1/* SPDX-License-Identifier: GPL-2.0 */
2#ifndef _LINUX_FANOTIFY_H
3#define _LINUX_FANOTIFY_H
4
5#include <linux/sysctl.h>
6#include <uapi/linux/fanotify.h>
7
8#define FAN_GROUP_FLAG(group, flag) \
9 ((group)->fanotify_data.flags & (flag))
10
11/*
12 * Flags allowed to be passed from/to userspace.
13 *
14 * We intentionally do not add new bits to the old FAN_ALL_* constants, because
15 * they are uapi exposed constants. If there are programs out there using
16 * these constant, the programs may break if re-compiled with new uapi headers
17 * and then run on an old kernel.
18 */
19
20/* Group classes where permission events are allowed */
21#define FANOTIFY_PERM_CLASSES (FAN_CLASS_CONTENT | \
22 FAN_CLASS_PRE_CONTENT)
23
24#define FANOTIFY_CLASS_BITS (FAN_CLASS_NOTIF | FANOTIFY_PERM_CLASSES)
25
26#define FANOTIFY_FID_BITS (FAN_REPORT_DFID_NAME_TARGET)
27
28#define FANOTIFY_INFO_MODES (FANOTIFY_FID_BITS | FAN_REPORT_PIDFD | FAN_REPORT_MNT)
29
30/*
31 * fanotify_init() flags that require CAP_SYS_ADMIN.
32 * We do not allow unprivileged groups to request permission events.
33 * We do not allow unprivileged groups to get other process pid in events.
34 * We do not allow unprivileged groups to use unlimited resources.
35 */
36#define FANOTIFY_ADMIN_INIT_FLAGS (FANOTIFY_PERM_CLASSES | \
37 FAN_REPORT_TID | \
38 FAN_REPORT_PIDFD | \
39 FAN_REPORT_FD_ERROR | \
40 FAN_UNLIMITED_QUEUE | \
41 FAN_UNLIMITED_MARKS)
42
43/*
44 * fanotify_init() flags that are allowed for user without CAP_SYS_ADMIN.
45 * FAN_CLASS_NOTIF is the only class we allow for unprivileged group.
46 * We do not allow unprivileged groups to get file descriptors in events,
47 * so one of the flags for reporting file handles is required.
48 */
49#define FANOTIFY_USER_INIT_FLAGS (FAN_CLASS_NOTIF | \
50 FANOTIFY_FID_BITS | FAN_REPORT_MNT | \
51 FAN_CLOEXEC | FAN_NONBLOCK)
52
53#define FANOTIFY_INIT_FLAGS (FANOTIFY_ADMIN_INIT_FLAGS | \
54 FANOTIFY_USER_INIT_FLAGS)
55
56/* Internal group flags */
57#define FANOTIFY_UNPRIV 0x80000000
58#define FANOTIFY_INTERNAL_GROUP_FLAGS (FANOTIFY_UNPRIV)
59
60#define FANOTIFY_MARK_TYPE_BITS (FAN_MARK_INODE | FAN_MARK_MOUNT | \
61 FAN_MARK_FILESYSTEM | FAN_MARK_MNTNS)
62
63#define FANOTIFY_MARK_CMD_BITS (FAN_MARK_ADD | FAN_MARK_REMOVE | \
64 FAN_MARK_FLUSH)
65
66#define FANOTIFY_MARK_IGNORE_BITS (FAN_MARK_IGNORED_MASK | \
67 FAN_MARK_IGNORE)
68
69#define FANOTIFY_MARK_FLAGS (FANOTIFY_MARK_TYPE_BITS | \
70 FANOTIFY_MARK_CMD_BITS | \
71 FANOTIFY_MARK_IGNORE_BITS | \
72 FAN_MARK_DONT_FOLLOW | \
73 FAN_MARK_ONLYDIR | \
74 FAN_MARK_IGNORED_SURV_MODIFY | \
75 FAN_MARK_EVICTABLE)
76
77/*
78 * Events that can be reported with data type FSNOTIFY_EVENT_PATH.
79 * Note that FAN_MODIFY can also be reported with data type
80 * FSNOTIFY_EVENT_INODE.
81 */
82#define FANOTIFY_PATH_EVENTS (FAN_ACCESS | FAN_MODIFY | \
83 FAN_CLOSE | FAN_OPEN | FAN_OPEN_EXEC)
84
85/*
86 * Directory entry modification events - reported only to directory
87 * where entry is modified and not to a watching parent.
88 */
89#define FANOTIFY_DIRENT_EVENTS (FAN_MOVE | FAN_CREATE | FAN_DELETE | \
90 FAN_RENAME)
91
92/* Content events can be used to inspect file content */
93#define FANOTIFY_CONTENT_PERM_EVENTS (FAN_OPEN_PERM | FAN_OPEN_EXEC_PERM | \
94 FAN_ACCESS_PERM)
95/* Pre-content events can be used to fill file content */
96#define FANOTIFY_PRE_CONTENT_EVENTS (FAN_PRE_ACCESS)
97
98/* Events that require a permission response from user */
99#define FANOTIFY_PERM_EVENTS (FANOTIFY_CONTENT_PERM_EVENTS | \
100 FANOTIFY_PRE_CONTENT_EVENTS)
101
102/* Events that can be reported with event->fd */
103#define FANOTIFY_FD_EVENTS (FANOTIFY_PATH_EVENTS | FANOTIFY_PERM_EVENTS)
104
105/* Events that can only be reported with data type FSNOTIFY_EVENT_INODE */
106#define FANOTIFY_INODE_EVENTS (FANOTIFY_DIRENT_EVENTS | \
107 FAN_ATTRIB | FAN_MOVE_SELF | FAN_DELETE_SELF)
108
109/* Events that can only be reported with data type FSNOTIFY_EVENT_ERROR */
110#define FANOTIFY_ERROR_EVENTS (FAN_FS_ERROR)
111
112#define FANOTIFY_MOUNT_EVENTS (FAN_MNT_ATTACH | FAN_MNT_DETACH)
113
114/* Events that user can request to be notified on */
115#define FANOTIFY_EVENTS (FANOTIFY_PATH_EVENTS | \
116 FANOTIFY_INODE_EVENTS | \
117 FANOTIFY_ERROR_EVENTS | \
118 FANOTIFY_MOUNT_EVENTS)
119
120/* Extra flags that may be reported with event or control handling of events */
121#define FANOTIFY_EVENT_FLAGS (FAN_EVENT_ON_CHILD | FAN_ONDIR)
122
123/* Events that may be reported to user */
124#define FANOTIFY_OUTGOING_EVENTS (FANOTIFY_EVENTS | \
125 FANOTIFY_PERM_EVENTS | \
126 FAN_Q_OVERFLOW | FAN_ONDIR)
127
128/* Events and flags relevant only for directories */
129#define FANOTIFY_DIRONLY_EVENT_BITS (FANOTIFY_DIRENT_EVENTS | \
130 FAN_EVENT_ON_CHILD | FAN_ONDIR)
131
132#define ALL_FANOTIFY_EVENT_BITS (FANOTIFY_OUTGOING_EVENTS | \
133 FANOTIFY_EVENT_FLAGS)
134
135/* These masks check for invalid bits in permission responses. */
136#define FANOTIFY_RESPONSE_ACCESS (FAN_ALLOW | FAN_DENY)
137#define FANOTIFY_RESPONSE_FLAGS (FAN_AUDIT | FAN_INFO)
138#define FANOTIFY_RESPONSE_VALID_MASK \
139 (FANOTIFY_RESPONSE_ACCESS | FANOTIFY_RESPONSE_FLAGS | \
140 (FAN_ERRNO_MASK << FAN_ERRNO_SHIFT))
141
142/* Do not use these old uapi constants internally */
143#undef FAN_ALL_CLASS_BITS
144#undef FAN_ALL_INIT_FLAGS
145#undef FAN_ALL_MARK_FLAGS
146#undef FAN_ALL_EVENTS
147#undef FAN_ALL_PERM_EVENTS
148#undef FAN_ALL_OUTGOING_EVENTS
149
150#endif /* _LINUX_FANOTIFY_H */
151