Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp5342413iob; Mon, 9 May 2022 14:17:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxV4jAZ+A/0Di+WYgeP/KHyAtXhzwWGp2NyeWcQ7x6D9qSR6lxKPeGpEIRGi7JQQ6anxqBx X-Received: by 2002:a17:906:9c82:b0:6e1:2c94:1616 with SMTP id fj2-20020a1709069c8200b006e12c941616mr16464490ejc.64.1652131038169; Mon, 09 May 2022 14:17:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652131038; cv=none; d=google.com; s=arc-20160816; b=DQ/FOu2G9EVXp1hd2ahec/CbdeHLZAXbKbP8kcnr/Lp0zQDMk7J34Pn3+YSgM3HYPY TBq6/T4kR7HdJ0/YsoM6J8caPNmqlwpsDCnziC8xauOFuAntmUMeU+vAlUnVIiL6wzIl zBJJPf4ZhZgQwL9tDl8qwZ5XAqjg86c3zVDxkJ0P5G2yawqsJa2ygTaKCPISbg4aXuuo oZqbqZbjJ8q7ZQ8dkCJX7x6Bl30BIqxRRhIoCB8POF6CtrZ/0uZq3Guy8q4FQiQZ9YbI DsU4ARJEP/lq+UK0qXrgM2ZvxnXR9uqMQZqfL1hcgoavLPdES93qTZiRTyUx7vcxsgBU yhAg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=RsmhEkAgEyXfOYElK9/fvwLkbJDVPOt4f4VPAqCU69M=; b=zjyXCVWCBK31f3/rln9VSpIxlohu8sSeJIjV1GBqfI0h2YKq7zBmP0OF6AF5LjZwNY P8+5cYugsKkpY1jQAmvoP+Rva1Ym0LtwfrZxt2YyOQM3WM/+eBnr3B68e2GwAHZuLuZn qWu8mFJeLBgJPP630I/ip6AqnmO+n6OoUqJT6yS/I50oJ+ivNnuCW0xPPYMifVBt0Cs/ 5J+hnSTnZja3hTjL8Ah9yC2OOEThxRQ63EUIfBfqc98zjKiM4T12CIe6ohORVSJSoKWv WNY9DO8V061/mZBHYw9thtFgy/oxiYLz2N9LcuigzWFeGuy+mXlxpChq1Cj+/UcEOHKl IdHw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y71-20020a50bb4d000000b00425d68387ccsi12571834ede.369.2022.05.09.14.16.54; Mon, 09 May 2022 14:17:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229507AbiEIUk1 (ORCPT + 99 others); Mon, 9 May 2022 16:40:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60948 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229553AbiEIUkS (ORCPT ); Mon, 9 May 2022 16:40:18 -0400 Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 143E920BD7; Mon, 9 May 2022 13:36:19 -0700 (PDT) Received: by mail.hallyn.com (Postfix, from userid 1001) id 3A8D89E3; Mon, 9 May 2022 15:36:18 -0500 (CDT) Date: Mon, 9 May 2022 15:36:18 -0500 From: "Serge E. Hallyn" To: "Serge E. Hallyn" Cc: Stefan Berger , linux-integrity@vger.kernel.org, zohar@linux.ibm.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, jpenumak@redhat.com, Christian Brauner , John Johansen , Matthew Garrett , Micah Morton , Kentaro Takeda , Jarkko Sakkinen Subject: Re: [PATCH v12 01/26] securityfs: rework dentry creation Message-ID: <20220509203618.GA31408@mail.hallyn.com> References: <20220420140633.753772-1-stefanb@linux.ibm.com> <20220420140633.753772-2-stefanb@linux.ibm.com> <20220509195414.GA30894@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220509195414.GA30894@mail.hallyn.com> User-Agent: Mutt/1.9.4 (2018-02-28) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 09, 2022 at 02:54:14PM -0500, Serge E. Hallyn wrote: > On Wed, Apr 20, 2022 at 10:06:08AM -0400, Stefan Berger wrote: > > From: Christian Brauner > > > > When securityfs creates a new file or directory via > > securityfs_create_dentry() it will take an additional reference on the > > newly created dentry after it has attached the new inode to the new > > dentry and added it to the hashqueues. > > If we contrast this with debugfs which has the same underlying logic as > > securityfs. It uses a similar pairing as securityfs. Where securityfs > > has the securityfs_create_dentry() and securityfs_remove() pairing, > > debugfs has the __debugfs_create_file() and debugfs_remove() pairing. > > > > In contrast to securityfs, debugfs doesn't take an additional reference > > on the newly created dentry in __debugfs_create_file() which would need > > to be put in debugfs_remove(). > > > > The additional dget() isn't a problem per se. In the current > > implementation of securityfs each created dentry pins the filesystem via > > Is 'via' an extra word here or is there a missing word? > > I'll delay the rest of my response as the missing word may answer my > remaining question :) > > > until it is removed. Since it is virtually guaranteed that there is at > > least one user of securityfs that has created dentries the initial > > securityfs mount cannot go away until all dentries have been removed. > > > > Since most of the users of the initial securityfs mount don't go away > > until the system is shutdown the initial securityfs won't go away when > > unmounted. Instead a mount will usually surface the same superblock as > > before. The additional dget() doesn't matter in this scenario since it > > is required that all dentries have been cleaned up by the respective > > users before the superblock can be destroyed, i.e. superblock shutdown > > is tied to the lifetime of the associated dentries. > > > > However, in order to support ima namespaces we need to extend securityfs > > to support being mounted outside of the initial user namespace. For > > namespaced users the pinning logic doesn't make sense. Whereas in the > > initial namespace the securityfs instance and the associated data > > structures of its users can't go away for reason explained earlier users > > of non-initial securityfs instances do go away when the last users of > > the namespace are gone. > > > > So for those users we neither want to duplicate the pinning logic nor > > make the global securityfs instance display different information based > > on the namespace. Both options would be really messy and hacky. > > > > Instead we will simply give each namespace its own securityfs instance > > similar to how each ipc namespace has its own mqueue instance and all > > entries in there are cleaned up on umount or when the last user of the > > associated namespace is gone. > > > > This means that the superblock's lifetime isn't tied to the dentries. > > Instead the last umount, without any fds kept open, will trigger a clean > > shutdown. But now the additional dget() gets in the way. Instead of > > being able to rely on the generic superblock shutdown logic we would > > need to drop the additional dentry reference during superblock shutdown > > for all associated users. That would force the use of a generic > > coordination mechanism for current and future users of securityfs which > > is unnecessary. Simply remove the additional dget() in > > securityfs_dentry_create(). > > > > In securityfs_remove() we will call dget() to take an additional > > reference on the dentry about to be removed. After simple_unlink() or > > simple_rmdir() have dropped the dentry refcount we can call d_delete() > > which will either turn the dentry into negative dentry if our earlier > > dget() is the only reference to the dentry, i.e. it has no other users, > > or remove it from the hashqueues in case there are additional users. > > > > All of these changes should not have any effect on the userspace > > semantics of the initial securityfs mount. > > > > Signed-off-by: Christian Brauner > > Cc: John Johansen > > Cc: Matthew Garrett > > Cc: Micah Morton > > Cc: Kentaro Takeda > > Cc: James Morris > > Cc: Jarkko Sakkinen > > Signed-off-by: Stefan Berger > > Reviewed-by: Mimi Zohar > > --- > > security/inode.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/security/inode.c b/security/inode.c > > index 6c326939750d..13e6780c4444 100644 > > --- a/security/inode.c > > +++ b/security/inode.c > > @@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode, > > inode->i_fop = fops; > > } > > d_instantiate(dentry, inode); > > - dget(dentry); > > inode_unlock(dir); > > return dentry; > > > > @@ -302,10 +301,12 @@ void securityfs_remove(struct dentry *dentry) > > dir = d_inode(dentry->d_parent); > > inode_lock(dir); > > if (simple_positive(dentry)) { > > + dget(dentry); > > if (d_is_dir(dentry)) > > simple_rmdir(dir, dentry); Hm, so I realize your patch isn't introducing this, but is the fact that we ignore the possible -ENOTEMPTY return value of simple_rmdir() not a problem? > > else > > simple_unlink(dir, dentry); > > + d_delete(dentry); I'm mostly trying to convince myself that the fact that there is not a matching dput being removed (to match the dget being removed above) is ok. I do think it is, but that belief seems to dictate that right now dentries must never be being released. Otherwise, it seems like there must be cases where the next dput could be called on a dentry that has been freed. > > dput(dentry); > > } > > inode_unlock(dir); > > -- > > 2.34.1