Linux - fanotify, but for exec()?
Question
Is there a facility like fanotify, but for exec() operations? Something like kauth in MacOS , but in userland.
fanotify only seems to notify on (and allow/deny) file open/close/read/write.
I've seen code that can notify on fork and exec by other means (also here ), but there is no way to allow or deny an exec. Also, it seems there are drawbacks to this approach, because not all kernels are compiled with netlink/proc connector, and it can get overwhelmed with events.
3 answers
solution1
2 2014-05-21 06:42:23
也许您正在寻找SELinux ,这是一个Linux内核模块,它提供了细粒度的安全策略的实施,比如谁或什么来执行某个文件。
solution2
0 2016-07-20 22:38:28
I believe the "Process Events Connector" is what you are looking for. This interface will allow you to receive notifications of fork, exec, and setuid/setguid events.
Read more at LWN ( https://lwn.net/Articles/157150/ ) and a great blog article (not mine) at http://netsplit.com/the-proc-connector-and-socket-filters .
solution3
0 ACCPTED 2019-06-07 07:42:49
Looks like Linux finally added this feature to fanotify in kernel 5.0 (shipped in eg Ubuntu 19.04).
See man 2 fanotify_mark for details. The relevant flags are FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.