow/deny) file open/close/read/write.

I've seen code that can notify on fork and exec by other means (also here), but there is no way to allow or deny an exec. Also, it seems there are drawbacks to this approach, because not all kernels are compiled with netlink/proc connector, and it can get overwhelmed with events.

craig65535
  • How exactly would this work in userland? Seems to me this is something that could only be implemented in the kernel. – Martin Konecny May 28 '14 at 05:43
  • I was wondering if there was a userland interface I could use for some pre-existing functionality in the kernel, like the netlink code in the link above. – craig65535 May 30 '14 at 19:06

3 Answers

2

Perhaps you are looking for SELinux, a Linux kernel module which provides the enforcement of fine-grained security policies, like who or what gets to execute a certain file.

Kaz
  • Does it have an API of some kind, or is it just set up through configuration files? – craig65535 May 22 '14 at 00:21
  • Thanks for the link. I'm having a bit of trouble figuring out what is possible with this API, though. Would it be possible for me to write a module that would get notified of an exec, and then return an access decision to SELinux? Or, is the API more for reading/building a static configuration? Examples I've seen using libselinux are projects like SE-PostgreSQL, and from my reading they use it to comply with the access control that is already set up in SELinux. – craig65535 May 22 '14 at 21:34
1

Looks like Linux finally added this feature to fanotify in kernel 5.0 (shipped in e.g. Ubuntu 19.04).

See man 2 fanotify_mark for details. The relevant flags are FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM.

craig65535
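The flags named in that answer wired into a working exec gate, as an added example that is not part of the original answer or of any project's code. The allow-list of directories is a hypothetical policy constructed for the example; the program itself needs CAP_SYS_ADMIN and a kernel of 5.0 or later, and the `exec_allowed` decision is kept as a pure function so the policy can be tested without either:

```c
/* Added example (not from the original post): a minimal exec gate built on
 * fanotify's FAN_OPEN_EXEC_PERM (Linux >= 5.0). Needs CAP_SYS_ADMIN to run. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
/* Userspace headers older than glibc 2.30 lack this flag; value is from uapi/linux/fanotify.h. */
#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000
#endif
/* Hypothetical allow-list, constructed for this example; a real daemon would load it. */
static const char *const allowed_prefixes[] = {
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
    "/bin/", "/sbin/", "/lib/", "/lib64/", NULL
};

/* Pure policy decision: 1 = allow, 0 = deny. Expects the canonical absolute
 * path read back from /proc/self/fd; a relative path or a "/../" component
 * means resolution went wrong, so it is denied (fail closed). */
int exec_allowed(const char *path)
{
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return 0;
    for (size_t i = 0; allowed_prefixes[i] != NULL; i++)
        if (strncmp(path, allowed_prefixes[i], strlen(allowed_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* The event carries an open fd for the file about to be exec'd; readlink on
 * /proc/self/fd/N yields its canonical path. Returns 1 on success. */
static int fd_to_path(int fd, char *buf, size_t bufsz)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, bufsz - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return 1;
}

/* Every *_PERM event must be answered; until then the other process sits in
 * execve(). Closing this fanotify fd instead lets all pending requests through. */
static void respond(int fan_fd, int event_fd, int allow)
{
    struct fanotify_response resp = { .fd = event_fd,
                                      .response = allow ? FAN_ALLOW : FAN_DENY };
    if (write(fan_fd, &resp, sizeof resp) != (ssize_t)sizeof resp)
        perror("write(fanotify_response)");
}

int main(void)
{
    /* FAN_CLASS_CONTENT is required to receive permission events at all. */
    int fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC,
                               O_RDONLY | O_LARGEFILE | O_CLOEXEC);
    if (fan_fd < 0) {
        perror("fanotify_init (needs CAP_SYS_ADMIN and kernel >= 5.0)");
        return 1;
    }
    /* Marks are per mount: /home, /tmp etc. on separate filesystems need their own mark. */
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_EXEC_PERM,
                      AT_FDCWD, "/") < 0) {
        perror("fanotify_mark(FAN_OPEN_EXEC_PERM)");
        return 1;
    }
    char buf[8192] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan_fd, buf, sizeof buf);
        if (len < 0) {
            if (errno == EINTR) continue;
            perror("read(fanotify)");
            break;
        }
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(md, len); md = FAN_EVENT_NEXT(md, len)) {
            if (md->vers != FANOTIFY_METADATA_VERSION) {
                fprintf(stderr, "fanotify metadata version mismatch\n");
                return 1;
            }
            if (md->fd < 0)          /* FAN_NOFD: queue overflow, nothing to answer */
                continue;
            if (md->mask & FAN_OPEN_EXEC_PERM) {
                char path[PATH_MAX] = "?";
                int allow = fd_to_path(md->fd, path, sizeof path) && exec_allowed(path);
                fprintf(stderr, "pid %d exec %s -> %s\n", md->pid, path, allow ? "ALLOW" : "DENY");
                respond(fan_fd, md->fd, allow);
            }
            close(md->fd);           /* always release the event's fd */
        }
    }
    close(fan_fd);
    return 0;
}
```

Two points to keep in mind before relying on this. The process calling execve() is blocked until the gate answers, so the daemon must respond to every permission event, and if it dies or closes the fanotify fd the kernel lets everything that was pending through: the design fails open. The event is raised for files opened for execution, which is what execve() of a binary or of a `#!` script (and of the script's interpreter) does; a process that runs the dynamic loader directly (`/lib64/ld-linux-x86-64.so.2 ./payload`) execs only the loader, which an allow-list like the one above permits, and then open()s the payload normally, so a gate that must resist that also needs FAN_OPEN_PERM or a policy that treats the loader specially.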
0

I believe the "Process Events Connector" is what you are looking for. This interface will allow you to receive notifications of fork, exec, and setuid/setgid events.

Read more at LWN (https://lwn.net/Articles/157150/) and a great blog article (not mine) at http://netsplit.com/the-proc-connector-and-socket-filters.
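A subscriber for that connector, as an added example that is not part of the original answer or of either linked article. It prints one line per event and, unlike the fanotify permission events discussed in the other answer, can only observe: by the time the message arrives the exec has already happened. It assumes a kernel built with CONFIG_PROC_EVENTS and CAP_NET_ADMIN for the netlink bind; the decoder is a pure function so it can be exercised on constructed events without root:

```c
/* Added example (not from the original post): subscribe to the Process Events
 * Connector over netlink and decode fork/exec/setuid/setgid events. Notification
 * only: nothing here can deny anything. Needs CAP_NET_ADMIN and CONFIG_PROC_EVENTS. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>
/* Pure decoder: render one proc_event as a log line into out and return out. */
const char *describe_proc_event(const struct proc_event *ev, char *out, size_t outsz)
{
    switch (ev->what) {
    case PROC_EVENT_FORK:
        snprintf(out, outsz, "fork parent=%d child=%d",
                 ev->event_data.fork.parent_pid, ev->event_data.fork.child_pid);
        break;
    case PROC_EVENT_EXEC:
        snprintf(out, outsz, "exec pid=%d", ev->event_data.exec.process_pid);
        break;
    case PROC_EVENT_UID:
        snprintf(out, outsz, "setuid pid=%d ruid=%u euid=%u", ev->event_data.id.process_pid,
                 ev->event_data.id.r.ruid, ev->event_data.id.e.euid);
        break;
    case PROC_EVENT_GID:
        snprintf(out, outsz, "setgid pid=%d rgid=%u egid=%u", ev->event_data.id.process_pid,
                 ev->event_data.id.r.rgid, ev->event_data.id.e.egid);
        break;
    case PROC_EVENT_NONE:            /* the kernel's ack of our LISTEN request */
        snprintf(out, outsz, "ack err=%u", ev->event_data.ack.err);
        break;
    default:                         /* exit, sid, ptrace, comm, coredump ... */
        snprintf(out, outsz, "other what=0x%x", (unsigned)ev->what);
    }
    return out;
}

/* Open a NETLINK_CONNECTOR socket, join the CN_IDX_PROC multicast group and
 * send PROC_CN_MCAST_LISTEN so the kernel starts emitting events. */
static int proc_connector_subscribe(void)
{
    int sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);
    if (sock < 0) return -1;
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_pid = getpid(),
                                .nl_groups = CN_IDX_PROC };
    enum proc_cn_mcast_op op = PROC_CN_MCAST_LISTEN;
    struct cn_msg cn = { .id = { .idx = CN_IDX_PROC, .val = CN_VAL_PROC }, .len = sizeof op };
    struct nlmsghdr nlh = { .nlmsg_len = NLMSG_LENGTH(sizeof cn + sizeof op),
                            .nlmsg_type = NLMSG_DONE, .nlmsg_pid = getpid() };
    /* Wire layout: nlmsghdr, then cn_msg, then the op as cn_msg's payload. */
    char req[NLMSG_LENGTH(sizeof cn + sizeof op)];
    memcpy(req, &nlh, sizeof nlh);
    memcpy(req + NLMSG_HDRLEN, &cn, sizeof cn);
    memcpy(req + NLMSG_HDRLEN + sizeof cn, &op, sizeof op);
    if (bind(sock, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        send(sock, req, sizeof req, 0) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

int main(void)
{
    int sock = proc_connector_subscribe();
    if (sock < 0) {
        perror("proc connector (needs CAP_NET_ADMIN and CONFIG_PROC_EVENTS)");
        return 1;
    }
    char buf[4096] __attribute__((aligned(NLMSG_ALIGNTO)));
    char line[160];
    for (;;) {
        ssize_t len = recv(sock, buf, sizeof buf, 0);
        if (len < 0) {
            if (errno == EINTR) continue;
            /* The "overwhelmed with events" case: the kernel dropped events. */
            if (errno == ENOBUFS) { fputs("netlink queue overflowed, events lost\n", stderr); continue; }
            perror("recv");
            break;
        }
        for (struct nlmsghdr *nlh = (struct nlmsghdr *)buf; NLMSG_OK(nlh, len);
             nlh = NLMSG_NEXT(nlh, len)) {
            if (nlh->nlmsg_type != NLMSG_DONE) continue;
            struct cn_msg *cn = NLMSG_DATA(nlh);
            if (cn->id.idx != CN_IDX_PROC || cn->id.val != CN_VAL_PROC ||
                cn->len < sizeof(struct proc_event))
                continue;
            struct proc_event ev;        /* copy out: cn->data is not 8-byte aligned */
            memcpy(&ev, cn->data, sizeof ev);
            puts(describe_proc_event(&ev, line, sizeof line));
        }
    }
    close(sock);
    return 0;
}
```

The ENOBUFS branch is the drawback the question mentions: the kernel multicasts into a bounded socket receive buffer, and once it overflows events are dropped until the reader catches up, so anything built on this interface (process telemetry, detection rules) has to treat the stream as lossy, raise SO_RCVBUF where that helps, and reconcile against /proc rather than assume it saw every exec.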