Received: by 10.192.165.148 with SMTP id m20csp4992042imm; Tue, 8 May 2018 19:27:17 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrvD3ZNqv2nGR3L5GvmeILJZy14ddoKkyWXmel2D0AIsR6db83foRsSrtfGbwfN6jWnqm93 X-Received: by 10.98.194.199 with SMTP id w68mr41813159pfk.174.1525832837031; Tue, 08 May 2018 19:27:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525832836; cv=none; d=google.com; s=arc-20160816; b=xN9JVUKYxPuQWNRNvU+Mui4vsokOB7ANPkZ0cKtupaJzs4RWwiMxo6wpyk+xghcS78 L69Usz7Le6FpKmBq9he5ly1QXv63OxLjwRZFHfH8ZYF4wSOlY9IIDjhYKkUykjW3zA/k gE1Xbbqq+b1LH3+0zvd+Xv/5C1wBDT97TZu7N29/GwkIGKwHHx4G/WGQAuAiStQ3h1zb DvpFxKfHHCTAx0h9q+qOwZ8WiTfglClAfWuDHNWE8cQohyeUIgJb7jYSHbDcJIhIwLx3 bgVb6idgVdpK1lVyu07k/diuJq1QMtkWfdQDRwtJxamYGnJpzCHXG3K9L/DUTfHrCha4 C+aA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=ig51Vxl5gNbPaacdhxrwaNpBfMHnt0WKLu5JF2ZEGfE=; b=w70pe6ELSlidkuDa+jKDDzrSVT70M3Ml+EPLCCFCQU3NgdZ3is2m8uE5dpVVbXRb5J WFkdRTcmkaLRyltS16mP5AUva9jKybJUQL/SBLMbWyARDEIlcGJINBhR0v2Nzp+/O972 70WBY5cfb3HmSzJz6xPMi90HtqL9lXsRMu/LFaprZjjSXlTUWS03F1ZnehRdNIE4RX0M NxQOr6AkWvs5ryZON5C1vB5NIduK0L+iqOYtmzM5Q3Yl5XNaeVrV1WEXT59XIlfFmA/m pd+SF9I/DBxphm2jWqTMx1GfDS/DM+NCutxp+/EvUvuZKIE1dXpzM9vAIitqRNiZDoR0 g4lQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=he4SnP4U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y73-v6si20812694pgd.390.2018.05.08.19.27.02; Tue, 08 May 2018 19:27:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=he4SnP4U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933590AbeEICZj (ORCPT + 99 others); Tue, 8 May 2018 22:25:39 -0400 Received: from mail-pg0-f65.google.com ([74.125.83.65]:39747 "EHLO mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932526AbeEICZd (ORCPT ); Tue, 8 May 2018 22:25:33 -0400 Received: by mail-pg0-f65.google.com with SMTP id e1-v6so10629027pga.6; Tue, 08 May 2018 19:25:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=ig51Vxl5gNbPaacdhxrwaNpBfMHnt0WKLu5JF2ZEGfE=; b=he4SnP4UM6EkPigTa1t3d4FHTlg1kqh8LJ3W9zR05LSB550c5fZ9Na/+DCsQPtNBPv M+xiAYwdYQDL4VtSz/crSOTVIBjHXns/Ewkg4QXTJmsDmjYk8EE5tStXQQoTs4iAUqIo ur5crFLDqGRory/DUvKorYZ1Ga+2Ww57gNQ20x+5uTBx6Lxv1uV83sl439R1CrZ1UQi3 9a0cpMtchl3zVHjKKMq21Uh8muX55xkHQw5lCf7XzbXCYiPGgzZqw82EIgwtoDgodzvA goHP67qv0SKtZ40pmFcrJ0lnLUWnINd3havJW6wtWM/vVUwTPlE4iihKOqRm+9ndyG6O yVTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ig51Vxl5gNbPaacdhxrwaNpBfMHnt0WKLu5JF2ZEGfE=; b=U9Tk8DUF2NyCPosK0ZI9M7qNPVuuCMe/GiqV+OQb5Em7W6SM6CnDTMFx5AHEU2OGf1 M55DCfxan1wLyzH7qrMmaAZVl9A7VG7Y5yScia265YXIk1+Q1Bh/nd7UghRXHTH/4FNO ogv7uwhlWyaCTrM7YDQ415OAwCarEj7zOG87udOn3K8eA2yRqi/cfrfACIWLn6pEMfXt E4majzGPlxNF93WW0GciY/qKzK26rr0OUFGDDjHZQaCiRLj1y7Hd8dtHSK4M2Z5A0aDV prWYf9xl7KMIQYQlbEmD+ZuPC4leOPHqIumMqK42OLNW/yTsfFLB5DzGkBoORhk7RMEC fqaQ== X-Gm-Message-State: ALQs6tB+Q03shsse7eZGPm8rKZ+SalUHvN7ljXY1xg/gikINR03vY3zz Ec9ROyzUfTen+zux1R+Ozb0= X-Received: by 2002:a63:7419:: with SMTP id p25-v6mr14462842pgc.13.1525832732468; Tue, 08 May 2018 19:25:32 -0700 (PDT) Received: from ast-mbp ([2620:10d:c090:180::1:917f]) by smtp.gmail.com with ESMTPSA id w19-v6sm37893766pgv.59.2018.05.08.19.25.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 May 2018 19:25:31 -0700 (PDT) Date: Tue, 8 May 2018 19:25:28 -0700 From: Alexei Starovoitov To: "Luis R. Rodriguez" Cc: Eric Paris , Matthew Auld , Josh Triplett , "Kirill A. Shutemov" , Joonas Lahtinen , Chris Wilson , Stephen Smalley , "Eric W. Biederman" , Mimi Zohar , Alexei Starovoitov , davem@davemloft.net, daniel@iogearbox.net, torvalds@linux-foundation.org, gregkh@linuxfoundation.org, luto@amacapital.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com, Al Viro , David Howells , Kees Cook , Andrew Morton , Dominik Brodowski , Hugh Dickins , Jann Horn , Jani Nikula , Rodrigo Vivi , David Airlie , "Rafael J. Wysocki" , Linux FS Devel , pjones@redhat.com, mjg59@google.com, linux-security-module , linux-integrity@vger.kernel.org Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper Message-ID: <20180509022526.hertzfpvy7apz6ny@ast-mbp> References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-2-ast@kernel.org> <20180504195642.GB12838@wotan.suse.de> <20180505013710.2fb2k6e5uotd22kr@ast-mbp> <20180507183931.GV27853@wotan.suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180507183931.GV27853@wotan.suse.de> User-Agent: NeoMutt/20180223 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 07, 2018 at 06:39:31PM +0000, Luis R. Rodriguez wrote: > > > Are you saying make 'static struct vfsmount *shm_mnt;' > > global and use it here? so no init_tmpfs() necessary? > > I think that can work, but feels that having two > > tmpfs mounts (one for shmem and one for umh) is cleaner. > > No, but now that you mention it... if a shared vfsmount is not used the > /sys/kernel/mm/transparent_hugepage/shmem_enabled knob for using huge pages > would not be followed for umh modules. For the i915 driver this was *why* > they ended up adding shmem_file_setup_with_mnt(), they wanted huge pages to > support huge-gtt-pages. What is the rationale behind umh.c using it for > umh modules? > > Users of shmem_kernel_file_setup() spawned later out of the desire to > *avoid* LSMs since it didn't make sense in their case as their inodes > are never exposed to userspace. Such is the case for ipc/shm.c and > security/keys/big_key.c. Refer to commit c7277090927a5 ("security: shmem: > implement kernel private shmem inodes") and then commit e1832f2923ec9 > ("ipc: use private shmem or hugetlbfs inodes for shm segments"). > > In this new umh usermode modules case we are: > > a) actually mapping data already extracted by the kernel somehow from > a file somehow, presumably from /lib/modules/ path somewhere, but > again this is not visible to umc.c, as it just gets called with: > > fork_usermode_blob(void *data, size_t len, struct umh_info *info) > > b) Creating the respective tmpfs file with shmem_file_setup_with_mnt() > with our on our own shared struct vfsmount *umh_fs. > > c) Populating the file created and stuffing it with our data passed > > d) Calling do_execve_file() on it. > > Its not clear to me why you used shmem_file_setup_with_mnt() in this case. What > are the gains? It would make sense to use shmem_kernel_file_setup() to avoid an > LSM check on step b) *but* only if we already had a proper LSM check on step > a). > > I checked how you use fork_usermode_blob() in a) and in this case the kernel > module bpfilter would be loaded first, and for that we already have an LSM > check / hook for that module. From my review then, the magic done on your > second patch to stuff the userspace application into the module should be > irrelevant to us from an LSM perspective. > > So, I can see a reason to use shmem_kernel_file_setup() but not I cannot > see a reason to be using shmem_file_setup_with_mnt() at the moment. That's a good idea. I will switch to using shmem_kernel_file_setup(). I guess I can use kernel_write() as well instead of populate_file(). I wonder why i915 had to use pagecache_write_begin() and the loop instead of kernel_write()... The only reason to copy into tmpfs file is to make that memory swappable. All standard shmem knobs should apply. > > > > +{ > > > > + size_t offset = 0; > > > > + int err; > > > > + > > > > + do { > > > > + unsigned int len = min_t(typeof(size), size, PAGE_SIZE); > > > > + struct page *page; > > > > + void *pgdata, *vaddr; > > > > + > > > > + err = pagecache_write_begin(file, file->f_mapping, offset, len, > > > > + 0, &page, &pgdata); > > > > + if (err < 0) > > > > + goto fail; > > > > + > > > > + vaddr = kmap(page); > > > > + memcpy(vaddr, data, len); > > > > + kunmap(page); > > > > + > > > > + err = pagecache_write_end(file, file->f_mapping, offset, len, > > > > + len, page, pgdata); > > > > + if (err < 0) > > > > + goto fail; > > > > + > > > > + size -= len; > > > > + data += len; > > > > + offset += len; > > > > + } while (size); > > > > > > Character for character, this looks like a wonderful copy and paste from > > > i915_gem_object_create_from_data()'s own loop which does the same exact > > > thing. Perhaps its time for a helper on mm/filemap.c with an export so > > > if a bug is fixed in one place its fixed in both places. > > > > yes, of course, but not right now. > > Once it all lands that will be the time to create common helper. > > It's not a good idea to mess with i915 in one patch set. > > Either way works with me, so long as its done. Will be gone due to switch to kernel_write(). > > > > > +int fork_usermode_blob(void *data, size_t len, struct umh_info *info) > > > > > > Please use umh_fork_blob() > > > > sorry, no. fork_usermode_blob() is much more descriptive name. > > Prefixing new umh.c symbols with umh_*() makes it very clear this came from > kernel/umh.c functionality. I've been dealing with other places in the kernel > that have conflated their own use of kernel/umh.c functionality what they > expose in both code and documentation, and correcting this has taken a long > time. Best avoid future confusion and be consistent with new exported symbols > for umc.c functionality. There is no confusion today. The most known umh api is a family of call_usermodehelper*() In this case it's not a 'call', it's a 'fork', since part of kernel module being forked as user mode process. I considered naming this function fork_usermodehelper(), but it's also not quite correct, since 'user mode helper' has predefined meaning of something that has the path whereas here it's a blob of bytes. Hence fork_usermode_blob() is more accurate and semantically correct name, whereas umh_fork_blob() is not. Notice I no longer call these new kernel modules as 'umh modules', since that's the wrong name for the same reasons. They are good ol' kernel modules. The new functionality allowed by this patch is: forking part of kernel module data as user mode process. A lot of umh logic is reused, but 'user mode helpers' and 'user mode blobs' are distinct kernel features. > I don't even want to test USB, I am just interesting in the *very* *very* > basic aspects of it. A simple lib/test_umh_module.c would do with a respective > check that its loaded, given this is a requirement from the API. It also helps > folks understand the core basic knobs without having to look at bfilter code. I agree that lib/test_usermode_blob.c must be available eventually. Right now we cannot add it to the tree, since we need to figure how interface between kernel and usermode_blob will work based on real world use case of bpfilter. Once it gets further along that would be the time to say: "look, here is the test for fork_usermode_blob() and here how others (usb drivers) can and should use it". Today is not the right time to fix the api. Such lib/test_usermode_blob.c would have to be constantly adjusted as we tweak bpfilter side becoming unnecessary burden of us bpfilter developers. Everyone really need to think of these patches as work in progress and internal details and api of fork_usermode_blob() will change.