Received: by 2002:a05:7412:da14:b0:e2:908c:2ebd with SMTP id fe20csp240614rdb;
        Fri, 6 Oct 2023 01:54:21 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF1ysemybU96SEbwiEM2DWzy2yww032EzbuheYgEhdMgtBqKeVcdUYFkCFS9MqRQUKMPpCn
X-Received: by 2002:a17:903:1252:b0:1c2:36a:52a5 with SMTP id u18-20020a170903125200b001c2036a52a5mr8452003plh.57.1696582460881;
        Fri, 06 Oct 2023 01:54:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696582460; cv=none;
        d=google.com; s=arc-20160816;
        b=sX3H2wPD8gKg69DqrY32m31pa7qid30ApfqUyySFedHUzmYKRT+hVKkvBhORB0st9V
         5EWWF6u0xp4/0NoIKrr596OdP2CJoSg9tTT8UZkeB+KHGJAxqPA2geTXCdifQPHn0lZ5
         0S53oDDpuU9V4xvCaztWCewnTAdFfoAcZWOavbR0SoMOpY03fxiPgXdFyFM3pOM+a3cv
         AIaZlS07mZh1x5pvVdYZ+gSehb0QmE2hLklPBDTs6U888lmDAJFRi2AOqDbULJjGZJs2
         WG6YIYr/0Qy3vLqWFUDJV/U3eZIAB3JJN7/6rNmtNW4dmMD1doqnZarnnlRUQKhjHrpN
         xWUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=3xGSg1ywEPdzy+7pm5ys+NDpYYhLyChWJlGKSbRiijw=;
        fh=Wx9ncBv8hhKrbJDJrugFhmYcszdkHEzq3nwaC/RGfcM=;
        b=F+gaIwGmuN9q2fdGZJBIFYcxsbADBs9iBJAtxSr/qwBLkInjVGBvTrV3V+IqmgDYFF
         bIwE/e8LIqaXjdMs5SQu2D+4VDjibcZHR7ez1qOatH8CbafpEKlYKD/gmVprhz76C28s
         alVqAg+/uNnPjr+qJCGDMwsT67bZ13T96+dyU+oq4jVugb10iXw56Hi4zNd+CAVYjor7
         vW4ixrq5l5DsFJkxt6C0tgHHLwap3UgZ9wM5L5P3B8oe8j3dIRlmi27bJ03sBpN9s2rz
         TyCv7zebRopj4aodS8K6xDdrQQlp0BrbhMW4CxcfsTtbviyiww8DI4vo54CJbzP3exyM
         3Ayw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@szeredi.hu header.s=google header.b=e9JOMdBd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=szeredi.hu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8])
        by mx.google.com with ESMTPS id n6-20020a170903110600b001c624237977si3471114plh.252.2023.10.06.01.54.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 06 Oct 2023 01:54:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@szeredi.hu header.s=google header.b=e9JOMdBd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=szeredi.hu
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by fry.vger.email (Postfix) with ESMTP id 741B3808A37C;
	Fri,  6 Oct 2023 01:54:18 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230358AbjJFIyF (ORCPT <rfc822;smith.dustin2017@gmail.com>
        + 99 others); Fri, 6 Oct 2023 04:54:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33714 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230398AbjJFIyE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Oct 2023 04:54:04 -0400
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65DDF9F
        for <linux-kernel@vger.kernel.org>; Fri,  6 Oct 2023 01:54:00 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-9b98a699f45so322211266b.3
        for <linux-kernel@vger.kernel.org>; Fri, 06 Oct 2023 01:54:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=szeredi.hu; s=google; t=1696582439; x=1697187239; darn=vger.kernel.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=3xGSg1ywEPdzy+7pm5ys+NDpYYhLyChWJlGKSbRiijw=;
        b=e9JOMdBddiy+e2X+XurG3ruDYEHCQk3UVKyXYxDFYF6XrhfOyP7Ato/eVIEGR8Logq
         81e6/dyfh73Lsst2k4dsDNpGBJCi7izTL7CPKkAFe4U2y+awEF+a7D+evT3y7n39fFWx
         lJs5HQgMTUkhEIyVnUfxn+0aQVgdBiP30I5CQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696582439; x=1697187239;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=3xGSg1ywEPdzy+7pm5ys+NDpYYhLyChWJlGKSbRiijw=;
        b=jmNYGf5Bp2Gr84318mEVZr+NgzzJDVwxVgpdlDcV76uYEyvT1VifuLrq5O7AacwAAh
         4KexGWrTALKJ3ZCaCTzQUUXSDzkDcXMeJgKFENM4MxYPyoPr/5oPgoQN7w07qHW26OCl
         X/TGyUfaC3nouQeUytjk5JEkjfZmzUinJ4xXGedz2Cn3G9/3TXXtDa1Lv2SUX1b/iqWI
         6rF9gAkLoRqtNALJ7L0PyG/jN9EYtB4a58GrnRoMz3kcyvnr9q9mUMPwVK2Vpz6bWLzk
         4h0Z250wZiyNBdbeJq/Tur/q8e5Id/6WpGzs+SrKGxAcyohHkOXdk6K3YtYQHA3Pqr2i
         SlLA==
X-Gm-Message-State: AOJu0Yy/L+RMCKWsLsHsH9g4J4ko9vYt2pMi9XyIb5qpWQEZSZkEDMPF
        lvsxM++JUECYT/4dJn+BeQ/lnEy0UEzycg2/937pxg==
X-Received: by 2002:a17:906:109e:b0:9b2:a7f2:f819 with SMTP id
 u30-20020a170906109e00b009b2a7f2f819mr6282014eju.31.1696582438701; Fri, 06
 Oct 2023 01:53:58 -0700 (PDT)
MIME-Version: 1.0
References: <20230928130147.564503-1-mszeredi@redhat.com> <20230928130147.564503-5-mszeredi@redhat.com>
 <CAHC9VhQD9r+Qf5Vz1XmxUdJJJO7HNTKdo8Ux=n+xkxr=JGFMrw@mail.gmail.com>
 <CAJfpegsPbDgaz46x4Rr9ZgCpF9rohVHsvuWtQ5LNAdiYU_D4Ww@mail.gmail.com>
 <a25f2736-1837-f4ca-b401-85db24f46452@themaw.net> <CAJfpegv78njkWdaShTskKXoGOpKAndvYYJwq7CLibiu+xmLCvg@mail.gmail.com>
 <CAHC9VhTwnjhfmkT5Rzt+SBf-8hyw4PYkbuPYnm6XLoyY7VAUiw@mail.gmail.com>
In-Reply-To: <CAHC9VhTwnjhfmkT5Rzt+SBf-8hyw4PYkbuPYnm6XLoyY7VAUiw@mail.gmail.com>
From:   Miklos Szeredi <miklos@szeredi.hu>
Date:   Fri, 6 Oct 2023 10:53:47 +0200
Message-ID: <CAJfpegsZqF4TnnFBsV-tzi=w_7M=To5DeAjyW=cei9YuG+qMfg@mail.gmail.com>
Subject: Re: [PATCH v3 4/4] add listmount(2) syscall
To:     Paul Moore <paul@paul-moore.com>
Cc:     Ian Kent <raven@themaw.net>, Miklos Szeredi <mszeredi@redhat.com>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-api@vger.kernel.org, linux-man@vger.kernel.org,
        linux-security-module@vger.kernel.org, Karel Zak <kzak@redhat.com>,
        David Howells <dhowells@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Christian Brauner <christian@brauner.io>,
        Amir Goldstein <amir73il@gmail.com>,
        Matthew House <mattlloydhouse@gmail.com>,
        Florian Weimer <fweimer@redhat.com>,
        Arnd Bergmann <arnd@arndb.de>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Fri, 06 Oct 2023 01:54:18 -0700 (PDT)

On Fri, 6 Oct 2023 at 04:56, Paul Moore <paul@paul-moore.com> wrote:

> > Also I cannot see the point in hiding some mount ID's from the list.
> > It seems to me that the list is just an array of numbers that in
> > itself doesn't carry any information.
>
> I think it really comes down to the significance of the mount ID, and
> I can't say I know enough of the details here to be entirely
> comfortable taking a hard stance on this.  Can you help me understand
> the mount ID concept a bit better?

Mount ID is a descriptor that allows referring to a specific struct
mount from userspace.

The old 32 bit mount id is allocated with IDA from a global pool.
Because it's non-referencing it doesn't allow uniquely identifying a
mount.  That was a design mistake that I made back in 2008, thinking
that the same sort of dense descriptor space as used for file
descriptors would work.  Originally it was used to identify the mount
and the parent mount in /proc/PID/mountinfo.  Later it was also added
to the following interfaces:

 - name_to_handle_at(2) returns 32 bit value
 - /proc/PID/FD/fdinfo
 - statx(2) returns 64 bit value

It was never used on the kernel interfaces as an input argument.

statmount(2) and listmount(2) require the mount to be identified by
userspace, so having a unique ID is important.  So the "[1/4] add
unique mount ID" adds a new 64 bit ID (still global) that is allocated
sequentially and only reused after reboot.   It is used as an input to
these syscalls.  It is returned by statx(2) if requested by
STATX_MNT_ID_UNIQUE and as an array of ID's by listmount(2).

I can see mild security problems with the global allocation, since a
task can observe mounts being done in other namespaces.  This doesn't
sound too serious, and the old ID has similar issues.  But I think
making the new ID be local to the mount namespace is also feasible.

> While I'm reasonably confident that we want a security_sb_statfs()
> control point in statmount(), it may turn out that we don't want/need
> a call in the listmount() case.  Perhaps your original patch was
> correct in the sense that we only want a single security_sb_statfs()
> call for the root (implying that the child mount IDs are attributes of
> the root/parent mount)?  Maybe it's something else entirely?

Mounts are arranged in a tree (I think it obvious how) and
listmount(2) just lists the IDs of the immediate children of a mount.

I don't see ID being an attribute of a mount, it's a descriptor.

Thanks,
Miklos