lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240703010215.2013266-1-drosen@google.com>
Date: Tue,  2 Jul 2024 18:02:14 -0700
From: Daniel Rosenberg <drosen@...gle.com>
To: Miklos Szeredi <miklos@...redi.hu>, Amir Goldstein <amir73il@...il.com>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	kernel-team@...roid.com, Daniel Rosenberg <drosen@...gle.com>
Subject: [PATCH 0/1] Fuse Passthrough cache issues

I've been attempting to recreate Android's usage of Fuse Passthrough with the
version now merged in the kernel, and I've run into a couple issues. The first
one was pretty straightforward, and I've included a patch, although I'm not
convinced that it should be conditional, and it may need to do more to ensure
that the cache is up to date.

If your fuse daemon is running with writeback cache enabled, writes with
passthrough files will cause problems. Fuse will invalidate attributes on
write, but because it's in writeback cache mode, it will ignore the requested
attributes when the daemon provides them. The kernel is the source of truth in
this case, and should update the cached values during the passthrough write.

The other issue I ran into is the restriction on opening a file in passthrough
and non passthrough modes. In Android, one of our main usecases for passthrough
is location metadata redaction. Apps without the location permission get back
nulled out data when they read image metadata location. If an app has that
permission, it can open the file in passthrough mode, but otherwise the daemon
opens the file in normal fuse mode where it can do the redaction.

Currently in passthrough, this behavior is explicitly blocked. What's needed to
allow this? The page caches can contain different data, but in this case that's
a feature, not a bug. They could theoretically be backed by entirely different
things, although that would be fairly confusing. I would think the main thing
we'd need would be to invalidate areas of the cache when writing in passthrough
mode to give the daemon the opportunity to react to what's there now, and also
something in the other direction. Might make more sense as something the daemon
can opt into.

Any thoughts on these issues? And does the proposed fix make sense to you?



Daniel Rosenberg (1):
  fuse: Keep attributes consistent with Passthrough

 fs/fuse/passthrough.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)


base-commit: 73e931504f8e0d42978bfcda37b323dbbd1afc08
-- 
2.45.2.803.g4e1b14247a-goog


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ