Re: [PATCH v2] eventfs: Fix file and directory uid and gid ownership

[Masami Hiramatsu (Google) <mhiramat@kernel.org>]

On Thu, 21 Dec 2023 19:07:57 -0500
Steven Rostedt <rostedt@goodmis.org> wrote:

> From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
> 
> It was reported that when mounting the tracefs file system with a gid
> other than root, the ownership did not carry down to the eventfs directory
> due to the dynamic nature of it.
> 
> A fix was done to solve this, but it had two issues.
> 
> (a) if the attr passed into update_inode_attr() was NULL, it didn't do
>     anything. This is true for files that have not had a chown or chgrp
>     done to itself or any of its sibling files, as the attr is allocated
>     for all children when any one needs it.
> 
>  # umount /sys/kernel/tracing
>  # mount -o rw,seclabel,relatime,gid=1000 -t tracefs nodev /mnt
> 
>  # ls -ld /mnt/events/sched
> drwxr-xr-x 28 root rostedt 0 Dec 21 13:12 /mnt/events/sched/
> 
>  # ls -ld /mnt/events/sched/sched_switch
> drwxr-xr-x 2 root rostedt 0 Dec 21 13:12 /mnt/events/sched/sched_switch/
> 
> But when checking the files:
> 
>  # ls -l /mnt/events/sched/sched_switch
> total 0
> -rw-r----- 1 root root 0 Dec 21 13:12 enable
> -rw-r----- 1 root root 0 Dec 21 13:12 filter
> -r--r----- 1 root root 0 Dec 21 13:12 format
> -r--r----- 1 root root 0 Dec 21 13:12 hist
> -r--r----- 1 root root 0 Dec 21 13:12 id
> -rw-r----- 1 root root 0 Dec 21 13:12 trigger
> 
> (b) When the attr does not denote the UID or GID, it defaulted to using
>     the parent uid or gid. This is incorrect as changing the parent
>     uid or gid will automatically change all its children.
> 
>  # chgrp tracing /mnt/events/timer
> 
>  # ls -ld /mnt/events/timer
> drwxr-xr-x 2 root tracing 0 Dec 21 14:34 /mnt/events/timer
> 
>  # ls -l /mnt/events/timer
> total 0
> -rw-r----- 1 root root    0 Dec 21 14:35 enable
> -rw-r----- 1 root root    0 Dec 21 14:35 filter
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 hrtimer_cancel
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 hrtimer_expire_entry
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 hrtimer_expire_exit
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 hrtimer_init
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 hrtimer_start
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 itimer_expire
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 itimer_state
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 tick_stop
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 timer_cancel
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 timer_expire_entry
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 timer_expire_exit
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 timer_init
> drwxr-xr-x 2 root tracing 0 Dec 21 14:35 timer_start
> 
> At first it was thought that this could be easily fixed by just making the
> default ownership of the superblock when it was mounted. But this does not
> handle the case of:
> 
>  # chgrp tracing instances
>  # mkdir instances/foo
> 
> If the superblock was used, then the group ownership would be that of what
> it was when it was mounted, when it should instead be "tracing".
> 
> Instead, set a flag for the top level eventfs directory ("events") to flag
> which eventfs_inode belongs to it.
> 
> Since the "events" directory's dentry and inode are never freed, it does
> not need to use its attr field to restore its mode and ownership. Use the
> this eventfs_inode's attr as the default ownership for all the files and
> directories underneath it.
> 
> When the events eventfs_inode is created, it sets its ownership to its
> parent uid and gid. As the events directory is created at boot up before
> it gets mounted, this will always be uid=0 and gid=0. If it's created via
> an instance, then it will take the ownership of the instance directory.
> 
> When the file system is mounted, it will update all the gids if one is
> specified. This will have a callback to update the events evenfs_inode's
> default entries.
> 
> When a file or directory is created under the events directory, it will
> walk the ei->dentry parents until it finds the evenfs_inode that belongs
> to the events directory to retrieve the default uid and gid values.
> 
> Link: https://lore.kernel.org/all/CAHk-=wiwQtUHvzwyZucDq8=Gtw+AnwScyLhpFswrQ84PjhoGsg@mail.gmail.com/
> 

Looks good to me.

Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Tested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>

Thank you,

> Cc: stable@vger.kernel.org
> Fixes: 0dfc852b6fe3 ("eventfs: Have event files and directories default to parent uid and gid")
> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
> Changes since v1: https://lore.kernel.org/linux-trace-kernel/20231221173812.51fe6113@gandalf.local.home
> 
> - While writing kselftests to test ownership, I found a bug. The remount
>   option allows for an update of the gid. If it is specified, then all
>   dentries are traversed in tracefs and eventfs and the gid is updated.
> 
>   The bug is that a eventfs that does not have a dentry, but had its gid
>   updated, the old gid is still stored, and when the dentry is created, it
>   will use the stored gid.
> 
>   Instead, check all eventfs_inodes that do not have a dentry, and traverse
>   its children to make sure their gids are updated as well.
> 
>  fs/tracefs/event_inode.c | 105 +++++++++++++++++++++++++++++++++++----
>  fs/tracefs/inode.c       |   6 +++
>  fs/tracefs/internal.h    |   2 +
>  3 files changed, 103 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
> index 2ccc849a5bda..6e005a83114f 100644
> --- a/fs/tracefs/event_inode.c
> +++ b/fs/tracefs/event_inode.c
> @@ -113,7 +113,14 @@ static int eventfs_set_attr(struct mnt_idmap *idmap, struct dentry *dentry,
>  	 * determined by the parent directory.
>  	 */
>  	if (dentry->d_inode->i_mode & S_IFDIR) {
> -		update_attr(&ei->attr, iattr);
> +		/*
> +		 * The events directory dentry is never freed, unless its
> +		 * part of an instance that is deleted. It's attr is the
> +		 * default for its child files and directories.
> +		 * Do not update it. It's not used for its own mode or ownership
> +		 */
> +		if (!ei->is_events)
> +			update_attr(&ei->attr, iattr);
>  
>  	} else {
>  		name = dentry->d_name.name;
> @@ -148,28 +155,93 @@ static const struct file_operations eventfs_file_operations = {
>  	.release	= eventfs_release,
>  };
>  
> +/* Return the evenfs_inode of the "events" directory */
> +static struct eventfs_inode *eventfs_find_events(struct dentry *dentry)
> +{
> +	struct eventfs_inode *ei;
> +
> +	mutex_lock(&eventfs_mutex);
> +	do {
> +		/* The parent always has an ei, except for events itself */
> +		ei = dentry->d_parent->d_fsdata;
> +
> +		/*
> +		 * If the ei is being freed, the ownership of the children
> +		 * doesn't matter.
> +		 */
> +		if (ei->is_freed) {
> +			ei = NULL;
> +			break;
> +		}
> +
> +		dentry = ei->dentry;
> +	} while (!ei->is_events);
> +	mutex_unlock(&eventfs_mutex);
> +
> +	return ei;
> +}
> +
>  static void update_inode_attr(struct dentry *dentry, struct inode *inode,
>  			      struct eventfs_attr *attr, umode_t mode)
>  {
> -	if (!attr) {
> -		inode->i_mode = mode;
> +	struct eventfs_inode *events_ei = eventfs_find_events(dentry);
> +
> +	if (!events_ei)
> +		return;
> +
> +	inode->i_mode = mode;
> +	inode->i_uid = events_ei->attr.uid;
> +	inode->i_gid = events_ei->attr.gid;
> +
> +	if (!attr)
>  		return;
> -	}
>  
>  	if (attr->mode & EVENTFS_SAVE_MODE)
>  		inode->i_mode = attr->mode & EVENTFS_MODE_MASK;
> -	else
> -		inode->i_mode = mode;
>  
>  	if (attr->mode & EVENTFS_SAVE_UID)
>  		inode->i_uid = attr->uid;
> -	else
> -		inode->i_uid = d_inode(dentry->d_parent)->i_uid;
>  
>  	if (attr->mode & EVENTFS_SAVE_GID)
>  		inode->i_gid = attr->gid;
> -	else
> -		inode->i_gid = d_inode(dentry->d_parent)->i_gid;
> +}
> +
> +static void update_gid(struct eventfs_inode *ei, kgid_t gid, int level)
> +{
> +	struct eventfs_inode *ei_child;
> +
> +	/* at most we have events/system/event */
> +	if (WARN_ON_ONCE(level > 3))
> +		return;
> +
> +	ei->attr.gid = gid;
> +
> +	if (ei->entry_attrs) {
> +		for (int i = 0; i < ei->nr_entries; i++) {
> +			ei->entry_attrs[i].gid = gid;
> +		}
> +	}
> +
> +	/*
> +	 * Only eventfs_inode with dentries are updated, make sure
> +	 * all eventfs_inodes are updated. If one of the children
> +	 * do not have a dentry, this function must traverse it.
> +	 */
> +	list_for_each_entry_srcu(ei_child, &ei->children, list,
> +				 srcu_read_lock_held(&eventfs_srcu)) {
> +		if (!ei_child->dentry)
> +			update_gid(ei_child, gid, level + 1);
> +	}
> +}
> +
> +void eventfs_update_gid(struct dentry *dentry, kgid_t gid)
> +{
> +	struct eventfs_inode *ei = dentry->d_fsdata;
> +	int idx;
> +
> +	idx = srcu_read_lock(&eventfs_srcu);
> +	update_gid(ei, gid, 0);
> +	srcu_read_unlock(&eventfs_srcu, idx);
>  }
>  
>  /**
> @@ -860,6 +932,8 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
>  	struct eventfs_inode *ei;
>  	struct tracefs_inode *ti;
>  	struct inode *inode;
> +	kuid_t uid;
> +	kgid_t gid;
>  
>  	if (security_locked_down(LOCKDOWN_TRACEFS))
>  		return NULL;
> @@ -884,11 +958,20 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
>  	ei->dentry = dentry;
>  	ei->entries = entries;
>  	ei->nr_entries = size;
> +	ei->is_events = 1;
>  	ei->data = data;
>  	ei->name = kstrdup_const(name, GFP_KERNEL);
>  	if (!ei->name)
>  		goto fail;
>  
> +	/* Save the ownership of this directory */
> +	uid = d_inode(dentry->d_parent)->i_uid;
> +	gid = d_inode(dentry->d_parent)->i_gid;
> +
> +	/* This is used as the default ownership of the files and directories */
> +	ei->attr.uid = uid;
> +	ei->attr.gid = gid;
> +
>  	INIT_LIST_HEAD(&ei->children);
>  	INIT_LIST_HEAD(&ei->list);
>  
> @@ -897,6 +980,8 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
>  	ti->private = ei;
>  
>  	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
> +	inode->i_uid = uid;
> +	inode->i_gid = gid;
>  	inode->i_op = &eventfs_root_dir_inode_operations;
>  	inode->i_fop = &eventfs_file_operations;
>  
> diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
> index ae648deed019..62524b20964e 100644
> --- a/fs/tracefs/inode.c
> +++ b/fs/tracefs/inode.c
> @@ -210,6 +210,7 @@ static void set_gid(struct dentry *parent, kgid_t gid)
>  	next = this_parent->d_subdirs.next;
>  resume:
>  	while (next != &this_parent->d_subdirs) {
> +		struct tracefs_inode *ti;
>  		struct list_head *tmp = next;
>  		struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
>  		next = tmp->next;
> @@ -218,6 +219,11 @@ static void set_gid(struct dentry *parent, kgid_t gid)
>  
>  		change_gid(dentry, gid);
>  
> +		/* If this is the events directory, update that too */
> +		ti = get_tracefs(dentry->d_inode);
> +		if (ti && (ti->flags & TRACEFS_EVENT_INODE))
> +			eventfs_update_gid(dentry, gid);
> +
>  		if (!list_empty(&dentry->d_subdirs)) {
>  			spin_unlock(&this_parent->d_lock);
>  			spin_release(&dentry->d_lock.dep_map, _RET_IP_);
> diff --git a/fs/tracefs/internal.h b/fs/tracefs/internal.h
> index ccee18ca66c7..899e447778ac 100644
> --- a/fs/tracefs/internal.h
> +++ b/fs/tracefs/internal.h
> @@ -62,6 +62,7 @@ struct eventfs_inode {
>  		struct rcu_head		rcu;
>  	};
>  	unsigned int			is_freed:1;
> +	unsigned int			is_events:1;
>  	unsigned int			nr_entries:31;
>  };
>  
> @@ -77,6 +78,7 @@ struct inode *tracefs_get_inode(struct super_block *sb);
>  struct dentry *eventfs_start_creating(const char *name, struct dentry *parent);
>  struct dentry *eventfs_failed_creating(struct dentry *dentry);
>  struct dentry *eventfs_end_creating(struct dentry *dentry);
> +void eventfs_update_gid(struct dentry *dentry, kgid_t gid);
>  void eventfs_set_ei_status_free(struct tracefs_inode *ti, struct dentry *dentry);
>  
>  #endif /* _TRACEFS_INTERNAL_H */
> -- 
> 2.42.0
> 


-- 
Masami Hiramatsu (Google) <mhiramat@kernel.org>