Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2333614imm; Tue, 10 Jul 2018 18:34:30 -0700 (PDT) X-Google-Smtp-Source: AAOMgpf8SpnOqeLwNOMoDGwTjNPKuFRAbYCW0Jqh2HQ+v0AoG2ZwD2Og7fBU73cguhvlGhb3F0q8 X-Received: by 2002:a62:4494:: with SMTP id m20-v6mr27835744pfi.205.1531272870796; Tue, 10 Jul 2018 18:34:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531272870; cv=none; d=google.com; s=arc-20160816; b=YF5P7DKuuYlVLisC7nDiven6P0cbtt+Isrjp14n0OMtmTiQnRAPKj8qd6zh1EmHBSi GLCk+mgAHo6g0UqIRSqGjimG1u/PCLmgahN04Ra5HaPQ4efwFie6E8btDO1zdlI8exCN KRMbaBuY2hyMhYBhBx7RJa2Jjl2oduobzyUTEae/XlZYtCDcQnccjA/v0i0Jjdzk0LU8 94muQME0eYEgz6kCDP2K04sXuc8WHYBDvuPoRWhqdkmP144UiZ2SlWuPq/4MZQd9s69K xbgeraXuMiWDnt/C6uEVFOIHlYQ9O49uGL5YseiYikH83ryCxo9/pw8ANhsZvPqGQxtq Xz9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:arc-authentication-results; bh=arrdT1A2RX6lmf9YbD/Ac5mq2miH9qHvOV6YtC1j7zM=; b=Uc9tc9Ei7EGLZ8ZDPLAhjAfmz7P9ctqsbrKKGxVfVFEDAmi0pxr0aCtx0Hv4vfqDL3 ZIhoAAERv7mHiV+BX9w/LxxS3lYHJFxdB31HcN3HjA3Zp/u5X5xKu324xFbCBsJtmUyp cE/xSXKEiAJs+1aKQ7MRrnhi2u6rSdn/QpCnN0P1DM4I/+XOy+irsEf0LaIyed3l+c6g d5TS+KRpQB5vGH0C9R35FZBtp8yqQXsDzAYEiHOlRmU9pAi70gSuXENCyW8kH/Jz5IdT KDi6Vutl9jmeEaHhXKhazVunFWjoN7fKbSCfthXydOcojbfbFhkVuhB0AX5TnKC3cjaj Xo9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1HueN9Lr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u76-v6si20500083pfj.58.2018.07.10.18.34.14; Tue, 10 Jul 2018 18:34:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1HueN9Lr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732376AbeGKBf1 (ORCPT + 99 others); Tue, 10 Jul 2018 21:35:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:34872 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732330AbeGKBf0 (ORCPT ); Tue, 10 Jul 2018 21:35:26 -0400 Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7BFB420C0B for ; Wed, 11 Jul 2018 01:33:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1531272818; bh=+au7OntvqVVuVHhw5ec4CQ5+HFIy9XBFAh1TdysroFU=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=1HueN9LrIVfD16HH+HWWhc4pX9d5QnG7A+nFud98ZVK53uwabuS7SsTH/jTWvULgO L32gVvotuwQhANVc6OUkrplJXNleoAg/J0gtsk2OnHSp6Dc7YxNSFJnPPpRmAmKRqC Ipl0QXBCYu5AEe+8/B2uS7BwPAP5rqr6HrPNeZOk= Received: by mail-wm0-f41.google.com with SMTP id 69-v6so790556wmf.3 for ; Tue, 10 Jul 2018 18:33:38 -0700 (PDT) X-Gm-Message-State: APt69E0dSDexqmOFuX+51KUhiWvmSexPDeVZHbJYO1Pq9BoE+dpktRwY lKa5IZuuKGT3xSXJWGOyct7e8YnEa10mQ5K66sYHsQ== X-Received: by 2002:a1c:34c9:: with SMTP id b192-v6mr16964990wma.21.1531272816921; Tue, 10 Jul 2018 18:33:36 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1c:d548:0:0:0:0:0 with HTTP; Tue, 10 Jul 2018 18:33:16 -0700 (PDT) In-Reply-To: <20180711011520.GL30522@ZenIV.linux.org.uk> References: <153126248868.14533.9751473662727327569.stgit@warthog.procyon.org.uk> <153126264966.14533.3388004240803696769.stgit@warthog.procyon.org.uk> <686E805C-81F3-43D0-A096-50C644C57EE3@amacapital.net> <20180711011520.GL30522@ZenIV.linux.org.uk> From: Andy Lutomirski Date: Tue, 10 Jul 2018 18:33:16 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 24/32] vfs: syscall: Add fsopen() to prepare for superblock creation [ver #9] To: Al Viro Cc: Linus Torvalds , David Howells , Linux API , linux-fsdevel , Linux Kernel Mailing List , Jann Horn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 10, 2018 at 6:15 PM, Al Viro wrote: > On Tue, Jul 10, 2018 at 06:05:49PM -0700, Linus Torvalds wrote: >> Yeah, Andy is right that we should *not* make "write()" have side effect= s. >> >> Use it to queue things by all means, but not "do" things. Not unless >> there's a very sane security model. >> >> On Tue, Jul 10, 2018 at 4:59 PM Andy Lutomirski wr= ote: >> > >> > I think the right solution is one of: >> > >> > (a) Pass a netlink-formatted blob to fsopen() and do the whole thing i= n one syscall. I don=E2=80=99t mean using netlink sockets =E2=80=94 just th= e nlattr format. Or you could use a different format. The part that matter= s is using just one syscall to do the whole thing. >> >> Please no. Not another nasty marshalling thing. >> >> > (b) Keep the current structure but use a new syscall instead of write(= ). >> > >> > (c) Keep using write() but literally just buffer the data. Then have a= new syscall to commit it. In other words, replace =E2=80=9Cx=E2=80=9D wit= h a syscall and call all the fs_context_operations helpers in that context = instead of from write(). >> >> But yeah, b-or-c sounds fine. > > Umm... How about "use credentials of opener for everything"? If you want to audit every single filesystem for any code that uses credentials for anything and add all the right kernel APIs and make sure the filesystem uses them and somehow keep screwups from getting added down the line, then okay I guess. As far as I know, we don't even *have* an API for "open this device node using this struct cred *". I kind of want to add a hack to set some poison bit in current->cred in sys_write() and clear it on the way out. Sigh. --Andy