Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2123409rwd; Mon, 15 May 2023 07:34:08 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5Zn+AgEp5/aeafIhRQf8/Vr2Xn+ltL8tD59OZ8i1JzyVwp7S96p6yUBQfd8g3qaKL+d1tx X-Received: by 2002:a17:903:22c9:b0:1a5:22a6:4e6a with SMTP id y9-20020a17090322c900b001a522a64e6amr41898602plg.51.1684161248221; Mon, 15 May 2023 07:34:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684161248; cv=none; d=google.com; s=arc-20160816; b=HTQxx1xfQtEYrW9jOiotUwGJSwsNTETpuwyBWOrgQC4QyZqxa1UEFR1pg0Le5/LOf0 S7KAthjuKksUCtlM/IsJTfERThrnC1GupvJS4KEaXZHdx06Li067t3V/uqXRr4sYZTa3 3fcck2bgE3129x/fc0lvC4I0kud8XE+rZIfIDV0F22+zprItSIzNfcDL3DI1KqlxqX9O fJVaOamtl3RsWZINRuBk+ls56Ve23W7ZWUXCQOeTRlCOzvQBCZzcPtD5UHlKq5UyUseg FmGvoCrJ8E5DoKotFOSBD78STZ/A2K8P4QH4Ea3fChy+xq/j2oUgzS+MchJBc2upxCSS sq1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=ppVyFGTleG0uV5qrwyuyzbwOGiTPSdwv0HSD6ZTUdHA=; b=Ih5hLYwlfvXOwhaGHrnIabzuUzwf8Jemz+4dFMTEuxu0zR993ye1hVWSn+TlwOQGjU 8iLRhtp+VF1CU9NH9jmQBwzTTou2Zsk/xa0MxNA0Yqd8xq3MPPrAy19dp0tiYSaFFXb2 sVj7oayBt8+lq0RnnTuKynS09P39vxlSR/BHE6eGA/WoY/0EkgcwISPW6fXWkCnkI29T KZQrX8LxHnyYosvpYiqWLPO4ILxn+HSUvMUC8EkIOIZ97Yn/ZhZz5foywJWxTzVjAKS0 MtqrFgbjLoDCwdohAZ/WQ3ccnd+RrydAmns8kqLNOL8hFOqn4rlN+Oeqe4B/znu26+Ip i0KA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=Vqpf0hY1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u8-20020a17090282c800b0019ca5ddecfesi16104576plz.92.2023.05.15.07.33.52; Mon, 15 May 2023 07:34:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=Vqpf0hY1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240586AbjEOOVa (ORCPT + 99 others); Mon, 15 May 2023 10:21:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239804AbjEOOVV (ORCPT ); Mon, 15 May 2023 10:21:21 -0400 Received: from mail-ua1-x934.google.com (mail-ua1-x934.google.com [IPv6:2607:f8b0:4864:20::934]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B33403A9B; Mon, 15 May 2023 07:20:58 -0700 (PDT) Received: by mail-ua1-x934.google.com with SMTP id a1e0cc1a2514c-783b92ddbb0so358937241.1; Mon, 15 May 2023 07:20:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684160458; x=1686752458; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ppVyFGTleG0uV5qrwyuyzbwOGiTPSdwv0HSD6ZTUdHA=; b=Vqpf0hY1OSXAfbyCkLaVdobIWRo+Ylc5gQ58cvxZijNGVqy8NZM26ONjavWlaIj8hl sxcsZRJDABMIpaHJtnlARir32khiKKlG4bvjIOHJe/Hk4C1CDX2jn84SrtqCxoWMNarW q/2i5Z5oBi4g1qbcXj+EK8G5Xzmh0sC/0gV89Jbq8olaU7IMMr+WDbD7r7gR1VtmK7DU uGvxAodrVsfFlTwT21Qxe6t5xmtzIrWAFCYy8Zknj8Rek+hZGWboK5eXK2+WiI9rirFq 6m/16Or+wveWdYVe/dB93HEJAWHq6dgKyfGyLvKPRjhzudSVn5kFdi/E9rW75B2A1HJV hI6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684160458; x=1686752458; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ppVyFGTleG0uV5qrwyuyzbwOGiTPSdwv0HSD6ZTUdHA=; b=SKxxrHhqib2SeVw/Mt7k4wd3R3sbuUrt61HOvTkW/WM3f44KzCy7Kq5BV7YAWVVRrE KNzxtYUmc6BWSccL3R3etzEcFRSfygCyUiFozQKqIDv9xjDUz7YzPZwQdObBTZCky5c5 2dhr8YqINUggswPmbYuiNfJqHB8CbJWptO4n6Ien9APCfEGgSlnKo1nNwrRmT2soPUak ax4i/C080Xg+eUWhJjUawuGY8cb4LBgEilsNqNPcZWwka602+3ia35jlfCOxjI619T7r shnUZOO/HCKSZ3BlEoeD7aixPRjh7YzE0ldv+ozpmf63u8nb2fo0umRctnrvNAtUMKnc RcGQ== X-Gm-Message-State: AC+VfDy0NnDkWgqD17Kv62qr+RGcoOaWuPMHY6u8T3lBkqMqIu1gPLVQ tREwbHaIjgXAXL9rjmvSZHOt+8qSp7MPZpaXPgg= X-Received: by 2002:a05:6102:3cd:b0:430:ce0:ae90 with SMTP id n13-20020a05610203cd00b004300ce0ae90mr12150065vsq.14.1684160457669; Mon, 15 May 2023 07:20:57 -0700 (PDT) MIME-Version: 1.0 References: <20230511150802.737477-1-cgzones@googlemail.com> <20230515-kopfgeld-umkurven-f27be4b68a26@brauner> <20230515-banal-vergab-a7abb53169b5@brauner> In-Reply-To: <20230515-banal-vergab-a7abb53169b5@brauner> From: Amir Goldstein Date: Mon, 15 May 2023 17:20:46 +0300 Message-ID: Subject: Re: [RFC PATCH v2] fs/xattr: add *at family syscalls To: Christian Brauner Cc: =?UTF-8?Q?Christian_G=C3=B6ttsche?= , x86@kernel.org, linux-alpha@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, sparclinux@vger.kernel.org, linux-fsdevel@vger.kernel.org, audit@vger.kernel.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, Jan Kara , jlayton@kernel.org, cyphar@cyphar.com, Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 15, 2023 at 4:52=E2=80=AFPM Christian Brauner wrote: > > On Mon, May 15, 2023 at 04:04:21PM +0300, Amir Goldstein wrote: > > On Mon, May 15, 2023 at 1:33=E2=80=AFPM Christian Brauner wrote: > > > > > > On Thu, May 11, 2023 at 05:08:02PM +0200, Christian G=C3=B6ttsche wro= te: > > > > Add the four syscalls setxattrat(), getxattrat(), listxattrat() and > > > > removexattrat(). Those can be used to operate on extended attribut= es, > > > > especially security related ones, either relative to a pinned direc= tory > > > > or on a file descriptor without read access, avoiding a > > > > /proc//fd/ detour, requiring a mounted procfs. > > > > > > > > One use case will be setfiles(8) setting SELinux file contexts > > > > ("security.selinux") without race conditions. > > > > > > > > Add XATTR flags to the private namespace of AT_* flags. > > > > > > > > Use the do_{name}at() pattern from fs/open.c. > > > > > > > > Use a single flag parameter for extended attribute flags (currently > > > > XATTR_CREATE and XATTR_REPLACE) and *at() flags to not exceed six > > > > syscall arguments in setxattrat(). > > > > > > > > Previous approach ("f*xattr: allow O_PATH descriptors"): https://lo= re.kernel.org/all/20220607153139.35588-1-cgzones@googlemail.com/ > > > > v1 discussion: https://lore.kernel.org/all/20220830152858.14866-2-c= gzones@googlemail.com/ > > > > > > > > Signed-off-by: Christian G=C3=B6ttsche > > > > CC: x86@kernel.org > > > > CC: linux-alpha@vger.kernel.org > > > > CC: linux-kernel@vger.kernel.org > > > > CC: linux-arm-kernel@lists.infradead.org > > > > CC: linux-ia64@vger.kernel.org > > > > CC: linux-m68k@lists.linux-m68k.org > > > > CC: linux-mips@vger.kernel.org > > > > CC: linux-parisc@vger.kernel.org > > > > CC: linuxppc-dev@lists.ozlabs.org > > > > CC: linux-s390@vger.kernel.org > > > > CC: linux-sh@vger.kernel.org > > > > CC: sparclinux@vger.kernel.org > > > > CC: linux-fsdevel@vger.kernel.org > > > > CC: audit@vger.kernel.org > > > > CC: linux-arch@vger.kernel.org > > > > CC: linux-api@vger.kernel.org > > > > CC: linux-security-module@vger.kernel.org > > > > CC: selinux@vger.kernel.org > > > > --- > > > > > > Fwiw, your header doesn't let me see who the mail was directly sent t= o > > > so I'm only able to reply to lists which is a bit pointless... > > > > > > > v2: > > > > - squash syscall introduction and wire up commits > > > > - add AT_XATTR_CREATE and AT_XATTR_REPLACE constants > > > > > > > +#define AT_XATTR_CREATE 0x1 /* setxattrat(2): set= value, fail if attr already exists */ > > > > +#define AT_XATTR_REPLACE 0x2 /* setxattrat(2): set value, = fail if attr does not exist */ > > > > > > We really shouldn't waste any AT_* flags for this. Otherwise we'll ru= n > > > out of them rather quickly. Two weeks ago we added another AT_* flag > > > which is up for merging for v6.5 iirc and I've glimpsed another AT_* > > > flag proposal in one of the talks at last weeks Vancouver conference > > > extravaganza. > > > > > > Even if we reuse 0x200 for AT_XATTR_CREATE (like we did for AT_EACCES= S > > > and AT_REMOVEDIR) we still need another bit for AT_XATTR_REPLACE. > > > > > > Plus, this is really ugly since AT_XATTR_{CREATE,REPLACE} really isn'= t > > > in any way related to lookup and we're mixing it in with lookup > > > modifying flags. > > > > > > So my proposal for {g,s}etxattrat() would be: > > > > > > struct xattr_args { > > > __aligned_u64 value; > > > __u32 size; > > > __u32 cmd; > > > }; > > > > > > So everything's nicely 64bit aligned in the struct. Use the @cmd memb= er > > > to set either XATTR_REPLACE or XATTR_CREATE and treat it as a proper > > > enum and not as a flag argument like the old calls did. > > > > > > So then we'd have: > > > > > > setxattrat(int dfd, const char *path, const char __user *name, > > > struct xattr_args __user *args, size_t size, unsigned int = flags) > > > getxattrat(int dfd, const char *path, const char __user *name, > > > struct xattr_args __user *args, size_t size, unsigned int = flags) > > > > > > The current in-kernel struct xattr_ctx would be renamed to struct > > > kernel_xattr_args and then we do the usual copy_struct_from_user() > > > dance: > > > > > > struct xattr_args args; > > > err =3D copy_struct_from_user(&args, sizeof(args), uargs, usize); > > > > > > and then go on to handle value/size for setxattrat()/getxattrat() > > > accordingly. > > > > > > getxattr()/setxattr() aren't meaningfully filterable by seccomp alrea= dy > > > so there's not point in not using a struct. > > > > > > If that isn't very appealing then another option is to add a new flag > > > namespace just for setxattrat() similar to fspick() and move_mount() > > > duplicating the needed lookup modifying flags. > > > Thoughts? > > > > Here is a thought: I am not sure if I am sorry we did not discuss this = API > > issue in LSFMM or happy that we did not waste our time on this... :-/ > > > > I must say that I dislike redefined flag namespace like FSPICK_* > > just as much as I dislike overloading the AT_* namespace and TBH, > > I am not crazy about avoiding this problem with xattr_args either. > > > > A more sane solution IMO could have been: > > - Use lower word of flags for generic AT_ flags > > - Use the upper word of flags for syscall specific flags > > We'd have 16 lower bits for AT_* flags and upper 16 bits for non-AT_* > flags. That might be ok but it isn't great because if we ever extend > AT_* flags into the upper 16 bits that are generally useful for all > AT_* flag taking system calls we'd not be able to use them. And at the > rate people keep suggesting new AT_* flags that issue might arise > quicker than we might think. > > And we really don't want 64 bit flag arguments because of 32 bit > architectures as that gets really ugly to handle cleanly (Arnd has > talked a lot about issues in this area before). > > > > > So if it were up to me, I would vote starting this practice: > > > > + /* Start of syscall specific range */ > > + #define AT_XATTR_CREATE 0x10000 /* setxattrat(2): set > > value, fail if attr already exists */ > > + #define AT_XATTR_REPLACE 0x20000 /* setxattrat(2): set > > value, fail if attr does not exist */ > > > > Which coincidentally happens to be inline with my AT_HANDLE_FID patch..= . > > This is different though. The reason AT_HANDLE_FID is acceptable is > because we need the ability to extend an existing system call and we're > reusing a bit that is already used in two other system calls. So we > avoid adding a new system call just to add another flag argument and > we're also not using up an additional AT_* bit. This makes it bearable > imho. But here we're talking about new system calls where we can avoid > this problem arising in the first place. > > > > > Sure, we will have some special cases like MOVE_MOUNT_* and > > legacy pollution to the lower AT_ flags word, but as a generic solution > > for syscalls that need the common AT_ lookup flags and just a few > > private flags, that seems like the lesser evil to me. > > It is fine to do this in some cases but we shouldn't encourage mixing > distinct flag namespaces let alone advertising this as a generic > solution imho. The AT_XATTR_* flags aren't even flags they behave like > an enum. OK. I see your point. Also, wrt struct xattr_args, there is sort of a precedent with XFS_IOC_ATTRMULTI_BY_HANDLE ioctl, struct xfs_attr_multiop and flags XFS_IOC_ATTR_{CREATE,REPLACE}. Just a nit, I would use xattr_args field names that are the same as setxattr() arg names, so s/cmd/flags. Thanks, Amir.