Received: by 2002:a05:7412:98c1:b0:fa:551:50a7 with SMTP id kc1csp173721rdb;
        Fri, 5 Jan 2024 06:26:46 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFxI7OXuv7BBSukYtdOlQIPbBiFYnrFsGoccjlBdPHi32m8y1gQf1q9PpuBlp5dgsiObbW+
X-Received: by 2002:a17:90a:9c06:b0:28c:5a10:f32d with SMTP id h6-20020a17090a9c0600b0028c5a10f32dmr1881610pjp.76.1704464805429;
        Fri, 05 Jan 2024 06:26:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704464805; cv=none;
        d=google.com; s=arc-20160816;
        b=jcRNCqslaPZxjlgD8rf/oFWx3RD5U/YScReA6bQI4fvWl6BKDjMGun8QI8hoVl5diM
         SFp8agP50jJeFeiMKyGrwfSsPmp9cuzDo1DO61np94bkZtjARkGGNPv6HMHCBp1pyirV
         cKK1tui1pQiy1LUXdofmSgzc/z/YF1fojc+TqPC7fo8kda2KROwYhP1D/qCFvPgYR+E1
         eUNbG15aWXUiwR782C4+ejUNFUlTQRWe3Vlh0sXnTnGMQ3Sx5gjC3PEpiLZK7Q5cHSXq
         P9X8aDYUcbmytYk9u5b0HNsOghKLZbft0OWe+XEOFlVRF4Izy1hrpgaKxRIACPspTzA7
         9FvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=oEqwQGoctzxr5xftp4obQbyWVd/RqetJWISBmArhrEk=;
        fh=pbTvbSzKVXwl6UjSbmpoEg4/VBj6mMO4UksO4l0Be74=;
        b=G7kZnJj66/RXRRpjjy01uquKhtH97h/xfJhbbfAAKFwBsYyo7TUz5BvgUXbsmmqGD2
         xwg4apv+RT9WN0RWZX5N4sRr86lKCFyYW3hOSwwC8YKIAXN2/ANyGvxX2ULMMrEYmrK/
         M0LGAE/JBGWugqAcrdZbpnzg219YD9EEw7mJdWqfPW8x6hqM8Qa/TvZQHY5lKtDC0MMQ
         mOkqSgOEftj24CtD7aA666Ak5brEwlYWqEbabhIEipleO5mhtLx+PnGooX6n7tJ/EN0M
         IAadGjCbp74ih5iSwe9IC5bTMIdu9hfFpOjLGe9caXEo6NLMPKJY7S++toTsIRA4ehKr
         LprA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dm0zaC+K;
       spf=pass (google.com: domain of linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id u7-20020a17090a450700b0028d00f2479fsi921410pjg.113.2024.01.05.06.26.45
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 05 Jan 2024 06:26:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=dm0zaC+K;
       spf=pass (google.com: domain of linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-17920-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 14CF02856F7
	for <linux.lists.archive@gmail.com>; Fri,  5 Jan 2024 14:26:45 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 433C22D7AD;
	Fri,  5 Jan 2024 14:26:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dm0zaC+K"
X-Original-To: linux-kernel@vger.kernel.org
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F8C32D7A7;
	Fri,  5 Jan 2024 14:26:34 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 88058C433C7;
	Fri,  5 Jan 2024 14:26:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1704464794;
	bh=2P6hxdoePoEWFrBd8qdykuqOskTZur3E5s/TzD9/Kf8=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=dm0zaC+K8TFVMUKvLhwb2WqU25tstzG56X+MJwDu/tyO6OoHe99yFHpk0xJJPeyVE
	 S37yGN5olSRW3fgqQfFwMpJrVnK0p0/SpgKSgBCy4oON9m6omcnv1SHI89KFBqLSAe
	 4fzz4YC/UJePyHHDKw/2XnMslC4j0BP5rG+1POKKKghsEzFTa3zo2LPtHTGu5bPtBC
	 48apqSzfkbfW9n3GOLpNQdStzRIdwnOlaKooK5iY1qm/aq2Z3DwX7FhUr+K2tURLts
	 o/tnGHvXvDVIQWdbpCGpkRO/EHUSCQ9t30Ivw4D8PGs1xCaD//k/LDu+xTx3xa8NBL
	 K38/iHxdBNYeg==
Date: Fri, 5 Jan 2024 15:26:28 +0100
From: Christian Brauner <brauner@kernel.org>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Linux Trace Kernel <linux-trace-kernel@vger.kernel.org>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Al Viro <viro@ZenIV.linux.org.uk>, linux-fsdevel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] tracefs/eventfs: Use root and instance inodes as default
 ownership
Message-ID: <20240105-wegstecken-sachkenntnis-6289842d6d01@brauner>
References: <20240103203246.115732ec@gandalf.local.home>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20240103203246.115732ec@gandalf.local.home>

On Wed, Jan 03, 2024 at 08:32:46PM -0500, Steven Rostedt wrote:
> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> 
> Instead of walking the dentries on mount/remount to update the gid values of
> all the dentries if a gid option is specified on mount, just update the root
> inode. Add .getattr, .setattr, and .permissions on the tracefs inode
> operations to update the permissions of the files and directories.
> 
> For all files and directories in the top level instance:
> 
>  /sys/kernel/tracing/*
> 
> It will use the root inode as the default permissions. The inode that
> represents: /sys/kernel/tracing (or wherever it is mounted).
> 
> When an instance is created:
> 
>  mkdir /sys/kernel/tracing/instance/foo
> 
> The directory "foo" and all its files and directories underneath will use
> the default of what foo is when it was created. A remount of tracefs will
> not affect it.

That kinda sounds like eventfs should actually be a separate filesystem.
But I don't know enough about the relationship between the two concepts.

> 
> If a user were to modify the permissions of any file or directory in
> tracefs, it will also no longer be modified by a change in ownership of a
> remount.

Very odd semantics and I would recommend to avoid that. It's just plain
weird imo.

> 
> The events directory, if it is in the top level instance, will use the
> tracefs root inode as the default ownership for itself and all the files and
> directories below it.
> 
> For the events directory in an instance ("foo"), it will keep the ownership
> of what it was when it was created, and that will be used as the default
> ownership for the files and directories beneath it.
> 
> Link: https://lore.kernel.org/linux-trace-kernel/CAHk-=wjVdGkjDXBbvLn2wbZnqP4UsH46E3gqJ9m7UG6DpX2+WA@mail.gmail.com/
> 
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---

So tracefs supports remounting with different uid/gid mount options and
then actually wades through _all_ of the inodes and changes their
ownership internally? What's the use-case for this? Containers?

Aside from optimizing this and the special semantics for this eventfs
stuff that you really should think twice of doing, here's one idea for
an extension that might alleviate some of the pain:

If you need flexible dynamic ownership change to e.g., be able to
delegate (all, a directory, a single file of) tracefs to
unprivileged/containers/whatever then you might want to consider
supporting idmapped mounts for tracefs. Because then you can do stuff
like:

user1@localhost:~/data/scripts$ sudo mount --bind -o X-mount.idmap='g:0:1000:1 u:0:1234:1' /run/ /mnt
user1@localhost:~/data/scripts$ ls -ln /run/
total 12
drwxr-xr-x  2 0  0   40 Jan  5 12:12 credentials
drwx------  2 0  0   40 Jan  5 11:57 cryptsetup
drwxr-xr-x  2 0  0   60 Jan  5 11:57 dbus
drwx------  6 0  0  280 Jan  5 11:57 incus_agent
prw-------  1 0  0    0 Jan  5 11:57 initctl
drwxrwxrwt  4 0  0   80 Jan  5 11:57 lock
drwxr-xr-x  3 0  0   60 Jan  5 11:57 log
drwx------  2 0  0   40 Jan  5 11:57 lvm
-r--r--r--  1 0  0   33 Jan  5 11:57 machine-id
-rw-r--r--  1 0  0  101 Jan  5 11:58 motd.dynamic
drwxr-xr-x  2 0  0   40 Jan  5 11:57 mount
drwx------  2 0  0   40 Jan  5 11:57 multipath
drwxr-xr-x  2 0  0   40 Jan  5 11:57 sendsigs.omit.d
lrwxrwxrwx  1 0  0    8 Jan  5 11:57 shm -> /dev/shm
drwx--x--x  2 0  0   40 Jan  5 11:57 sudo
drwxr-xr-x 24 0  0  660 Jan  5 14:30 systemd
drwxr-xr-x  6 0  0  140 Jan  5 14:30 udev
drwxr-xr-x  4 0  0   80 Jan  5 11:58 user
-rw-rw-r--  1 0 43 2304 Jan  5 15:15 utmp

user1@localhost:~/data/scripts$ ls -ln /mnt/
total 12
drwxr-xr-x  2 1234  1000   40 Jan  5 12:12 credentials
drwx------  2 1234  1000   40 Jan  5 11:57 cryptsetup
drwxr-xr-x  2 1234  1000   60 Jan  5 11:57 dbus
drwxr-xr-x  2 1234  1000   40 Jan  5 11:57 incus_agent
prw-------  1 1234  1000    0 Jan  5 11:57 initctl
drwxr-xr-x  2 1234  1000   40 Jan  5 11:57 lock
drwxr-xr-x  3 1234  1000   60 Jan  5 11:57 log
drwx------  2 1234  1000   40 Jan  5 11:57 lvm
-r--r--r--  1 1234  1000   33 Jan  5 11:57 machine-id
-rw-r--r--  1 1234  1000  101 Jan  5 11:58 motd.dynamic
drwxr-xr-x  2 1234  1000   40 Jan  5 11:57 mount
drwx------  2 1234  1000   40 Jan  5 11:57 multipath
drwxr-xr-x  2 1234  1000   40 Jan  5 11:57 sendsigs.omit.d
lrwxrwxrwx  1 1234  1000    8 Jan  5 11:57 shm -> /dev/shm
drwx--x--x  2 1234  1000   40 Jan  5 11:57 sudo
drwxr-xr-x 24 1234  1000  660 Jan  5 14:30 systemd
drwxr-xr-x  6 1234  1000  140 Jan  5 14:30 udev
drwxr-xr-x  4 1234  1000   80 Jan  5 11:58 user
-rw-rw-r--  1 1234 65534 2304 Jan  5 15:15 utmp

Where you can see that ownership of this tmpfs instance in this example
is changed. I'm not trying to advocate here but this will probably
ultimately be nicer for your users because it means that a container
manager or whatever can be handed a part of tracefs (or all of it) and
the ownership and access rights for that thing is correct. And you can
get rid of that gid based access completely.

You can change uids, gids, or both. You can specify up to 340 individual
mappings it's quite flexible.

Because then you can have a single tracefs superblock and have multiple
mounts with different ownership for the relevant parts of tracefs that
you want to delegate to whoever. If you need an ownership change you can
then just create another idmapped mount with the new ownership and then
use MOVE_MOUNT_BENEATH + umount to replace that mount.

Probably even know someone that would implement this for you (not me) if
that sounds like something that would cover some of the use-case for the
proposed change here. But maybe I just misunderstood things completely.