Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp546473rwe; Fri, 14 Apr 2023 06:45:51 -0700 (PDT) X-Google-Smtp-Source: AKy350YBZ9pVG4nWpSNlhT8ip8yfHq9dxjZJ8nxc+wTRh6w5vZWb6DKDKs2SzuTXGftNY7ME8sHa X-Received: by 2002:a05:6808:5c6:b0:38b:a59c:1437 with SMTP id d6-20020a05680805c600b0038ba59c1437mr3131965oij.52.1681479951650; Fri, 14 Apr 2023 06:45:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681479951; cv=none; d=google.com; s=arc-20160816; b=IXTfcrdipH/8VDPqIY1X44p9zmAjkbOCFbeRlSUvOkjQ1bLp/B46Ck5pJc0dXUjG5j Ja56i8HqKkFykhkKbZ9h5clBoz+3JD4EEwe2xnn1t7voAAicrD+IpXnp31m7JzzeVhPO XODqb6NQJhuKdF0RszAXaZcgtof7/WULskp3OoMAkktSIyCQSnqRx3ZxSyMTmBuM0f0F B27krn4hn5kUrJzb+X5yemBSzPZfyr0BHAGrp5tchatpowsKFMiFLSW4UsZxJSr+SxbT c/xjwA05/KIemIwRd1dLWNPN1ymvUO4lciTNgp1wzppgVc6FduXSUacszwYYh2EKO2P9 G8PQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=crJ7gDrAkXXRxW4VzsIU00CnW/ivqlAgUPwhdn7VgHE=; b=Aa1+mOCd+ylZ1rFaJGg4EneglDDnh4VpmHM43E8QD+kRO7faGLqD/u6xORhlQ5rCzj lQJb2Lh0YVFbcETEkJNyVAuv5kngrjaGUSu+y/WyxL8Tut9UBRPI27Apdoo5ulYFZ+8Z wT19Bp1oLI93LBZTNFfEZOYLWFq2viwyBh/pSJQQ3PjlrrOh1gJwsaLqCriTL0HT98Jn YXtLwryy0YE/ZfyGN3cq+TV1ibPU2Fu9n5NXW5hLqrxTZCTSbTaM2NuoZ59VUHGm3QHV ein0BgbgG7mjLgwbQ3Diexrq1K6oe4AwzBn2Dw7EVqQFsvSfAy2n8VwxXKpdbyKHxZBj ScEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SEsHDQVC; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l9-20020acabb09000000b0038462069516si1188104oif.261.2023.04.14.06.45.30; Fri, 14 Apr 2023 06:45:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=SEsHDQVC; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229911AbjDNNlT (ORCPT + 99 others); Fri, 14 Apr 2023 09:41:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34438 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229625AbjDNNlS (ORCPT ); Fri, 14 Apr 2023 09:41:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 91F2B9767; Fri, 14 Apr 2023 06:41:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 22F376481B; Fri, 14 Apr 2023 13:41:08 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76A83C4339B; Fri, 14 Apr 2023 13:41:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1681479667; bh=OQSBRh1Pyn9f1qpl5ItWY38UJ7ErfhmCLeQGiieKP3U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=SEsHDQVCCSqfwwGSVMzY6ea+SPRafgN6d8m0KgbS2kqV00DU7cY2TINDgaIARyurQ hG6FZO1nIsgQFYjKtrs6/8D4gZdMP9P3LuziWjaavz8YzIiH3GhPhMHaPTb6jG/9To yTmK8vi2G21ZD14CYaQwB6t8pr+getC8vkrxlUU1aGE/RWQegpWy5er0HuEqz8ugRQ 2LgUa4BbhLoKCybEuhI/ETTuRioEi7B6VmQylqUBACLJEfjEJ9eNaXYNgs6wDTkYTO dWaVof6Z6nH7UShViqn3vi1V0j1DoneMSidOKx8hE0LUOkfbOPNaFNu55PlY6RwXdf We3g5+danuP4Q== Date: Fri, 14 Apr 2023 15:41:02 +0200 From: Christian Brauner To: Jeff Layton Cc: Al Viro , NeilBrown , Dave Wysochanski , linux-fsdevel , linux-nfs , David Howells , Christoph Hellwig Subject: Re: allowing for a completely cached umount(2) pathwalk Message-ID: <20230414-sowas-unmittelbar-67fdae9ca5cd@brauner> References: <95ee689c76bf034fa2fe9fade0bccdb311f3a04f.camel@kernel.org> <168142566371.24821.15867603327393356000@noble.neil.brown.name> <20230414024312.GF3390869@ZenIV> <2631cb9c05087ddd917679b7cebc58cb42cd2de6.camel@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <2631cb9c05087ddd917679b7cebc58cb42cd2de6.camel@kernel.org> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, Apr 14, 2023 at 06:06:38AM -0400, Jeff Layton wrote: > On Fri, 2023-04-14 at 03:43 +0100, Al Viro wrote: > > On Fri, Apr 14, 2023 at 08:41:03AM +1000, NeilBrown wrote: > > > > > The path name that appears in /proc/mounts is the key that must be used > > > to find and unmount a filesystem. When you do that "find"ing you are > > > not looking up a name in a filesystem, you are looking up a key in the > > > mount table. > > > > No. The path name in /proc/mounts is *NOT* a key - it's a best-effort > > attempt to describe the mountpoint. Pathname resolution does not work > > in terms of "the longest prefix is found and we handle the rest within > > that filesystem". > > > > > We could, instead, create an api that is given a mount-id (first number > > > in /proc/self/mountinfo) and unmounts that. Then /sbin/umount could > > > read /proc/self/mountinfo, find the mount-id, and unmount it - all > > > without ever doing path name lookup in the traditional sense. > > > > > > But I prefer your suggestion. LOOKUP_MOUNTPOINT could be renamed > > > LOOKUP_CACHED, and it only finds paths that are in the dcache, never > > > revalidates, at most performs simple permission checks based on cached > > > content. > > > > umount /proc/self/fd/42/barf/something > > > > Does any of that involve talking to the server? I don't necessarily see > a problem with doing the above. If "something" is in cache then that > should still work. > > The main idea here is that we want to avoid communicating with the > backing store during the umount(2) pathwalk. > > > Discuss. > > > > OTON, umount-by-mount-id is an interesting idea, but we'll need to decide > > what would the right permissions be for it. > > > > But please, lose the "mount table is a mapping from path prefix to filesystem" > > notion - it really, really is not. IIRC, there are systems that work that way, > > but it's nowhere near the semantics used by any Unices, all variants of Linux > > included. > > I'm not opposed to something by umount-by-mount-id either. All of this > seems like something that should probably rely on CAP_SYS_ADMIN. The permission model needs to account for the fact that mount ids are global and as such you could in principle unmount any mount in any mount namespace. IOW, you can circumvent lookup restrictions completely. So we could resolve the mnt-id to an FMODE_PATH and then very roughly with no claim to solving everything: may_umount_by_mnt_id(struct path *opath) { struct path root; bool reachable; // caller in principle able to circumvent lookup restrictions if (!may_cap_dac_readsearch()) return false; // caller can mount in their mountns if (!may_mount()) return false; // target mount and caller in the same mountns if (!check_mnt()) return false; // caller could in principle reach mount from it's root get_fs_root(current->fs, &root); reachable = is_path_reachable(real_mount(opath->mnt), opath->dentry, &root); path_put(&root); return reachable; } However, that still means that we have laxer restrictions on unmounting by mount-id then on unmount with lookup as for lookup just having CAP_DAC_READ_SEARCH isn't enough. Usually - at least for filesytems without custom permission handlers - we also establish that the inode can be mapped into the caller's idmapping. So that would mean that unmounting by mount-id would allow you to unmount mounts in cases where you wouldn't with umount. That might be fine though as that's ultimately the goal here in a way. One could also see a very useful feature in this where you require capable(CAP_DAC_READ_SEARCH) and capable(CAP_SYS_ADMIN) and then allow unmounting any mount in the system by mount-id. This would obviously be very useful for privileged service managers but I haven't thought this through.