Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp324744imm; Thu, 14 Jun 2018 21:20:08 -0700 (PDT) X-Google-Smtp-Source: ADUXVKK4DaKu6BMvsxbrVbn1PuZTwFzlma3qpXS/Q0R2GPsQH8XODyn76QlahYnk4B8CedW4GFya X-Received: by 2002:a62:8d5:: with SMTP id 82-v6mr84796pfi.154.1529036408679; Thu, 14 Jun 2018 21:20:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529036408; cv=none; d=google.com; s=arc-20160816; b=bPgqjB5LJR013Dq4IRM9giwf6jmV5tUmEcWxNNEDppIPEr4buZVOS8FeRPFezJvhvR FJvA+aJIMgzQxbCGyhuBYA2QR+PXn6PlkUqF80ec7ebA3TNKfQ7XFH0dMr+A85gPifyD aFo3zkEckGhbGHrV3SzOoI06vSXvFFh1v+rJYeNm9EWxFlR45cHT8O34T+5daJREKYgY rpYDFll+pSoC87aaopALazkSJGCDfgGLi8TPDU1CAv/CSSGeNO5j2QVYELm0Tae6F5DZ jmBYb1AeVMhP0L4DkBT536FNqfc77EfQ0lnf5fI9ZHuWMUcbd2s5fv3bSDEnoUHZnZHT Jrzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from :arc-authentication-results; bh=5rgwD5l7uFjps1sDrz0ILJoK/dJZFxaTLjMXdilUnw8=; b=Z4J2EVGBe0l4eW0VnNm333EHvs3+5/2SpPFk59ZiwaiK9Vn8UjekfeAQTWl6mfUu+P MbcyU6YAgFwTE8fqwqNRwPpxrbFZGhPSxVNi5ex0eDD9j//vWK9fxarj3cFHuJsO1Q2l vG/+6FmXOrjkpWKEen6cGjxzxyHVw6gdjAcTMWJ7pjILQXPtINJ2wGLwvyx9gufG9kOH T1rk73V3zIHPCrzVLwbgJU58DdxLcwFV+JjGfPQrsXyFoBd2ddtbkVIaVFM7wDf+Y1Cz yd7UoCbbxAhn5LD0ADhkZvYlP1tvi1Jnk+vzpFIGOX/pi6SycxoyQePevdIdhsqcMN/Z ECnQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c2-v6si5590225pgp.134.2018.06.14.21.19.40; Thu, 14 Jun 2018 21:20:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754735AbeFOETJ (ORCPT + 99 others); Fri, 15 Jun 2018 00:19:09 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:60455 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750890AbeFOETH (ORCPT ); Fri, 15 Jun 2018 00:19:07 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fTgCS-0008GM-Cn; Thu, 14 Jun 2018 22:19:00 -0600 Received: from 97-119-124-205.omah.qwest.net ([97.119.124.205] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fTgCR-0002Bg-J1; Thu, 14 Jun 2018 22:19:00 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: David Howells Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org References: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> Date: Thu, 14 Jun 2018 23:18:50 -0500 In-Reply-To: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> (David Howells's message of "Fri, 25 May 2018 01:05:23 +0100") Message-ID: <87in6kptqt.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1fTgCR-0002Bg-J1;;;mid=<87in6kptqt.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=97.119.124.205;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/tEwAtKhk/Ea2JRa3ATONR1uVuVu3AQkY= X-SA-Exim-Connect-IP: 97.119.124.205 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa04.xmission.com X-Spam-Level: ** X-Spam-Status: No, score=2.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,T_XMDrugObfuBody_14, XMNoVowels,XMSubLong autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.2 T_XMDrugObfuBody_14 obfuscated drug references X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;David Howells X-Spam-Relay-Country: X-Spam-Timing: total 321 ms - load_scoreonly_sql: 0.07 (0.0%), signal_user_changed: 4.3 (1.3%), b_tie_ro: 2.9 (0.9%), parse: 1.48 (0.5%), extract_message_metadata: 6 (1.9%), get_uri_detail_list: 3.3 (1.0%), tests_pri_-1000: 6 (1.9%), tests_pri_-950: 1.85 (0.6%), tests_pri_-900: 1.48 (0.5%), tests_pri_-400: 28 (8.8%), check_bayes: 27 (8.4%), b_tokenize: 10 (3.2%), b_tok_get_all: 8 (2.5%), b_comp_prob: 3.6 (1.1%), b_tok_touch_all: 2.9 (0.9%), b_finish: 0.80 (0.2%), tests_pri_0: 251 (78.1%), check_dkim_signature: 0.84 (0.3%), check_dkim_adsp: 5 (1.6%), tests_pri_500: 7 (2.3%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 00/32] VFS: Introduce filesystem context [ver #8] X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org David Howells writes: > Here are a set of patches to create a filesystem context prior to setting > up a new mount, populating it with the parsed options/binary data, creating > the superblock and then effecting the mount. This is also used for remount > since much of the parsing stuff is common in many filesystems. Dave, I have read through these patches and I noticed a significant issue. Today in mount_bdev we do something that looks like: mount_bdev(...) { s = sget(..., bdev); if (s->s_root) { /* Noop */ } else { err = fill_super(s, ...); if (err) { deactivate_locked_super(s); return ERR_PTR(err); } s->s_flags |= SB_ATTIVE; bdev->bd_super = s; } return dget(s->s_root); } The key point is that we don't process the mount options at all if a super block already exists in the kernel. Similar to what your fscontext changes are doing (after parsing the options). Your fscontext changes do not improve upon this area of the mount api at all and that concerns me. This is an area where people can and already do shoot themselves in their feet. The real world security issue we had in with this involved devpts. The devpts filesystem requires the mode and gid parameters for new ttys to be specified to be posix compliant. People were setting up chroot environments and mounting devpts with the wrong arguments. As these two devpts mounts shared a super block a change of arguments on one was a change of arguments on the other. Which mean the chroots were periodically breaking the primary devpts and causing new terminals to be opened with essentially unusable permissions. Fun when you are trying to ssh in to a box. Creating a new mount and finding an old mount are the same operation in the kernel today. This is fundamentally confusing. In the new api could we please separate these two operations? Perhaps someting like: x create x find With the "x create" case failing if the filesystem already exists, still allowing "x find"? And with the "x find" case failing if the superblock is not already created in the kernel. That should make it clear to a userspace program what is going on and give it a chance to mount a filesystem anyway. In a similar vein could we please clarify the rules for changing mount options for an existing superblock are in the new api? Today mount assumes that it has to provide all of the existing options to reconfigure a mount. What people want to do and what most filesystems support is just specifying the options that need to be changed. Can we please make this the rule of how this are expected to work for fscontext? That only changing mount options need to be specified before: "x reconfigure" Eric