| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <175080113326.2280845.18404947256630567790@noble.neil.brown.name> Date: Wed, 25 Jun 2025 07:38:53 +1000 From: "NeilBrown" <neil@...wn.name> To: Mickaël Salaün <mic@...ikod.net> Cc: "Song Liu" <song@...nel.org>, bpf@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, brauner@...nel.org, kernel-team@...a.com, andrii@...nel.org, eddyz87@...il.com, ast@...nel.org, daniel@...earbox.net, martin.lau@...ux.dev, viro@...iv.linux.org.uk, jack@...e.cz, kpsingh@...nel.org, mattbobrowski@...gle.com, m@...wtm.org, Günther Noack <gnoack@...gle.com> Subject: Re: [PATCH v5 bpf-next 0/5] bpf path iterator On Wed, 25 Jun 2025, Mickaël Salaün wrote: > On Fri, Jun 20, 2025 at 02:59:17PM -0700, Song Liu wrote: > > Hi Christian, Mickaël, and folks, > > > > Could you please share your comments on this version? Does this > > look sane? > > This looks good to me but we need to know what is the acceptable next > step to support RCU. If we can go with another _rcu helper, I'm good > with the current approach, otherwise we need to figure out a way to > leverage the current helper to make it compatible with callers being in > a RCU read-side critical section while leveraging safe path walk (i.e. > several calls to path_walk_parent). Can you spell out the minimum that you need? My vague impression is that you want to search up from a given strut path, no further then some other given path, looking for a dentry that matches some rule. Is that correct? In general, the original dentry could be moved away from under the dentry you find moments after the match is reported. What mechanisms do you have in place to ensure this doesn't happen, or that it doesn't matter? Would it be sufficient to have an iterator which reported successive ancestors in turn, or reported that you need to restart because something changed? Would you need to know that a restart happened or would it be acceptable to transparently start again at the parent of the starting point? Or do you really need a "one step at a time" interface? Do you need more complex movements around the tree, or is just walking up sufficient? If this has been discussed or documented elsewhere I'd be happy for you just to provide a reference, and I can come back with follow-up questions if needed. Thanks, NeilBrown > > > > > Thanks, > > Song > > > > On Mon, Jun 16, 2025 at 11:11 PM Song Liu <song@...nel.org> wrote: > > > > > > In security use cases, it is common to apply rules to VFS subtrees. > > > However, filtering files in a subtree is not straightforward [1]. > > > > > > One solution to this problem is to start from a path and walk up the VFS > > > tree (towards the root). Among in-tree LSMs, Landlock uses this solution. > > > > > > > [...] > > >
Powered by blists - more mailing lists