From: Al Viro <viro@ZenIV.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [git pull] apparmor fix for __d_path() misuse
Date: Wed, 7 Dec 2011 06:54:38 +0000 [thread overview]
Message-ID: <20111207065437.GB2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <201112070544.pB75iX12072157@www262.sakura.ne.jp>
On Wed, Dec 07, 2011 at 02:44:33PM +0900, Tetsuo Handa wrote:
> Excuse me, what "once the race window is over" means?
> Does
>
> do {
> pos = d_absolute_path(path, buffer, buflen - 1);
> } while (pos == ERR_PTR(-EINVAL));
>
> work (i.e. racing with "umount -l" is a temporary failure)?
I said "what your original use of __d_path() would stabilize to". IOW,
that's what you'd get after all ->mnt_parent in the chain are killed
by release_mounts(). And no, since the moment that release_mounts()
started there was *no* *absolute* *path* *at* *all*.
>From that moment on, the point you are looking at is not connected to any
global root. Or to anything still mounted, of course. What changes is
how little of what used to be the path to root remains; very shortly
it's down to just path->mnt not connected to *anything*. __d_path() call
as you have it in the current tree will report the remaining (shrinking)
part of path, eventually settling to just the part from path->mnt->root
to path->dentry. d_absolute_path() will be giving you ERR_PTR(-EINVAL)
all along; the thing it is supposed to give you does not exist anymore.
Racing with umount -l is temporary in a sense that as soon as a vfsmount
detached by umount -l ceases being busy, it gets killed. If you stand
there, holding a reference and looking for a path connecting it to something
mounted, well... (a) such path won't appear and (b) vfsmount will remain
busy for as long as you are holding that reference...
The real question is what pathname do you _want_ in this situation. Define
that and we'll be able to do something about it; if you really are asking
for "whatever this code used to do, modulo races", then what you want is
if (pos == ERR_PTR(-EINVAL)) {
/* it got unmounted; just report what's left and be quiet */
struct path root = {path->mnt, path->mnt->root};
pos = __d_path(path, &root, buf, buflen - 1);
if (!pos) /* it's really, *REALLY* screwed up somehow */
return ERR_PTR(-EINVAL);
}
and that's it. But at that point I would start seriously thinking about the
usefulness of checks done on that tail of pathname, false negatives, etc.
We could, I guess, make d_absolute_path() do just that on such paths as an
automatic fallback [1]. apparmor's use of our_mnt(path->mnt) would've caught
those, so we are not introducing false negatives there.
However, I *really* wonder if that's the right thing to do in any sense.
BTW, what your current code does if you have a file bound on another
file, open it, umount -l it, let the dust settle and then do some operation
that triggers tomoyo_get_absolute_path() on it? Because you'll be getting
a vfsmount/dentry pair that has
* dentry == vfsmount->mnt_root
* vfsmount->mnt_parent == vfsmount
* dentry->d_inode being a non-directory
and there is nothing whatsoever in what remains of the pathname. Not a single
component. IOW, you'll get "/" in buf. Might be good in a testsuite - is
there any code in security/tomoyo that would be relying on assumption that
only directory might have a name entirely without components?
next prev parent reply other threads:[~2011-12-07 6:54 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-06 15:48 [git pull] apparmor fix for __d_path() misuse Al Viro
2011-12-06 16:41 ` Al Viro
2011-12-06 17:21 ` Linus Torvalds
2011-12-06 19:54 ` Linus Torvalds
2011-12-06 20:53 ` Al Viro
2011-12-06 21:07 ` Linus Torvalds
2011-12-06 21:41 ` Al Viro
2011-12-06 22:48 ` John Johansen
2011-12-06 22:19 ` John Johansen
2011-12-06 22:41 ` Al Viro
2011-12-06 23:12 ` John Johansen
2011-12-06 23:45 ` Linus Torvalds
2011-12-07 0:09 ` John Johansen
2011-12-07 0:16 ` Al Viro
2011-12-07 0:39 ` Al Viro
2011-12-07 0:42 ` Linus Torvalds
2011-12-07 1:10 ` Al Viro
2011-12-07 1:37 ` Al Viro
2011-12-07 1:44 ` Al Viro
2011-12-07 2:21 ` Linus Torvalds
2011-12-07 3:23 ` Al Viro
2011-12-07 3:11 ` John Johansen
2011-12-07 4:26 ` John Johansen
2011-12-07 4:45 ` Al Viro
2011-12-07 4:59 ` Al Viro
2011-12-07 3:26 ` Tetsuo Handa
2011-12-07 3:42 ` Al Viro
2011-12-07 5:01 ` Tetsuo Handa
2011-12-07 5:19 ` Al Viro
2011-12-07 5:44 ` Tetsuo Handa
2011-12-07 6:54 ` Al Viro [this message]
2011-12-07 8:59 ` Tetsuo Handa
2011-12-07 16:32 ` Al Viro
2011-12-07 17:51 ` Al Viro
2011-12-07 0:39 ` Linus Torvalds
2011-12-07 0:52 ` Al Viro
2011-12-07 1:11 ` Linus Torvalds
2011-12-07 1:23 ` Al Viro
2011-12-07 2:02 ` Linus Torvalds
2011-12-07 2:17 ` Al Viro
2011-12-07 2:29 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111207065437.GB2203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=john.johansen@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).