fanotify: call fanotify_events_supported() before path_permission() and security_path...
authorOndrej Mosnacek <omosnace@redhat.com>
Mon, 16 Feb 2026 15:06:25 +0000 (16:06 +0100)
committerJan Kara <jack@suse.cz>
Thu, 26 Feb 2026 14:18:41 +0000 (15:18 +0100)
The latter trigger LSM (e.g. SELinux) checks, which will log a denial
when permission is denied, so it's better to do them after validity
checks to avoid logging a denial when the operation would fail anyway.

Fixes: 0b3b094ac9a7 ("fanotify: Disallow permission events for proc filesystem")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20260216150625.793013-3-omosnace@redhat.com
Signed-off-by: Jan Kara <jack@suse.cz>
fs/notify/fanotify/fanotify_user.c

index 5d030fbb2dffebbe3bd664a5f4b90b4ce93d5f59..ae904451dfc0955d6b2c84f07730e5adac293edc 100644 (file)
@@ -1210,6 +1210,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
 
                *path = fd_file(f)->f_path;
                path_get(path);
+               ret = 0;
        } else {
                unsigned int lookup_flags = 0;
 
@@ -1219,22 +1220,7 @@ static int fanotify_find_path(int dfd, const char __user *filename,
                        lookup_flags |= LOOKUP_DIRECTORY;
 
                ret = user_path_at(dfd, filename, lookup_flags, path);
-               if (ret)
-                       goto out;
        }
-
-       /* you can only watch an inode if you have read permissions on it */
-       ret = path_permission(path, MAY_READ);
-       if (ret) {
-               path_put(path);
-               goto out;
-       }
-
-       ret = security_path_notify(path, mask, obj_type);
-       if (ret)
-               path_put(path);
-
-out:
        return ret;
 }
 
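Review bot: With the `security_path_notify(path, mask, obj_type)` call removed, nothing in the visible part of fanotify_find_path() reads `mask` or `obj_type` any more, so both parameters look dead. The signature and the start of the body are outside this hunk, so confirm that no earlier line uses them; if none does, drop them from the signature and from the call in do_fanotify_mark(), so the helper no longer appears to take part in the permission decision. The contract change also deserves a comment above the function, for example `/* Resolves the path only; the caller must call path_permission() and security_path_notify(). */`. A later caller that assumes the old behaviour would otherwise skip both checks without any compile-time hint.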
@@ -2058,6 +2044,15 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
                        goto path_put_and_out;
        }
 
+       /* you can only watch an inode if you have read permissions on it */
+       ret = path_permission(&path, MAY_READ);
+       if (ret)
+               goto path_put_and_out;
+
+       ret = security_path_notify(&path, mask, obj_type);
+       if (ret)
+               goto path_put_and_out;
+
        if (fid_mode) {
                ret = fanotify_test_fsid(path.dentry, flags, &__fsid);
                if (ret)
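Review bot: The comment carried over to the new location in do_fanotify_mark() says only that read permission is required; it does not record why the checks now sit after the validity checks, which is the reason for the move. A comment such as `/* Do the permission and LSM checks only after the validity checks above, so a request that would fail anyway does not log an LSM denial. */` would keep a later refactor from moving them back up, or from placing state-changing code ahead of them. Two side effects follow from the new order and are presumably intended: a caller without read access now gets the validity error instead of the permission error for an unsupported request, and such requests no longer leave an LSM audit record, which matters to anyone relying on denial logs to spot fanotify probing. The enclosing function starts and ends outside this hunk, so what runs before these checks should be confirmed against the full file.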