Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1331456imm;
        Fri, 27 Jul 2018 15:34:24 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfK9NvNNUAN52CmI3xkz39wGJLktIhDhExOWIkucYFzX1OP5Syx/SPC6p2JL92SL6p1xR/m
X-Received: by 2002:a62:464f:: with SMTP id t76-v6mr8421654pfa.118.1532730864283;
        Fri, 27 Jul 2018 15:34:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532730864; cv=none;
        d=google.com; s=arc-20160816;
        b=FfiyU9LjmnqMsY3/EbNKTgdRy+bDvrc6EphzCcxa5+efCzzau9rreemoHB2zAEGlHo
         xB7bT2qcFW/pOTH3JdNplLKeT1mXS64cDp0W54QBa3A7qxfnJsJgd4yE7WM/hnLkzmxr
         goE47taC1xPHRyZfednMsjyBHKSGdIvWSyV04kQRqW1ZFHbx7I9+BYy+5uumxd02pl2w
         xhAbkRHmMwIoYB1OmyvM5TVryhyHjhL7+HFEB7agBXQc3tU0SupseMwXXWempWVZEUQv
         kaFGqTB6N96R9CgdB2wcQxGUIzFdu9eMVKCwtCEhK2B+yr/a1g8vbYFVEOGR8UwkDNja
         DRfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=mn/STYWo5cyHfiNV7ZgAvo/Pn8J0sWwTzWclIs1kjdo=;
        b=oAOwFLDYC6F3HxRIW4zC/FtcS9x34dQUwpqmsAmu0d2zjXzRBTF+8/5ZN7R4fbENpU
         ucAVPScW9pYdkL8U+ne9AlEAL9FzfLgn4/aY4mJO2OObmW7vnQk5zk9c5ApY7qK1YxmF
         HFi7MkTsKw5wZ2vxTByb5+0PThdvbrxjnPc0FOJHfACbd4oI9dQfdo77TXY68k4wQ//p
         Lm6tQ5OgctdxEuUD42yFeI4Mruo9FtWyilO/9HBv0ij6T4jbt7xBTmwyWWqSsvz4CgZk
         27RMSPi2A3OMlC5N1i0Qwhb3D5q4av/K2IN4kjMNuhoxgBVMqt6vY4D8HrOlPXqOe1lO
         +amw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VpIYtGmZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k23-v6si4551793pgl.633.2018.07.27.15.34.09;
        Fri, 27 Jul 2018 15:34:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=VpIYtGmZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388922AbeG0X5T (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Fri, 27 Jul 2018 19:57:19 -0400
Received: from mail-oi0-f68.google.com ([209.85.218.68]:34791 "EHLO
        mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388527AbeG0X5T (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 27 Jul 2018 19:57:19 -0400
Received: by mail-oi0-f68.google.com with SMTP id 13-v6so11739276ois.1
        for <linux-kernel@vger.kernel.org>; Fri, 27 Jul 2018 15:33:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=mn/STYWo5cyHfiNV7ZgAvo/Pn8J0sWwTzWclIs1kjdo=;
        b=VpIYtGmZ0OIQDOYNOgiECMHtrzb54FZYE5+D5ugs2cC5Lkmh6p6Eud/b+2qXQHnVVT
         JGc9Pws7Q548IWKhI8ivvB2Wdzlh4tz11lg03pstuOh3ED8/YXw06kcv4JCv3RtBfUSO
         v17c7Zt9RvzoUoPgjDdJ66Fq1g9R2k+s1Ygzu9ilfOpwyD/D25YaczYzM1mbPPCYRT19
         7iq5fRDoiRt1JruV23Zjz/WXosvI5kJ5m3s4zlbLOB6Qj1kfarJoU6wpbh7dL/Bx+QxD
         NvdaQmvdTQd5IpwDzZ/vBzAo40AX9DonLQV0AuWKgw3U2qIB1cDsFZhiZ1aIvx3nBUPG
         bmtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=mn/STYWo5cyHfiNV7ZgAvo/Pn8J0sWwTzWclIs1kjdo=;
        b=qAVA5uFQVTIk7uTD7IkTH8Hr1KsvyUZIGUtpbJjwN+XpUpKmezRfdWOrN5ZPL3GrxQ
         EDUcPsEb3g6YdJlhzKTDN2hcJ2q9r84b6BvpidWFQegppNRZ43nPVNYFEupuO00zt5hV
         0m6kBVuorcdrdvm4RE5+FcnBf59yA1hjxe8y/h8VTRiBO+JuAiC7FG1LNh26QudxloqL
         GDPXiH3QFoKSTA70pK7sVA57D6xiY2NbIY/zeK66+26C/wmGZ1e5X4MekTZGWbKvFNVq
         QzRDnWreNvH0tVQ03kOlN44gDgWnSVy5uaGSe+hikz0cYxPz3vtyABJpvYaaCqNwoEqX
         uMxA==
X-Gm-Message-State: AOUpUlF0ToTSS40RvXg15iK1daVOVVxuprybMd0wzzQav6GXIbdtVauY
        dTivOFviGCSVO2pnoN1E+nFWoh8x6FltfiG1TJEcYQ==
X-Received: by 2002:aca:e089:: with SMTP id x131-v6mr7912904oig.221.1532730800385;
 Fri, 27 Jul 2018 15:33:20 -0700 (PDT)
MIME-Version: 1.0
References: <153271267980.9458.7640156373438016898.stgit@warthog.procyon.org.uk>
 <153271287586.9458.6001928723332685410.stgit@warthog.procyon.org.uk>
In-Reply-To: <153271287586.9458.6001928723332685410.stgit@warthog.procyon.org.uk>
From:   Jann Horn <jannh@google.com>
Date:   Sat, 28 Jul 2018 00:32:53 +0200
Message-ID: <CAG48ez2f+J+UeFN0u1Hpfq3tFXJbi7ckts8sua3eY4jDwnh6-Q@mail.gmail.com>
Subject: Re: [PATCH 29/38] vfs: syscall: Add fsconfig() for configuring and
 managing a context [ver #10]
To:     David Howells <dhowells@redhat.com>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Linux API <linux-api@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        linux-fsdevel@vger.kernel.org,
        kernel list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 7:34 PM David Howells <dhowells@redhat.com> wrote:
>
> Add a syscall for configuring a filesystem creation context and triggering
> actions upon it, to be used in conjunction with fsopen, fspick and fsmount.
>
>     long fsconfig(int fs_fd, unsigned int cmd, const char *key,
>                   const void *value, int aux);
>
> Where fs_fd indicates the context, cmd indicates the action to take, key
> indicates the parameter name for parameter-setting actions and, if needed,
> value points to a buffer containing the value and aux can give more
> information for the value.
[...]
> +SYSCALL_DEFINE5(fsconfig,
> +               int, fd,
> +               unsigned int, cmd,
> +               const char __user *, _key,
> +               const void __user *, _value,
> +               int, aux)
> +{
[...]
> +       switch (cmd) {
[...]
> +       case fsconfig_set_binary:
> +               if (!_key || !_value || aux <= 0 || aux > 1024 * 1024)
> +                       return -EINVAL;
> +               break;
[...]
> +       }
> +
> +       f = fdget(fd);
> +       if (!f.file)
> +               return -EBADF;
> +       ret = -EINVAL;
> +       if (f.file->f_op != &fscontext_fops)
> +               goto out_f;

We should probably add an fdget_typed(fd, fops) helper, or something
like that, to file.h at some point... there are probably dozens of
such invocations across the kernel at this point, each one with a
couple lines of boilerplate to deal with the two separate error paths.

[...]
> +       case fsconfig_set_binary:
> +               param.type = fs_value_is_blob;
> +               param.size = aux;
> +               param.blob = memdup_user_nul(_value, aux);
> +               if (IS_ERR(param.blob)) {
> +                       ret = PTR_ERR(param.blob);
> +                       goto out_key;
> +               }
> +               break;

This means that a namespace admin (iow, an unprivileged user) can
allocate 1MB of unswappable kmalloc memory per userspace task, right?
Using userfaultfd or FUSE, you can then stall the task as long as you
want while it has that allocation. Is that problematic, or is that
normal?