* permission checking for F_SET_RW_HINT @ 2024-11-22 12:29 Christoph Hellwig 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig 2024-11-22 12:29 ` [PATCH 2/2] fs: require FMODE_WRITE " Christoph Hellwig 0 siblings, 2 replies; 10+ messages in thread From: Christoph Hellwig @ 2024-11-22 12:29 UTC (permalink / raw) Cc: Al Viro, Christian Brauner, Jan Kara, Jens Axboe, linux-fsdevel Hi all I've been expanding test coverage for F_SET_RW_HINT, and noticed that right now there is no permission checking whatsoever. Patch 1 fixes that by requiring the owner or capable to set the write hint. Patch 2 also requires an fd open for write, which is a bit more arguable but still feels right. Diffstat: fcntl.c | 5 +++++ 1 file changed, 5 insertions(+) ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/2] fs: require inode_owner_or_capable for F_SET_RW_HINT 2024-11-22 12:29 permission checking for F_SET_RW_HINT Christoph Hellwig @ 2024-11-22 12:29 ` Christoph Hellwig 2024-11-22 12:45 ` Jan Kara ` (2 more replies) 2024-11-22 12:29 ` [PATCH 2/2] fs: require FMODE_WRITE " Christoph Hellwig 1 sibling, 3 replies; 10+ messages in thread From: Christoph Hellwig @ 2024-11-22 12:29 UTC (permalink / raw) Cc: Al Viro, Christian Brauner, Jan Kara, Jens Axboe, linux-fsdevel F_SET_RW_HINT controls data placement in the file system and / or device and should not be available to everyone who can read a given file. Signed-off-by: Christoph Hellwig <hch@lst.de> --- fs/fcntl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fcntl.c b/fs/fcntl.c index 22dd9dcce7ec..7fc6190da342 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -375,6 +375,9 @@ static long fcntl_set_rw_hint(struct file *file, unsigned int cmd, u64 __user *argp = (u64 __user *)arg; u64 hint; + if (!inode_owner_or_capable(file_mnt_idmap(file), inode)) + return -EPERM; + if (copy_from_user(&hint, argp, sizeof(hint))) return -EFAULT; if (!rw_hint_valid(hint)) -- 2.45.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] fs: require inode_owner_or_capable for F_SET_RW_HINT 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig @ 2024-11-22 12:45 ` Jan Kara 2024-11-25 14:16 ` Christian Brauner 2024-11-25 14:17 ` (subset) " Christian Brauner 2 siblings, 0 replies; 10+ messages in thread From: Jan Kara @ 2024-11-22 12:45 UTC (permalink / raw) To: Christoph Hellwig Cc: Al Viro, Christian Brauner, Jan Kara, Jens Axboe, linux-fsdevel On Fri 22-11-24 13:29:24, Christoph Hellwig wrote: > F_SET_RW_HINT controls data placement in the file system and / or > device and should not be available to everyone who can read a given file. > > Signed-off-by: Christoph Hellwig <hch@lst.de> Makes sense. Feel free to add: Reviewed-by: Jan Kara <jack@suse.cz> Honza > --- > fs/fcntl.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fcntl.c b/fs/fcntl.c > index 22dd9dcce7ec..7fc6190da342 100644 > --- a/fs/fcntl.c > +++ b/fs/fcntl.c > @@ -375,6 +375,9 @@ static long fcntl_set_rw_hint(struct file *file, unsigned int cmd, > u64 __user *argp = (u64 __user *)arg; > u64 hint; > > + if (!inode_owner_or_capable(file_mnt_idmap(file), inode)) > + return -EPERM; > + > if (copy_from_user(&hint, argp, sizeof(hint))) > return -EFAULT; > if (!rw_hint_valid(hint)) > -- > 2.45.2 > -- Jan Kara <jack@suse.com> SUSE Labs, CR ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] fs: require inode_owner_or_capable for F_SET_RW_HINT 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig 2024-11-22 12:45 ` Jan Kara @ 2024-11-25 14:16 ` Christian Brauner 2024-11-25 14:17 ` (subset) " Christian Brauner 2 siblings, 0 replies; 10+ messages in thread From: Christian Brauner @ 2024-11-25 14:16 UTC (permalink / raw) To: Christoph Hellwig; +Cc: Al Viro, Jan Kara, Jens Axboe, linux-fsdevel On Fri, Nov 22, 2024 at 01:29:24PM +0100, Christoph Hellwig wrote: > F_SET_RW_HINT controls data placement in the file system and / or > device and should not be available to everyone who can read a given file. > > Signed-off-by: Christoph Hellwig <hch@lst.de> > --- > fs/fcntl.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fcntl.c b/fs/fcntl.c > index 22dd9dcce7ec..7fc6190da342 100644 > --- a/fs/fcntl.c > +++ b/fs/fcntl.c > @@ -375,6 +375,9 @@ static long fcntl_set_rw_hint(struct file *file, unsigned int cmd, > u64 __user *argp = (u64 __user *)arg; > u64 hint; > > + if (!inode_owner_or_capable(file_mnt_idmap(file), inode)) > + return -EPERM; > + Bah, nice catch. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: (subset) [PATCH 1/2] fs: require inode_owner_or_capable for F_SET_RW_HINT 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig 2024-11-22 12:45 ` Jan Kara 2024-11-25 14:16 ` Christian Brauner @ 2024-11-25 14:17 ` Christian Brauner 2 siblings, 0 replies; 10+ messages in thread From: Christian Brauner @ 2024-11-25 14:17 UTC (permalink / raw) To: Christoph Hellwig Cc: Christian Brauner, Al Viro, Jan Kara, Jens Axboe, linux-fsdevel On Fri, 22 Nov 2024 13:29:24 +0100, Christoph Hellwig wrote: > F_SET_RW_HINT controls data placement in the file system and / or > device and should not be available to everyone who can read a given file. > > Applied to the vfs.fixes branch of the vfs/vfs.git tree. Patches in the vfs.fixes branch should appear in linux-next soon. Please report any outstanding bugs that were missed during review in a new review to the original patch series allowing us to drop it. It's encouraged to provide Acked-bys and Reviewed-bys even though the patch has now been applied. If possible patch trailers will be updated. Note that commit hashes shown below are subject to change due to rebase, trailer updates or similar. If in doubt, please check the listed branch. tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git branch: vfs.fixes [1/2] fs: require inode_owner_or_capable for F_SET_RW_HINT https://git.kernel.org/vfs/vfs/c/b6512519496e ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 2/2] fs: require FMODE_WRITE for F_SET_RW_HINT 2024-11-22 12:29 permission checking for F_SET_RW_HINT Christoph Hellwig 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig @ 2024-11-22 12:29 ` Christoph Hellwig 2024-11-22 12:53 ` Jan Kara 1 sibling, 1 reply; 10+ messages in thread From: Christoph Hellwig @ 2024-11-22 12:29 UTC (permalink / raw) Cc: Al Viro, Christian Brauner, Jan Kara, Jens Axboe, linux-fsdevel F_SET_RW_HINT controls the placement of written file data. A read-only fd should not allow for that. Signed-off-by: Christoph Hellwig <hch@lst.de> --- fs/fcntl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fcntl.c b/fs/fcntl.c index 7fc6190da342..12f60c42743a 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -377,6 +377,8 @@ static long fcntl_set_rw_hint(struct file *file, unsigned int cmd, if (!inode_owner_or_capable(file_mnt_idmap(file), inode)) return -EPERM; + if (!(file->f_mode & FMODE_WRITE)) + return -EBADF; if (copy_from_user(&hint, argp, sizeof(hint))) return -EFAULT; -- 2.45.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] fs: require FMODE_WRITE for F_SET_RW_HINT 2024-11-22 12:29 ` [PATCH 2/2] fs: require FMODE_WRITE " Christoph Hellwig @ 2024-11-22 12:53 ` Jan Kara 2024-11-22 16:15 ` Christoph Hellwig 0 siblings, 1 reply; 10+ messages in thread From: Jan Kara @ 2024-11-22 12:53 UTC (permalink / raw) To: Christoph Hellwig Cc: Al Viro, Christian Brauner, Jan Kara, Jens Axboe, linux-fsdevel On Fri 22-11-24 13:29:25, Christoph Hellwig wrote: > F_SET_RW_HINT controls the placement of written file data. A read-only > fd should not allow for that. > > Signed-off-by: Christoph Hellwig <hch@lst.de> Here I'm not so sure. Firstly, since you are an owner this doesn't add any additional practical restriction. Secondly, you are not changing anything on disk, just IO hints in memory... Thirdly, we generally don't require writeable fd even to do file attribute changes (like with fchmod, fchown, etc.). So although the check makes some sense, it seems to be mostly inconsistent with how we treat similar stuff. Honza > --- > fs/fcntl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/fcntl.c b/fs/fcntl.c > index 7fc6190da342..12f60c42743a 100644 > --- a/fs/fcntl.c > +++ b/fs/fcntl.c > @@ -377,6 +377,8 @@ static long fcntl_set_rw_hint(struct file *file, unsigned int cmd, > > if (!inode_owner_or_capable(file_mnt_idmap(file), inode)) > return -EPERM; > + if (!(file->f_mode & FMODE_WRITE)) > + return -EBADF; > > if (copy_from_user(&hint, argp, sizeof(hint))) > return -EFAULT; > -- > 2.45.2 > -- Jan Kara <jack@suse.com> SUSE Labs, CR ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] fs: require FMODE_WRITE for F_SET_RW_HINT 2024-11-22 12:53 ` Jan Kara @ 2024-11-22 16:15 ` Christoph Hellwig 2024-11-22 16:40 ` Matthew Wilcox 0 siblings, 1 reply; 10+ messages in thread From: Christoph Hellwig @ 2024-11-22 16:15 UTC (permalink / raw) To: Jan Kara Cc: Christoph Hellwig, Al Viro, Christian Brauner, Jens Axboe, linux-fsdevel On Fri, Nov 22, 2024 at 01:53:42PM +0100, Jan Kara wrote: > Here I'm not so sure. Firstly, since you are an owner this doesn't add any > additional practical restriction. Secondly, you are not changing anything > on disk, just IO hints in memory... Thirdly, we generally don't require > writeable fd even to do file attribute changes (like with fchmod, fchown, > etc.). So although the check makes some sense, it seems to be mostly > inconsistent with how we treat similar stuff. As I said I'm not quite convince either, so just doing the first one is probably fine. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] fs: require FMODE_WRITE for F_SET_RW_HINT 2024-11-22 16:15 ` Christoph Hellwig @ 2024-11-22 16:40 ` Matthew Wilcox 2024-11-25 14:23 ` Christian Brauner 0 siblings, 1 reply; 10+ messages in thread From: Matthew Wilcox @ 2024-11-22 16:40 UTC (permalink / raw) To: Christoph Hellwig Cc: Jan Kara, Al Viro, Christian Brauner, Jens Axboe, linux-fsdevel On Fri, Nov 22, 2024 at 05:15:47PM +0100, Christoph Hellwig wrote: > On Fri, Nov 22, 2024 at 01:53:42PM +0100, Jan Kara wrote: > > Here I'm not so sure. Firstly, since you are an owner this doesn't add any > > additional practical restriction. Secondly, you are not changing anything > > on disk, just IO hints in memory... Thirdly, we generally don't require > > writeable fd even to do file attribute changes (like with fchmod, fchown, > > etc.). So although the check makes some sense, it seems to be mostly > > inconsistent with how we treat similar stuff. > > As I said I'm not quite convince either, so just doing the first one > is probably fine. We do require FMODE_WRITE to do a dedupe, which isn't exactly the same but is similar in concept (we're not changing the content of the file; we're changing how it's laid out on storage). So I think it's reasonable to require FMODE_WRITE to set the write hints. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/2] fs: require FMODE_WRITE for F_SET_RW_HINT 2024-11-22 16:40 ` Matthew Wilcox @ 2024-11-25 14:23 ` Christian Brauner 0 siblings, 0 replies; 10+ messages in thread From: Christian Brauner @ 2024-11-25 14:23 UTC (permalink / raw) To: Matthew Wilcox Cc: Christoph Hellwig, Jan Kara, Al Viro, Jens Axboe, linux-fsdevel On Fri, Nov 22, 2024 at 04:40:31PM +0000, Matthew Wilcox wrote: > On Fri, Nov 22, 2024 at 05:15:47PM +0100, Christoph Hellwig wrote: > > On Fri, Nov 22, 2024 at 01:53:42PM +0100, Jan Kara wrote: > > > Here I'm not so sure. Firstly, since you are an owner this doesn't add any > > > additional practical restriction. Secondly, you are not changing anything > > > on disk, just IO hints in memory... Thirdly, we generally don't require > > > writeable fd even to do file attribute changes (like with fchmod, fchown, > > > etc.). So although the check makes some sense, it seems to be mostly > > > inconsistent with how we treat similar stuff. > > > > As I said I'm not quite convince either, so just doing the first one > > is probably fine. > > We do require FMODE_WRITE to do a dedupe, which isn't exactly the same > but is similar in concept (we're not changing the content of the file; > we're changing how it's laid out on storage). So I think it's reasonable > to require FMODE_WRITE to set the write hints. I tend to agree with Jan. I think the dedupe case is different because you actually use the file to perform a write(-like) operation whereas toggling write hints is just setting an option. ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2024-11-25 14:23 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-11-22 12:29 permission checking for F_SET_RW_HINT Christoph Hellwig 2024-11-22 12:29 ` [PATCH 1/2] fs: require inode_owner_or_capable " Christoph Hellwig 2024-11-22 12:45 ` Jan Kara 2024-11-25 14:16 ` Christian Brauner 2024-11-25 14:17 ` (subset) " Christian Brauner 2024-11-22 12:29 ` [PATCH 2/2] fs: require FMODE_WRITE " Christoph Hellwig 2024-11-22 12:53 ` Jan Kara 2024-11-22 16:15 ` Christoph Hellwig 2024-11-22 16:40 ` Matthew Wilcox 2024-11-25 14:23 ` Christian Brauner
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.