Received: by 2002:a05:7208:2202:b0:86:316c:7444 with SMTP id s2csp864053rbb; Sat, 1 Jun 2024 01:12:58 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWTySTKTJVs/b54w/lrxg6Xtzr7fWsZLLli7VpGYF0QM/nBscHk3+mmxbDm5oPI4JAlh03mVNQIeON8Yi8O5LdCqp0KtxVBhZdSKcJVWA== X-Google-Smtp-Source: AGHT+IHEUFD++nenvpvcS56g+8kHB4+6EA+2zLVu0x47oNXLfmj/sbFiv6vfHJ8jy4M7HY8UnUVC X-Received: by 2002:a05:6e02:17cb:b0:374:7fec:a3ee with SMTP id e9e14a558f8ab-3748b9924c2mr46472185ab.19.1717229578074; Sat, 01 Jun 2024 01:12:58 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717229578; cv=pass; d=google.com; s=arc-20160816; b=0JASnubRZBe2Y5Uf+pEGl0h+IRjimOEgJDHnaQyIZ2wYOzt/lgvDqXpcp5Y2LqqiLP pEpvjUvh57pfxWajUF1U/3M8xoHW1CodPuquo+jJKJRS8UdWsUhiIQOaghcrli7OxRN3 L6yxBNmoPZ30XS7QP6UABSmTboQAK8u4eWoi68T6+cIU29E9mr55Acowck1pKpnXbuOH QXrGx7kpUhClDBILSf6IGfDvKh4TiAtfPRzetjIWdC7eQG2T2RJqGELvsM3Vv9Hr/Fk8 mzht6l6CWUFx7px3QVTNvEc4lUqfhQYvCFZ1DJIss9nSqAyQx3wKI2cz3lcjWGXq2eMB 4MfQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=LMFNHZx2OS+11E4fqkCWlelAlM1P1mIosQaCLmNtFR4=; fh=o4B/2ykZvIu+Jjx/4B1tvsUR4b//oMRla+f/Uaj7OXI=; b=VoMPs7leIIEYeplc5bzWxXqDd1EgnozXJOJ1ygcFpouK0t1N8OVRFx+J8KebabHG4Z qK+9L+L/TGgfLhIpNW+7McbIbSKckF4yrmd2i7r7MQMqSi3i1TYQgqN4PNVsDlSAjBk1 y+Vuf+cc90N4qDzrotcwW4mBpxfeI1QxL6nOckxWjDj7slUN38OEdG2Y5+EDbPU8ZeA1 XbDd5xDwXx+S6Pqs/XHHbVZuY2t2zFBhy1rGSp1lj1HypoS/3/X5H9QLMUZcRYmTpgxL GrglxyUtzU509lDEVOjYAcN3epb5OQbKqHvXa1/eMnmyQfyaNNK7yP0UGbMPMQZL6QqM 8Ehw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@cyphar.com header.s=MBO0001 header.b=SxrpDJHg; arc=pass (i=1 spf=pass spfdomain=cyphar.com dkim=pass dkdomain=cyphar.com dmarc=pass fromdomain=cyphar.com); spf=pass (google.com: domain of linux-nfs+bounces-3516-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3516-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cyphar.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id 41be03b00d2f7-6c35c181cc9si2917656a12.686.2024.06.01.01.12.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 Jun 2024 01:12:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs+bounces-3516-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@cyphar.com header.s=MBO0001 header.b=SxrpDJHg; arc=pass (i=1 spf=pass spfdomain=cyphar.com dkim=pass dkdomain=cyphar.com dmarc=pass fromdomain=cyphar.com); spf=pass (google.com: domain of linux-nfs+bounces-3516-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3516-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cyphar.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 347EE28846F for ; Sat, 1 Jun 2024 08:12:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 909BE1BC39; Sat, 1 Jun 2024 08:12:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cyphar.com header.i=@cyphar.com header.b="SxrpDJHg" X-Original-To: linux-nfs@vger.kernel.org Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 88514182AE; Sat, 1 Jun 2024 08:12:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=80.241.56.151 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717229573; cv=none; b=Pnx+Ussx7d18479wVODtTlMiiNh7GtXZLc1GRu2tEZOuTaEHYS9S66LZA9LVxqTLuza06SbcevEfY/KoENAE5piB3IGPuigP32uFSIqtVXg33RiqGtOaQn2iOYDzdem/YK6eeTY9TZ74NxwsJJYbzQ3RvWQhYScv0fUnKqFq3+4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717229573; c=relaxed/simple; bh=LMFNHZx2OS+11E4fqkCWlelAlM1P1mIosQaCLmNtFR4=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=D/OL2TG/YbIdp0q9mVeTnYErYBMFx2Zpyo7b0leAjOUyLB3WHL0G8a8sG8IstCkiAAi+MOPDjlliTm1Jkc1CqbJ64clp3I4Dg+2tkCSiMpnknwPCE0AtZ5yjBagxetKVLytU7Uk79qP7IgYgOnT/O72hl9xmT2H34tBjMnYUDVM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cyphar.com; spf=pass smtp.mailfrom=cyphar.com; dkim=pass (2048-bit key) header.d=cyphar.com header.i=@cyphar.com header.b=SxrpDJHg; arc=none smtp.client-ip=80.241.56.151 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cyphar.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cyphar.com Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4Vrt5W24kgz9scH; Sat, 1 Jun 2024 10:12:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cyphar.com; s=MBO0001; t=1717229567; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=LMFNHZx2OS+11E4fqkCWlelAlM1P1mIosQaCLmNtFR4=; b=SxrpDJHgUtluler1JGk8nbuRCkNIYoh0Mb/8TDntRHxtK43Cm2m4Th+NayLYW4zcvtubsW PQi0yAPSfjNhLRBnbqG+BwmkG/cfJjS1FH604dZBWW4WJEpUzSmicvpHkbLQH8pw4q21uR O7ZlC6qz0k4osz+EjXLbCgXwaiVKN013z+8iLNX4s4veQbcPXMWsO573P0TJ4Xp5gEABN6 M6G7tXCBbsAw8HSMNjqImCyev+JjsB3Zz+nqirjstRIsJLRNuIZSPOxLT8ASSAeS+toaXR yGFdSlNYew44o2RnsYC+0193surm6O19EYSlbw6N20+/IPRJVmp6bkfkFIgpNA== Date: Sat, 1 Jun 2024 01:12:31 -0700 From: Aleksa Sarai To: Miklos Szeredi Cc: Christoph Hellwig , Christian Brauner , Jan Kara , Alexander Viro , Chuck Lever , Jeff Layton , Amir Goldstein , Alexander Aring , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org Subject: Re: [PATCH RFC v2] fhandle: expose u64 mount id to name_to_handle_at(2) Message-ID: <20240529.013815-fishy.value.nervous.brutes-FzobWXrzoo2@cyphar.com> References: <20240527133430.ifjo2kksoehtuwrn@quack3> <20240528-wachdienst-weitreichend-42f8121bf764@brauner> <20240528-gesell-evakuieren-899c08cbfa06@brauner> <20240528-gipfel-dilemma-948a590a36fd@brauner> Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="vqvnbffrehhkwad2" Content-Disposition: inline In-Reply-To: --vqvnbffrehhkwad2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2024-05-28, Miklos Szeredi wrote: > On Tue, 28 May 2024 at 15:24, Christoph Hellwig wrote: > > > > On Tue, May 28, 2024 at 02:04:16PM +0200, Christian Brauner wrote: > > > Can you please explain how opening an fd based on a handle returned f= rom > > > name_to_handle_at() and not using a mount file descriptor for > > > open_by_handle_at() would work? > > > > Same as NFS file handles: > > > > name_to_handle_at returns a handle that includes a file system > > identifier. > > > > open_by_handle_at looks up the superblock based on that identifier. >=20 > The open file needs a specific mount, holding the superblock is not suffi= cient. Not to mention that providing a mount fd is what allows for extensions like Christian's proposed method of allowing restricted forms of open_by_handle_at() to be used by unprivileged users. If file handles really are going to end up being the "correct" mechanism of referencing inodes by userspace, then future API designs really need to stop assuming that the user is capable(CAP_DAC_READ_SEARCH). Being able to open any file in any superblock the kernel knows about (presumably using a kernel-internal mount if we are getting rid of the mount fd) is also capable(CAP_SYS_ADMIN) territory. Would the idea be to sign or MAC every file handle to avoid userspace being able to brute-force the file handle of anything the system sees? What happens if the key has to change? Then the handles aren't globally unique anymore... --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --vqvnbffrehhkwad2 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHQEABYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCZlrX6wAKCRAol/rSt+lE b2bqAP0T/6Iuty/9sh3poXGM+BjEe4lGjwd3ua5vliIiOVnAAwD4hT34tVHtbEh1 ROagk+0w0w57LSeHB7EhfS36MZ0YAQ== =MuBc -----END PGP SIGNATURE----- --vqvnbffrehhkwad2--