| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOQ4uxhJ53h+1AjtF4B64onqvRfZsJ3n1OFikyJpXAPTyX45iQ@mail.gmail.com> Date: Thu, 27 Mar 2025 21:57:34 +0100 From: Amir Goldstein <amir73il@...il.com> To: Pali Rohár <pali@...nel.org> Cc: Andrey Albershteyn <aalbersh@...hat.com>, Richard Henderson <richard.henderson@...aro.org>, Matt Turner <mattst88@...il.com>, Russell King <linux@...linux.org.uk>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Geert Uytterhoeven <geert@...ux-m68k.org>, Michal Simek <monstr@...str.eu>, Thomas Bogendoerfer <tsbogend@...ha.franken.de>, "James E.J. Bottomley" <James.Bottomley@...senpartnership.com>, Helge Deller <deller@....de>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>, Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>, Yoshinori Sato <ysato@...rs.sourceforge.jp>, Rich Felker <dalias@...c.org>, John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>, "David S. Miller" <davem@...emloft.net>, Andreas Larsson <andreas@...sler.com>, Andy Lutomirski <luto@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Chris Zankel <chris@...kel.net>, Max Filippov <jcmvbkbc@...il.com>, Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, Mickaël Salaün <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>, Arnd Bergmann <arnd@...db.de>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-m68k@...ts.linux-m68k.org, linux-mips@...r.kernel.org, linux-parisc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-s390@...r.kernel.org, linux-sh@...r.kernel.org, sparclinux@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-api@...r.kernel.org, linux-arch@...r.kernel.org, selinux@...r.kernel.org, Andrey Albershteyn <aalbersh@...nel.org>, linux-xfs@...r.kernel.org Subject: Re: [PATCH v4 0/3] fs: introduce getfsxattrat and setfsxattrat syscalls On Thu, Mar 27, 2025 at 8:26 PM Pali Rohár <pali@...nel.org> wrote: > > On Thursday 27 March 2025 12:47:02 Amir Goldstein wrote: > > On Sun, Mar 23, 2025 at 11:32 AM Pali Rohár <pali@...nel.org> wrote: > > > > > > On Sunday 23 March 2025 09:45:06 Amir Goldstein wrote: > > > > On Fri, Mar 21, 2025 at 8:50 PM Andrey Albershteyn <aalbersh@...hat.com> wrote: > > > > > > > > > > This patchset introduced two new syscalls getfsxattrat() and > > > > > setfsxattrat(). These syscalls are similar to FS_IOC_FSSETXATTR ioctl() > > > > > except they use *at() semantics. Therefore, there's no need to open the > > > > > file to get an fd. > > > > > > > > > > These syscalls allow userspace to set filesystem inode attributes on > > > > > special files. One of the usage examples is XFS quota projects. > > > > > > > > > > XFS has project quotas which could be attached to a directory. All > > > > > new inodes in these directories inherit project ID set on parent > > > > > directory. > > > > > > > > > > The project is created from userspace by opening and calling > > > > > FS_IOC_FSSETXATTR on each inode. This is not possible for special > > > > > files such as FIFO, SOCK, BLK etc. Therefore, some inodes are left > > > > > with empty project ID. Those inodes then are not shown in the quota > > > > > accounting but still exist in the directory. This is not critical but in > > > > > the case when special files are created in the directory with already > > > > > existing project quota, these new inodes inherit extended attributes. > > > > > This creates a mix of special files with and without attributes. > > > > > Moreover, special files with attributes don't have a possibility to > > > > > become clear or change the attributes. This, in turn, prevents userspace > > > > > from re-creating quota project on these existing files. > > > > > > > > > > Christian, if this get in some mergeable state, please don't merge it > > > > > yet. Amir suggested these syscalls better to use updated struct fsxattr > > > > > with masking from Pali Rohár patchset, so, let's see how it goes. > > > > > > > > Andrey, > > > > > > > > To be honest I don't think it would be fair to delay your syscalls more > > > > than needed. > > > > > > I agree. > > > > > > > If Pali can follow through and post patches on top of your syscalls for > > > > next merge window that would be great, but otherwise, I think the > > > > minimum requirement is that the syscalls return EINVAL if fsx_pad > > > > is not zero. we can take it from there later. > > > > > > IMHO SYS_getfsxattrat is fine in this form. > > > > > > For SYS_setfsxattrat I think there are needed some modifications > > > otherwise we would have problem again with backward compatibility as > > > is with ioctl if the syscall wants to be extended in future. > > > > > > I would suggest for following modifications for SYS_setfsxattrat: > > > > > > - return EINVAL if fsx_xflags contains some reserved or unsupported flag > > > > > > - add some flag to completely ignore fsx_extsize, fsx_projid, and > > > fsx_cowextsize fields, so SYS_setfsxattrat could be used just to > > > change fsx_xflags, and so could be used without the preceding > > > SYS_getfsxattrat call. > > > > > > What do you think about it? > > > > I think all Andrey needs to do now is return -EINVAL if fsx_pad is not zero. > > > > You can use this later to extend for the semantics of flags/fields mask > > and we can have a long discussion later on what this semantics should be. > > > > Right? > > > > Amir. > > It is really enough? I don't know. Let's see... > All new extensions later would have to be added > into fsx_pad fields, and currently unused bits in fsx_xflags would be > unusable for extensions. I am working under the assumption that the first extension would be to support fsx_xflags_mask and from there, you could add filesystem flags support checks and then new flags. Am I wrong? Obviously, fsx_xflags_mask would be taken from fsx_pad space. After that extension is implemented, calling SYS_setfsxattrat() with a zero fsx_xflags_mask would be silly for programs that do not do the legacy get+set. So when we introduce fsx_xflags_mask, we could say that a value of zero means that the mask is not being checked at all and unknown flags in set syscall are ignored (a.k.a legacy ioctl behavior). Programs that actually want to try and set without get will have to set a non zero fsx_xflags_mask to do something useful. I don't think this is great. I would rather that the first version of syscalls will require the mask and will always enforce filesystems supported flags. If you can get those patches (on top of current series) posted and reviewed in time for the next merge window, including consensus on the actual semantics, that would be the best IMO. But I am just preparing a plan B in case you do not have time to work on the patches or if consensus on the API extensions is not reached on time. I think that for plan B, the minimum is to verify zero pad field and that is something that this syscall has to do anyway, because this is the way that backward compact APIs work. If you want the syscall to always return -EINVAL for setting xflags that are currently undefined I agree that would be nice as well. Thanks, Amir.
Powered by blists - more mailing lists