From: Song Liu <songliubraving@meta.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Song Liu <song@kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
Kernel Team <kernel-team@meta.com>,
"andrii@kernel.org" <andrii@kernel.org>,
"eddyz87@gmail.com" <eddyz87@gmail.com>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"martin.lau@linux.dev" <martin.lau@linux.dev>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"brauner@kernel.org" <brauner@kernel.org>,
"jack@suse.cz" <jack@suse.cz>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
"mattbobrowski@google.com" <mattbobrowski@google.com>,
"repnop@google.com" <repnop@google.com>,
"jlayton@kernel.org" <jlayton@kernel.org>,
Josef Bacik <josef@toxicpanda.com>,
"mic@digikod.net" <mic@digikod.net>,
"gnoack@google.com" <gnoack@google.com>
Subject: Re: [PATCH v3 fanotify 1/2] fanotify: Introduce fanotify filter
Date: Sun, 24 Nov 2024 19:08:40 +0000 [thread overview]
Message-ID: <08768205-68CE-499B-A6DC-25E3E530AF91@fb.com> (raw)
In-Reply-To: <CAOQ4uxgKoCztsPZ-X-annfrDwetpy1fcRJz-RdD-pAdMQKVH=Q@mail.gmail.com>
> On Nov 23, 2024, at 10:25 PM, Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Sat, Nov 23, 2024 at 12:00 AM Song Liu <song@kernel.org> wrote:
[...]
>>
>> To make fanotify filters more flexible, a filter can take arguments at
>> attach time.
>>
>> sysfs entry /sys/kernel/fanotify_filter is added to help users know
>> which fanotify filters are available. At the moment, these files are
>> added for each filter: flags, desc, and init_args.
>
> It's a shame that we have fanotify knobs at /proc/sys/fs/fanotify/ and
> in sysfs, but understand we don't want to make more use of proc for this.
>
> Still I would add the filter files under a new /sys/fs/fanotify/ dir and not
> directly under /sys/kernel/
I don't have a strong preference either way. We can create it under
/sys/fs/fanotify if that makes more sense.
>
>>
>> Signed-off-by: Song Liu <song@kernel.org>
>> ---
>> fs/notify/fanotify/Kconfig | 13 ++
>> fs/notify/fanotify/Makefile | 1 +
>> fs/notify/fanotify/fanotify.c | 44 +++-
>> fs/notify/fanotify/fanotify_filter.c | 289 +++++++++++++++++++++++++++
>> fs/notify/fanotify/fanotify_user.c | 7 +
>> include/linux/fanotify.h | 128 ++++++++++++
>> include/linux/fsnotify_backend.h | 6 +-
>> include/uapi/linux/fanotify.h | 36 ++++
>> 8 files changed, 520 insertions(+), 4 deletions(-)
>> create mode 100644 fs/notify/fanotify/fanotify_filter.c
[...]
>>
>> BUILD_BUG_ON(FAN_ACCESS != FS_ACCESS);
>> BUILD_BUG_ON(FAN_MODIFY != FS_MODIFY);
>> @@ -921,6 +924,39 @@ static int fanotify_handle_event(struct fsnotify_group *group, u32 mask,
>> pr_debug("%s: group=%p mask=%x report_mask=%x\n", __func__,
>> group, mask, match_mask);
>>
>> + if (FAN_GROUP_FLAG(group, FANOTIFY_FID_BITS))
>> + fsid = fanotify_get_fsid(iter_info);
>> +
>> +#ifdef CONFIG_FANOTIFY_FILTER
>> + filter_hook = srcu_dereference(group->fanotify_data.filter_hook, &fsnotify_mark_srcu);
>
> Do we actually need the sleeping rcu protection for calling the hook?
> Can regular rcu read side be nested inside srcu read side?
I was thinking the filter function can still sleep, for example, to
read an xattr.
>
> Jan,
>
> I don't remember why srcu is needed since we are not holding it
> when waiting for userspace anymore?
>
>> + if (filter_hook) {
>> + struct fanotify_filter_event filter_event = {
>> + .mask = mask,
>> + .data = data,
>> + .data_type = data_type,
>> + .dir = dir,
>> + .file_name = file_name,
>> + .fsid = &fsid,
>> + .match_mask = match_mask,
>> + };
[...]
>> +
>> + spin_lock(&filter_list_lock);
>> + filter_ops = fanotify_filter_find(args.name);
>> + if (!filter_ops || !try_module_get(filter_ops->owner)) {
>> + spin_unlock(&filter_list_lock);
>> + ret = -ENOENT;
>> + goto err_free_hook;
>> + }
>> + spin_unlock(&filter_list_lock);
>> +
>> + if (!capable(CAP_SYS_ADMIN) && (filter_ops->flags & FAN_FILTER_F_SYS_ADMIN_ONLY)) {
>
> 1. feels better to opt-in for UNPRIV (and maybe later on) rather than
> make it the default.
Sure.
> 2. need to check that filter_ops->flags has only "known" flags
Agreed.
> 3. probably need to add filter_ops->version check in case we want to
> change the ABI
I think we can let the author of the filter handle versioning
inside filter_init function. Many users may not need any logic
for compatibility.
>
>> + ret = -EPERM;
>> + goto err_module_put;
>> + }
>> +
[...]
>> +
>> +/*
>> + * fanotify_filter_del - Delete a filter from fsnotify_group.
>> + */
>> +void fanotify_filter_del(struct fsnotify_group *group)
>> +{
>> + struct fanotify_filter_hook *filter_hook;
>> +
>> + fsnotify_group_lock(group);
>> + filter_hook = group->fanotify_data.filter_hook;
>> + if (!filter_hook)
>> + goto out;
>> +
>> + rcu_assign_pointer(group->fanotify_data.filter_hook, NULL);
>> + fanotify_filter_hook_free(filter_hook);
>
> The read side is protected with srcu and there is no srcu/rcu delay of freeing.
> You will either need something along the lines of
> fsnotify_connector_destroy_workfn() with synchronize_srcu()
Yeah, we do need a synchronize_srcu() here. I will fix this in
the next version.
> or use regular rcu delay and read side (assuming that it can be nested inside
> srcu read side?).
Thanks for the review!
Song
next prev parent reply other threads:[~2024-11-24 19:08 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-22 22:59 [PATCH v3 fanotify 0/2] Fanotify in kernel filter Song Liu
2024-11-22 22:59 ` [PATCH v3 fanotify 1/2] fanotify: Introduce fanotify filter Song Liu
2024-11-24 6:25 ` Amir Goldstein
2024-11-24 19:08 ` Song Liu [this message]
2024-11-28 16:37 ` Jan Kara
2024-11-25 11:01 ` kernel test robot
2024-11-26 0:06 ` kernel test robot
2024-11-22 22:59 ` [PATCH v3 fanotify 2/2] samples/fanotify: Add a sample fanotify fiter Song Liu
2024-11-24 5:07 ` Amir Goldstein
2024-11-24 18:59 ` Song Liu
2024-11-27 0:50 ` Alexei Starovoitov
2024-11-27 2:16 ` Song Liu
2024-11-28 17:10 ` Jan Kara
2024-12-02 17:38 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08768205-68CE-499B-A6DC-25E3E530AF91@fb.com \
--to=songliubraving@meta.com \
--cc=amir73il@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnoack@google.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@meta.com \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=mic@digikod.net \
--cc=repnop@google.com \
--cc=song@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox