From: Andreas Gruenbacher <agruen@suse.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: jjohansen@suse.de, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, chrisw@sous-sol.org,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts
Date: Sun, 15 Apr 2007 19:40:21 +0200 [thread overview]
Message-ID: <200704151940.22528.agruen@suse.de> (raw)
In-Reply-To: <20070412105825.15f4df39@the-village.bc.nu>
On Thursday 12 April 2007 11:58, Alan Cox wrote:
> > Third, sys_getcwd() shouldn't return disconnected paths. The patch checks
for
> > that, and makes it fail with -ENOENT in that case
>
> That is a fairly significant and sudden change to the existing
> kernel/user interface.
Well, this is not meant for 2.6.21. I hope it is possible to change it in
early 2.6.22; otherwise if we can't fix mistakes from the past we are pretty
doomed.
The problem with unreachable paths is that they are meaningless to the
process -- the unreachable path does not really work as a path anymore, it
could at best serve some informational value -- at worst it could lead to
hard to track down misbehavior. ENOENT is a documented error code for
``directory has been unlinked''. The man page does not mention unreachable
paths, but the documentation can easily be changed.
What's an unreachable path to one process may be a reachable path for another,
or may not be reachable at all (such as the rootfs).
> > Fourth, this now allows us to tell unreachable mount points from reachable
> > ones when generating the /proc/mounts and /proc/$pid/mountstats files.
> > Unreachable mount points are not interesting to processes (they can't get
> > there, anyway), so we hide unreachable mounts. In particular, ordinary
>
> This is untrue. The process can get there (via fd passing with another
> task)
Process can access file descriptors which are unreachable via path name just
fine indeed, but those fds still don't have a valid path in the context of
that process.
Mount points in /proc/mounts as well as paths returned by getcwd() are
relative to the chroot of the querying process, and listing a mount point
that is unreachable by that process just doesn't help anybody -- that
particular process cannot do anything with them anyway.
> and the process can be producing output for the human operators, who most
> definitely need to know and see this stuff.
We are only talking about mount points unreachable by a particular process;
this does not mean that the mount point isn't reachable by other processes.
Human operators can choose the context from which they are looking
at /proc/mounts. If they are looking form the "real" root, the will see all
mounts that any process can reach (in that namespace).
The rootfs is an example of a mount point that is not reachable by any process
(after the initrd init process): listing it in /proc/mounts is totally
pointless, for example -- the rootfs has no meaning to any of those
processes. (From the point of view of the initrd init process the rootfs is
reachable of course, and so it also shows up in /proc/mounts.)
Another context in which the current /proc/mounts doesn't make sense is chroot
environments: right now if you have proc mounted on /proc as usual as well as
in a chroot, from the point of view of the "real" root, /proc/mounts will
contain something like this (omitting all other mounts):
proc /proc proc rw 0 0
proc /chroot/proc proc rw 0 0
>From the point of view of the chroot, we get:
proc /proc proc rw 0 0
proc /proc proc rw 0 0
So there is no way to tell what's really mounted where (and how) from within
the chroot. That's really quite broken.
Now it would be possible to use some other syntax to disambiguate unreachable
mounts in /proc/mounts, like letting such paths start with "//", or removing
leading slashes in those cases. At least removing leading slashes is quite
likely to break applications though, and such a hack wouldn't really help
anybody.
Whatever syntax we could come up with, those paths would be meaningless in the
given context. They may be meaningful in other context -- exactly if the
paths are reachable.
> I don't think this is fit to apply in current form. The hiding of mounts
> and mountstats is the wrong approach. The changes to getcwd behaviour
> bother me too as we are changing user space behaviour without warning.
Which kind of warning do you have in mind?
Thanks,
Andreas
next prev parent reply other threads:[~2007-04-15 17:40 UTC|newest]
Thread overview: 159+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-12 9:08 [AppArmor 00/41] AppArmor security module overview jjohansen
2007-04-12 9:08 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook jjohansen
2007-04-12 10:06 ` Christoph Hellwig
2007-04-16 16:11 ` [nameidata 1/2] Don't pass NULL nameidata to vfs_create Andreas Gruenbacher
2007-04-16 16:21 ` Christoph Hellwig
2007-04-16 16:40 ` Andreas Gruenbacher
2007-04-16 16:45 ` Christoph Hellwig
2007-04-17 12:09 ` Andreas Gruenbacher
2007-05-11 15:59 ` Andreas Gruenbacher
2007-04-16 16:25 ` Matthew Wilcox
2007-04-16 16:29 ` [nameidata 2/2] Pass no useless nameidata to the create, lookup, and permission IOPs Andreas Gruenbacher
2007-04-16 16:39 ` Christoph Hellwig
2007-04-16 16:42 ` Randy Dunlap
2007-04-16 16:44 ` Andreas Gruenbacher
2007-04-16 16:50 ` Randy Dunlap
2007-04-12 10:12 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook Al Viro
2007-05-23 19:06 ` Andreas Gruenbacher
2007-05-24 1:28 ` James Morris
2007-05-24 9:16 ` Andreas Gruenbacher
2007-05-24 12:51 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook Tetsuo Handa
[not found] ` <200705241112.41101.agruen@suse.de>
2007-05-24 13:19 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook James Morris
2007-05-24 18:10 ` Andreas Gruenbacher
2007-05-24 18:40 ` Al Viro
2007-05-24 21:56 ` Andreas Gruenbacher
2007-05-24 18:58 ` Casey Schaufler
2007-05-25 4:14 ` Andreas Gruenbacher
2007-05-25 5:17 ` Jeremy Maitin-Shepard
2007-05-25 17:43 ` Casey Schaufler
2007-05-25 18:10 ` Jeremy Maitin-Shepard
2007-05-25 18:13 ` Jeremy Maitin-Shepard
2007-05-25 19:06 ` Casey Schaufler
2007-05-26 1:40 ` Tetsuo Handa
2007-05-26 12:10 ` Andreas Gruenbacher
2007-05-26 22:58 ` Casey Schaufler
2007-05-27 1:33 ` Valdis.Kletnieks
2007-05-25 20:00 ` Andreas Gruenbacher
2007-05-25 20:27 ` Casey Schaufler
2007-05-26 5:27 ` Crispin Cowan
2007-05-26 13:34 ` Alan Cox
2007-05-26 14:05 ` Andreas Gruenbacher
2007-05-26 18:41 ` James Morris
2007-05-26 5:20 ` Kyle Moffett
2007-05-26 11:46 ` Andreas Gruenbacher
2007-05-26 12:09 ` Tetsuo Handa
2007-05-26 13:41 ` Andreas Gruenbacher
2007-05-26 14:44 ` Tetsuo Handa
2007-05-26 16:52 ` Andreas Gruenbacher
2007-05-26 18:16 ` Kyle Moffett
2007-05-26 18:45 ` [AppArmor 01/41] " James Morris
2007-05-26 23:08 ` Toshiharu Harada
2007-05-27 2:10 ` Kyle Moffett
2007-05-27 2:37 ` Valdis.Kletnieks
2007-05-27 5:32 ` Kyle Moffett
2007-05-28 20:38 ` Pavel Machek
2007-05-29 2:00 ` Kyle Moffett
2007-05-27 7:25 ` Toshiharu Harada
2007-05-27 13:35 ` Kyle Moffett
2007-05-28 10:41 ` Toshiharu Harada
2007-05-29 1:54 ` Kyle Moffett
2007-05-29 21:17 ` Valdis.Kletnieks
2007-05-30 5:52 ` Crispin Cowan
2007-05-24 14:40 ` Pavel Machek
2007-05-30 10:06 ` Alan Cox
2007-05-30 2:38 ` Toshiharu Harada
2007-05-27 8:34 ` Cliffe
2007-05-27 13:07 ` Kyle Moffett
2007-05-27 16:12 ` Casey Schaufler
2007-05-25 8:01 ` Toshiharu Harada
2007-04-12 9:08 ` [AppArmor 02/41] Remove redundant check from proc_setattr() jjohansen
2007-04-12 9:08 ` [AppArmor 03/41] Remove redundant check from proc_sys_setattr() jjohansen
2007-04-12 10:10 ` Alan Cox
2007-04-12 9:08 ` [AppArmor 04/41] Pass struct file down to remove_suid and children jjohansen
2007-04-12 9:08 ` [AppArmor 05/41] Add a vfsmount parameter to notify_change() jjohansen
2007-04-12 9:08 ` [AppArmor 06/41] Pass struct vfsmount to the inode_setattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 07/41] Add struct vfsmount parameter to vfs_mkdir() jjohansen
2007-04-12 9:08 ` [AppArmor 08/41] Pass struct vfsmount to the inode_mkdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 09/41] Add a struct vfsmount parameter to vfs_mknod() jjohansen
2007-04-12 9:08 ` [AppArmor 10/41] Pass struct vfsmount to the inode_mknod LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 11/41] Add a struct vfsmount parameter to vfs_symlink() jjohansen
2007-04-12 9:08 ` [AppArmor 12/41] Pass struct vfsmount to the inode_symlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 13/41] Pass struct vfsmount to the inode_readlink " jjohansen
2007-04-12 9:08 ` [AppArmor 14/41] Add struct vfsmount parameters to vfs_link() jjohansen
2007-04-12 9:08 ` [AppArmor 15/41] Pass the struct vfsmounts to the inode_link LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 16/41] Add a struct vfsmount parameter to vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 17/41] Pass struct vfsmount to the inode_rmdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 18/41] call lsm hook before unhashing dentry in vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 19/41] Add a struct vfsmount parameter to vfs_unlink() jjohansen
2007-04-12 9:08 ` [AppArmor 20/41] Pass struct vfsmount to the inode_unlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 21/41] Add struct vfsmount parameters to vfs_rename() jjohansen
2007-04-12 9:08 ` [AppArmor 22/41] Pass struct vfsmount to the inode_rename LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 23/41] Add a struct vfsmount parameter to vfs_setxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 24/41] Pass struct vfsmount to the inode_setxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 25/41] Add a struct vfsmount parameter to vfs_getxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 26/41] Pass struct vfsmount to the inode_getxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 27/41] Add a struct vfsmount parameter to vfs_listxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 28/41] Pass struct vfsmount to the inode_listxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 29/41] Add a struct vfsmount parameter to vfs_removexattr() jjohansen
2007-04-12 9:08 ` [AppArmor 30/41] Pass struct vfsmount to the inode_removexattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts jjohansen
2007-04-12 9:58 ` Alan Cox
2007-04-15 17:40 ` Andreas Gruenbacher [this message]
2007-04-16 21:57 ` Alan Cox
2007-04-17 1:35 ` Andreas Gruenbacher
2007-04-17 17:21 ` Alan Cox
2007-04-19 23:23 ` [d_path 0/7] Fixes to d_path: Respin Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 1/7] Fix __d_path() for lazy unmounts and make it unambiguous Andreas Gruenbacher
2007-04-20 9:32 ` Alan Cox
2007-04-19 23:23 ` [d_path 2/7] Make d_path() consistent across mount operations Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 3/7] Add d_namespace_path() to compute namespace relative pathnames Andreas Gruenbacher
2007-04-21 12:57 ` Tetsuo Handa
2007-04-21 16:16 ` Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 4/7] Make getcwd() only return valid paths Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 5/7] Remove duplicate proc code Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 6/7] Filter out disconnected paths from /proc/mounts Andreas Gruenbacher
2007-04-20 9:34 ` Alan Cox
2007-04-19 23:23 ` [d_path 7/7] Distinguish between connected and disconnected paths in d_path() Andreas Gruenbacher
2007-04-20 9:30 ` [d_path 0/7] Fixes to d_path: Respin Alan Cox
2007-04-20 11:45 ` Andreas Gruenbacher
2007-04-20 15:15 ` Ulrich Drepper
2007-04-20 15:21 ` Andreas Gruenbacher
2007-04-20 15:24 ` Ulrich Drepper
2007-04-20 16:40 ` Andreas Gruenbacher
2007-04-20 19:17 ` Ulrich Drepper
2007-04-20 20:44 ` Miklos Szeredi
2007-04-21 19:04 ` Andreas Gruenbacher
2007-04-21 19:46 ` Ulrich Drepper
2007-04-22 9:10 ` Christoph Hellwig
2007-04-22 15:48 ` Andreas Gruenbacher
2007-04-17 6:30 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts Rob Meijer
2007-04-12 9:08 ` [AppArmor 32/41] Make d_path() consistent across mount operations jjohansen
2007-04-12 9:08 ` [AppArmor 33/41] Add d_namespace_path() to obtain namespace relative pathnames jjohansen
2007-04-12 10:49 ` Al Viro
2007-04-12 9:08 ` [AppArmor 34/41] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames jjohansen
2007-04-12 9:08 ` [AppArmor 35/41] Pass struct file down the inode_*xattr security LSM hooks jjohansen
2007-04-12 9:08 ` [AppArmor 36/41] Export audit subsystem for use by modules jjohansen
2007-04-12 9:08 ` [AppArmor 37/41] AppArmor: Main Part jjohansen
2007-04-12 10:37 ` Alan Cox
2007-04-13 8:17 ` Andreas Gruenbacher
2007-04-13 8:48 ` Andreas Gruenbacher
2007-04-13 8:52 ` Nick Piggin
2007-04-12 9:08 ` [AppArmor 38/41] AppArmor: Module and LSM hooks jjohansen
2007-04-12 10:21 ` Alan Cox
2007-04-16 21:37 ` John Johansen
2007-04-12 9:08 ` [AppArmor 39/41] AppArmor: Profile loading and manipulation, pathname matching jjohansen
2007-04-12 10:28 ` Alan Cox
2007-04-12 13:46 ` Andi Kleen
2007-04-15 14:21 ` Andreas Gruenbacher
2007-04-16 6:27 ` Andi Kleen
2007-04-16 20:56 ` John Johansen
2007-04-16 7:39 ` Pavel Machek
2007-04-16 22:00 ` Alan Cox
2007-04-16 22:11 ` John Johansen
2007-04-12 9:08 ` [AppArmor 40/41] AppArmor: all the rest jjohansen
2007-04-12 10:32 ` Al Viro
2007-04-12 11:32 ` Al Viro
2007-04-12 9:08 ` [AppArmor 41/41] Add AppArmor LSM to security/Makefile jjohansen
2007-04-12 10:33 ` [AppArmor 00/41] AppArmor security module overview Shaya Potter
2007-04-12 13:50 ` Pavel Machek
2007-04-13 8:04 ` Rob Meijer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200704151940.22528.agruen@suse.de \
--to=agruen@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chrisw@sous-sol.org \
--cc=jjohansen@suse.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).