
Bug#876381: linux-image-4.9.0-3-amd64: fanotify doesn't see events from other namespaces



Package: src:linux
Version: 4.9.30-2+deb9u5
Severity: normal
Tags: upstream

Dear Maintainer,

We use the Linux fanotify interface in a virus scanner to detect
viruses as soon as the files are written. Yesterday we noticed that a
machine that has been upgraded to Debian stretch no longer detects
viruses that have been uploaded with a PHP script served by Apache.

The issue is easily reproducible by installing the package fnotifystat
and using that to monitor for filesystem events caused by Apache, for
example:

# fnotifystat -v | grep apache

Then request some document served by Apache, or just trigger a reload:

# systemctl reload apache2

fnotifystat won't print any filesystem events caused by Apache; the only
thing you'll see is a few events from apachectl, which systemd uses to
reload Apache.

The reason for this is apparently the namespace isolation done by
systemd that is triggered by the following setting:

host ~ # grep PrivateTmp /lib/systemd/system/apache2.service
PrivateTmp=true

If I comment the PrivateTmp line out and then restart Apache:

# systemctl daemon-reload; systemctl restart apache2

then fnotifystat will be able to see events caused by Apache, either
from requesting a document or from reloading it. This issue has been
documented on some websites already, but I haven't found any bug reports
for it yet:

https://community.sophos.com/kb/en-us/122625
https://lkml.org/lkml/2015/10/29/268
https://community.f-secure.com/t5/Business/Linux-Security-11-00-unable-to/ta-p/77793

It is easily worked around by disabling PrivateTmp on all services that
may be used to upload files, but I do believe that it should be properly
fixed in the kernel. fanotify seems to be the intended interface for
virus scanners, and therefore it shouldn't be accidentally circumvented
by namespace isolation.

-- Package-specific info:
** Version:
Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06)

** Command line:
root=UUID=97174b79-e90a-436b-b6b8-55f37167c1e5 ro  quiet

** Tainted: W (512)
 * Taint on warning.

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information

** Loaded modules:
dm_mod
cpuid
ipt_MASQUERADE
nf_nat_masquerade_ipv4
xt_NFLOG
xt_REDIRECT
nf_nat_redirect
ipt_REJECT
nf_reject_ipv4
xt_mac
xt_u32
xt_length
xt_nat
iptable_nat
nf_nat_ipv4
veth
xt_multiport
nf_conntrack_ipv4
nf_defrag_ipv4
xt_TCPMSS
nf_nat_tftp
xt_conntrack
nf_conntrack_tftp
nf_nat_sip
nf_conntrack_sip
nf_nat_pptp
nf_nat_proto_gre
nf_conntrack_pptp
nf_conntrack_proto_gre
xt_tcpudp
nf_nat_irc
iptable_filter
bridge
nf_conntrack_irc
stp
llc
nf_nat_h323
nf_conntrack_netlink
nf_conntrack_h323
xfrm_user
nf_nat_ftp
xfrm_algo
nf_conntrack_ftp
nf_nat_amanda
ts_kmp
nf_conntrack_amanda
nf_nat
nf_conntrack
overlay
nfnetlink_log
nfnetlink
intel_rapl
x86_pkg_temp_thermal
coretemp
crct10dif_pclmul
crc32_pclmul
ghash_clmulni_intel
evdev
pcspkr
intel_rapl_perf
loop
parport_pc
ppdev
lp
parport
ip_tables
x_tables
autofs4
ext4
crc16
jbd2
fscrypto
ecb
mbcache
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
async_tx
xor
raid6_pq
libcrc32c
crc32c_generic
raid1
raid0
multipath
linear
md_mod
crc32c_intel
xen_netfront
xen_blkfront
aesni_intel
aes_x86_64
glue_helper
lrw
gf128mul
ablk_helper
cryptd

** PCI devices:

** USB devices:
not available


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-3-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5

Versions of packages linux-image-4.9.0-3-amd64 recommends:
ii  firmware-linux-free  3.4
pn  irqbalance           <none>

Versions of packages linux-image-4.9.0-3-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-3-amd64 is related to:
ii  firmware-amd-graphics     20161130-3
pn  firmware-atheros          <none>
ii  firmware-bnx2             20161130-3
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
ii  firmware-linux-nonfree    20161130-3
ii  firmware-misc-nonfree     20161130-3
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
ii  firmware-realtek          20161130-3
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
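The following shell functions are an added example and are not part of the bug report or of the fnotifystat or Debian kernel packages. They give a practitioner the check the report implies (is the service's main process in the same mount namespace as the shell where the fanotify listener runs?), a way to enumerate running services that systemd started with PrivateTmp= enabled, and the reporter's workaround written as a systemd drop-in under /etc/systemd/system rather than a comment in the vendor unit under /lib/systemd/system, which a package upgrade would overwrite. The function names and the drop-in file name no-private-tmp.conf are my own choices; the systemctl-based functions assume a systemd host and root privileges.

```shell
#!/bin/sh
# Added example, not from the bug report. Helpers around the mount-namespace
# problem described above: a namespace check, a PrivateTmp= inventory, and a
# drop-in override (function and file names are this example's own choices).

# same_mnt_ns PID1 PID2: exit 0 if both PIDs share a mount namespace,
# 1 if they do not, 2 if either /proc/PID/ns/mnt link cannot be read.
same_mnt_ns() {
    a=$(readlink "/proc/$1/ns/mnt") || return 2
    b=$(readlink "/proc/$2/ns/mnt") || return 2
    [ "$a" = "$b" ]
}

# scanner_can_see UNIT: report whether UNIT's main process shares the mount
# namespace of this shell, i.e. whether a fanotify listener started from
# here (fnotifystat, a scanner) would see that process's file events.
scanner_can_see() {
    unit=$1
    pid=$(systemctl show -p MainPID --value "$unit")
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$unit: not running"
        return 2
    fi
    if same_mnt_ns "$$" "$pid"; then
        echo "$unit (pid $pid): same mount namespace, fanotify events visible"
    else
        echo "$unit (pid $pid): different mount namespace, fanotify events NOT visible"
        return 1
    fi
}

# list_private_tmp_units: print running services whose PrivateTmp= is on.
# Candidates for the workaround are the ones that accept file uploads.
list_private_tmp_units() {
    systemctl list-units --type=service --state=running --no-legend --plain \
      | awk '{print $1}' \
      | while read -r u; do
            if [ "$(systemctl show -p PrivateTmp --value "$u")" = yes ]; then
                echo "$u"
            fi
        done
}

# write_private_tmp_override UNIT [DIR]: write DIR/UNIT.d/no-private-tmp.conf
# (DIR defaults to /etc/systemd/system) overriding PrivateTmp=, print its
# path. A drop-in survives package upgrades; editing /lib/systemd does not.
write_private_tmp_override() {
    unit=$1
    base=${2:-/etc/systemd/system}
    d="$base/$unit.d"
    mkdir -p "$d" || return 1
    printf '[Service]\nPrivateTmp=false\n' > "$d/no-private-tmp.conf" || return 1
    echo "$d/no-private-tmp.conf"
}

# Typical use as root:
#   list_private_tmp_units
#   scanner_can_see apache2.service
#   write_private_tmp_override apache2.service \
#     && systemctl daemon-reload && systemctl restart apache2
#   scanner_can_see apache2.service
```

PrivateTmp= is itself a hardening setting (it keeps a service's /tmp and /var/tmp separate from every other process), so the override trades that isolation for scanner visibility; apply it only to the services the report singles out, those that can write uploaded files, and re-run the namespace check after the restart to confirm the worker is now in the listener's mount namespace.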

