[PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christian Brauner]

Hey,

Some filesystems like kernfs and pidfs support file handles as a
convenience to enable the use of name_to_handle_at(2) and
open_by_handle_at(2) but don't want to and cannot be reliably exported.
Add a flag that allows them to mark their export operations accordingly
and make NFS check for its presence.

@Amir, I'll reorder the patches such that this series comes prior to the
pidfs file handle series. Doing it that way will mean that there's never
a state where pidfs supports file handles while also being exportable.
It's probably not a big deal but it's definitely cleaner. It also means
the last patch in this series to mark pidfs as non-exportable can be
dropped. Instead pidfs export operations will be marked as
non-exportable in the patch that they are added in.

Thanks!
Christian

---
Christian Brauner (4):
      exportfs: add flag to indicate local file handles
      kernfs: restrict to local file handles
      ovl: restrict to exportable file handles
      pidfs: restrict to local file handles

 fs/kernfs/mount.c        | 1 +
 fs/nfsd/export.c         | 8 +++++++-
 fs/overlayfs/util.c      | 7 ++++++-
 fs/pidfs.c               | 1 +
 include/linux/exportfs.h | 1 +
 5 files changed, 16 insertions(+), 2 deletions(-)
---
base-commit: 74e20c5946ab3f8ad959ea34f63f21e157d3ebae
change-id: 20241201-work-exportfs-cd49bee773c5

[PATCH 1/4] exportfs: add flag to indicate local file handles

[Christian Brauner]

Some filesystems like kernfs and pidfs support file handles as a
convenience to use name_to_handle_at(2) and open_by_handle_at(2) but
don't want to and cannot be reliably exported. Add a flag that allows
them to mark their export operations accordingly.

Fixes: aa8188253474 ("kernfs: add exportfs operations")
Cc: stable <stable@kernel.org> # >= 4.14
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/nfsd/export.c         | 8 +++++++-
 include/linux/exportfs.h | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index eacafe46e3b673cb306bd3c7caabd3283a1e54b1..786551595cc1c2043e8c195c00ca72ef93c769d6 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -417,6 +417,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
 static int check_export(struct path *path, int *flags, unsigned char *uuid)
 {
 	struct inode *inode = d_inode(path->dentry);
+	const struct export_operations *nop;
 
 	/*
 	 * We currently export only dirs, regular files, and (for v4
@@ -449,11 +450,16 @@ static int check_export(struct path *path, int *flags, unsigned char *uuid)
 		return -EINVAL;
 	}
 
-	if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
+	if (!exportfs_can_decode_fh(nop)) {
 		dprintk("exp_export: export of invalid fs type.\n");
 		return -EINVAL;
 	}
 
+	if (nop && nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE) {
+		dprintk("exp_export: filesystem only supports non-exportable file handles.\n");
+		return -EINVAL;
+	}
+
 	if (is_idmapped_mnt(path->mnt)) {
 		dprintk("exp_export: export of idmapped mounts not yet supported.\n");
 		return -EINVAL;
diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h
index a087606ace194ccc9d1250f990ce55627aaf8dc5..40f78c8e4f31b97b2101b66634e8d1807c1bcc14 100644
--- a/include/linux/exportfs.h
+++ b/include/linux/exportfs.h
@@ -280,6 +280,7 @@ struct export_operations {
 						*/
 #define EXPORT_OP_FLUSH_ON_CLOSE	(0x20) /* fs flushes file data on close */
 #define EXPORT_OP_ASYNC_LOCK		(0x40) /* fs can do async lock request */
+#define EXPORT_OP_LOCAL_FILE_HANDLE		(0x80) /* fs only supports file handles, no proper export */
 	unsigned long	flags;
 };
 

-- 
2.45.2

[PATCH 2/4] kernfs: restrict to local file handles

[Christian Brauner]

The kernfs filesystem uses local file handles that cannot be
exported. Mark its export operations accordingly.

Fixes: aa8188253474 ("kernfs: add exportfs operations")
Cc: stable <stable@kernel.org> # >= 4.14
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/kernfs/mount.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
index 1358c21837f1a0fe1b109e39134e993d0ef83879..c6266ecc78a3ca767e3dcab24fde7c2b79f5370d 100644
--- a/fs/kernfs/mount.c
+++ b/fs/kernfs/mount.c
@@ -154,6 +154,7 @@ static const struct export_operations kernfs_export_ops = {
 	.fh_to_dentry	= kernfs_fh_to_dentry,
 	.fh_to_parent	= kernfs_fh_to_parent,
 	.get_parent	= kernfs_get_parent_dentry,
+	.flags		= EXPORT_OP_LOCAL_FILE_HANDLE,
 };
 
 /**

-- 
2.45.2

[PATCH 3/4] ovl: restrict to exportable file handles

[Christian Brauner]

Ensure that overlayfs only allows decoding exportable file handles.

Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/overlayfs/util.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 9aa7493b1e10365cbcc97fceab26d614a319727f..b498c74084f3950d8e4d9f63a804d1abe08258fc 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -83,10 +83,15 @@ void ovl_revert_creds(const struct cred *old_cred)
  */
 int ovl_can_decode_fh(struct super_block *sb)
 {
+	const struct export_operations *nop = sb->s_export_op;
+
 	if (!capable(CAP_DAC_READ_SEARCH))
 		return 0;
 
-	if (!exportfs_can_decode_fh(sb->s_export_op))
+	if (!exportfs_can_decode_fh(nop))
+		return 0;
+
+	if (nop && nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE)
 		return 0;
 
 	return sb->s_export_op->encode_fh ? -1 : FILEID_INO32_GEN;

-- 
2.45.2

[PATCH 4/4] pidfs: restrict to local file handles

[Christian Brauner]

The pidfs filesystem uses local file handles that cannot be exported.
Mark its export operations accordingly.

Signed-off-by: Christian Brauner <brauner@kernel.org>
---
 fs/pidfs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/pidfs.c b/fs/pidfs.c
index dde3e4e90ea968c12dba0a0d37c95e2218253369..29c894f2792b4a5360a0e1933f850bfaf08413eb 100644
--- a/fs/pidfs.c
+++ b/fs/pidfs.c
@@ -570,6 +570,7 @@ static const struct export_operations pidfs_export_operations = {
 	.fh_to_dentry	= pidfs_fh_to_dentry,
 	.open		= pidfs_export_open,
 	.permission	= pidfs_export_permission,
+	.flags          = EXPORT_OP_LOCAL_FILE_HANDLE,
 };
 
 static int pidfs_init_inode(struct inode *inode, void *data)

-- 
2.45.2

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Jeff Layton]

On Sun, 2024-12-01 at 14:12 +0100, Christian Brauner wrote:
> Hey,
> 
> Some filesystems like kernfs and pidfs support file handles as a
> convenience to enable the use of name_to_handle_at(2) and
> open_by_handle_at(2) but don't want to and cannot be reliably exported.
> Add a flag that allows them to mark their export operations accordingly
> and make NFS check for its presence.
> 
> @Amir, I'll reorder the patches such that this series comes prior to the
> pidfs file handle series. Doing it that way will mean that there's never
> a state where pidfs supports file handles while also being exportable.
> It's probably not a big deal but it's definitely cleaner. It also means
> the last patch in this series to mark pidfs as non-exportable can be
> dropped. Instead pidfs export operations will be marked as
> non-exportable in the patch that they are added in.
> 
> Thanks!
> Christian
> 
> ---
> Christian Brauner (4):
>       exportfs: add flag to indicate local file handles
>       kernfs: restrict to local file handles
>       ovl: restrict to exportable file handles
>       pidfs: restrict to local file handles
> 
>  fs/kernfs/mount.c        | 1 +
>  fs/nfsd/export.c         | 8 +++++++-
>  fs/overlayfs/util.c      | 7 ++++++-
>  fs/pidfs.c               | 1 +
>  include/linux/exportfs.h | 1 +
>  5 files changed, 16 insertions(+), 2 deletions(-)
> ---
> base-commit: 74e20c5946ab3f8ad959ea34f63f21e157d3ebae
> change-id: 20241201-work-exportfs-cd49bee773c5
> 

I've been following the pidfs filehandle discussion and this is exactly
what I was thinking we needed: a way to explicitly label certain
fstypes as unexportable via nfsd.

Reviewed-by: Jeff Layton <jlayton@kernel.org>

Re: [PATCH 1/4] exportfs: add flag to indicate local file handles

[Amir Goldstein]

On Sun, Dec 1, 2024 at 2:13 PM Christian Brauner <brauner@kernel.org> wrote:
>
> Some filesystems like kernfs and pidfs support file handles as a
> convenience to use name_to_handle_at(2) and open_by_handle_at(2) but
> don't want to and cannot be reliably exported. Add a flag that allows
> them to mark their export operations accordingly.
>
> Fixes: aa8188253474 ("kernfs: add exportfs operations")
> Cc: stable <stable@kernel.org> # >= 4.14
> Signed-off-by: Christian Brauner <brauner@kernel.org>
> ---
>  fs/nfsd/export.c         | 8 +++++++-
>  include/linux/exportfs.h | 1 +
>  2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index eacafe46e3b673cb306bd3c7caabd3283a1e54b1..786551595cc1c2043e8c195c00ca72ef93c769d6 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -417,6 +417,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
>  static int check_export(struct path *path, int *flags, unsigned char *uuid)
>  {
>         struct inode *inode = d_inode(path->dentry);
> +       const struct export_operations *nop;
>
>         /*
>          * We currently export only dirs, regular files, and (for v4
> @@ -449,11 +450,16 @@ static int check_export(struct path *path, int *flags, unsigned char *uuid)
>                 return -EINVAL;
>         }
>
> -       if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
> +       if (!exportfs_can_decode_fh(nop)) {
>                 dprintk("exp_export: export of invalid fs type.\n");
>                 return -EINVAL;
>         }
>
> +       if (nop && nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE) {
> +               dprintk("exp_export: filesystem only supports non-exportable file handles.\n");
> +               return -EINVAL;
> +       }
> +
>         if (is_idmapped_mnt(path->mnt)) {
>                 dprintk("exp_export: export of idmapped mounts not yet supported.\n");
>                 return -EINVAL;
> diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h
> index a087606ace194ccc9d1250f990ce55627aaf8dc5..40f78c8e4f31b97b2101b66634e8d1807c1bcc14 100644
> --- a/include/linux/exportfs.h
> +++ b/include/linux/exportfs.h
> @@ -280,6 +280,7 @@ struct export_operations {
>                                                 */
>  #define EXPORT_OP_FLUSH_ON_CLOSE       (0x20) /* fs flushes file data on close */
>  #define EXPORT_OP_ASYNC_LOCK           (0x40) /* fs can do async lock request */
> +#define EXPORT_OP_LOCAL_FILE_HANDLE            (0x80) /* fs only supports file handles, no proper export */
>         unsigned long   flags;
>  };

Please update Documentation/filesystems/nfs/exporting.rst.

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Sun, Dec 1, 2024 at 2:12 PM Christian Brauner <brauner@kernel.org> wrote:
>
> Hey,
>
> Some filesystems like kernfs and pidfs support file handles as a
> convenience to enable the use of name_to_handle_at(2) and
> open_by_handle_at(2) but don't want to and cannot be reliably exported.
> Add a flag that allows them to mark their export operations accordingly
> and make NFS check for its presence.
>
> @Amir, I'll reorder the patches such that this series comes prior to the
> pidfs file handle series. Doing it that way will mean that there's never
> a state where pidfs supports file handles while also being exportable.
> It's probably not a big deal but it's definitely cleaner. It also means
> the last patch in this series to mark pidfs as non-exportable can be
> dropped. Instead pidfs export operations will be marked as
> non-exportable in the patch that they are added in.

Yeh, looks good!

Apart from missing update to exporting.rst

Reviewed-by: Amir Goldstein <amir73il@gmail.com>

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Chuck Lever III]

> On Dec 1, 2024, at 8:28 AM, Jeff Layton <jlayton@kernel.org> wrote:
> 
> On Sun, 2024-12-01 at 14:12 +0100, Christian Brauner wrote:
>> Hey,
>> 
>> Some filesystems like kernfs and pidfs support file handles as a
>> convenience to enable the use of name_to_handle_at(2) and
>> open_by_handle_at(2) but don't want to and cannot be reliably exported.
>> Add a flag that allows them to mark their export operations accordingly
>> and make NFS check for its presence.
>> 
>> @Amir, I'll reorder the patches such that this series comes prior to the
>> pidfs file handle series. Doing it that way will mean that there's never
>> a state where pidfs supports file handles while also being exportable.
>> It's probably not a big deal but it's definitely cleaner. It also means
>> the last patch in this series to mark pidfs as non-exportable can be
>> dropped. Instead pidfs export operations will be marked as
>> non-exportable in the patch that they are added in.
>> 
>> Thanks!
>> Christian
>> 
>> ---
>> Christian Brauner (4):
>>      exportfs: add flag to indicate local file handles
>>      kernfs: restrict to local file handles
>>      ovl: restrict to exportable file handles
>>      pidfs: restrict to local file handles
>> 
>> fs/kernfs/mount.c        | 1 +
>> fs/nfsd/export.c         | 8 +++++++-
>> fs/overlayfs/util.c      | 7 ++++++-
>> fs/pidfs.c               | 1 +
>> include/linux/exportfs.h | 1 +
>> 5 files changed, 16 insertions(+), 2 deletions(-)
>> ---
>> base-commit: 74e20c5946ab3f8ad959ea34f63f21e157d3ebae
>> change-id: 20241201-work-exportfs-cd49bee773c5
>> 
> 
> I've been following the pidfs filehandle discussion and this is exactly
> what I was thinking we needed: a way to explicitly label certain
> fstypes as unexportable via nfsd.
> 
> Reviewed-by: Jeff Layton <jlayton@kernel.org>
> 

Acked-by: Chuck Lever <chuck.lever@oracle.com <mailto:chuck.lever@oracle.com>>

Though, I wonder if a similar but separate prohibition
mechanism might be necessary for other in-kernel network
file system server implementations (eg, ksmbd).


--
Chuck Lever

Re: [PATCH 1/4] exportfs: add flag to indicate local file handles

[Dave Chinner]

On Sun, Dec 01, 2024 at 02:12:25PM +0100, Christian Brauner wrote:
> Some filesystems like kernfs and pidfs support file handles as a
> convenience to use name_to_handle_at(2) and open_by_handle_at(2) but
> don't want to and cannot be reliably exported. Add a flag that allows
> them to mark their export operations accordingly.
> 
> Fixes: aa8188253474 ("kernfs: add exportfs operations")
> Cc: stable <stable@kernel.org> # >= 4.14
> Signed-off-by: Christian Brauner <brauner@kernel.org>
> ---
>  fs/nfsd/export.c         | 8 +++++++-
>  include/linux/exportfs.h | 1 +
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index eacafe46e3b673cb306bd3c7caabd3283a1e54b1..786551595cc1c2043e8c195c00ca72ef93c769d6 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -417,6 +417,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
>  static int check_export(struct path *path, int *flags, unsigned char *uuid)
>  {
>  	struct inode *inode = d_inode(path->dentry);
> +	const struct export_operations *nop;
>  
>  	/*
>  	 * We currently export only dirs, regular files, and (for v4
> @@ -449,11 +450,16 @@ static int check_export(struct path *path, int *flags, unsigned char *uuid)
>  		return -EINVAL;
>  	}
>  
> -	if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
> +	if (!exportfs_can_decode_fh(nop)) {

Where is nop initialised?

>  		dprintk("exp_export: export of invalid fs type.\n");
>  		return -EINVAL;
>  	}
>  
> +	if (nop && nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE) {

Also, please use () around & operations so we can understand that
this is not an accidental typo. i.e:

	if (nop && (nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE)) {

clearly expresses the intent of the code, and now it is obviously
correct at a glance.

-Dave.

-- 
Dave Chinner
david@fromorbit.com

Re: [PATCH 1/4] exportfs: add flag to indicate local file handles

[Christian Brauner]

On Mon, Dec 02, 2024 at 10:12:49AM +1100, Dave Chinner wrote:
> On Sun, Dec 01, 2024 at 02:12:25PM +0100, Christian Brauner wrote:
> > Some filesystems like kernfs and pidfs support file handles as a
> > convenience to use name_to_handle_at(2) and open_by_handle_at(2) but
> > don't want to and cannot be reliably exported. Add a flag that allows
> > them to mark their export operations accordingly.
> > 
> > Fixes: aa8188253474 ("kernfs: add exportfs operations")
> > Cc: stable <stable@kernel.org> # >= 4.14
> > Signed-off-by: Christian Brauner <brauner@kernel.org>
> > ---
> >  fs/nfsd/export.c         | 8 +++++++-
> >  include/linux/exportfs.h | 1 +
> >  2 files changed, 8 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> > index eacafe46e3b673cb306bd3c7caabd3283a1e54b1..786551595cc1c2043e8c195c00ca72ef93c769d6 100644
> > --- a/fs/nfsd/export.c
> > +++ b/fs/nfsd/export.c
> > @@ -417,6 +417,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
> >  static int check_export(struct path *path, int *flags, unsigned char *uuid)
> >  {
> >  	struct inode *inode = d_inode(path->dentry);
> > +	const struct export_operations *nop;
> >  
> >  	/*
> >  	 * We currently export only dirs, regular files, and (for v4
> > @@ -449,11 +450,16 @@ static int check_export(struct path *path, int *flags, unsigned char *uuid)
> >  		return -EINVAL;
> >  	}
> >  
> > -	if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
> > +	if (!exportfs_can_decode_fh(nop)) {
> 
> Where is nop initialised?

Yep, already fixed in tree yesterday. Thanks for catching this though!

> 
> >  		dprintk("exp_export: export of invalid fs type.\n");
> >  		return -EINVAL;
> >  	}
> >  
> > +	if (nop && nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE) {
> 
> Also, please use () around & operations so we can understand that
> this is not an accidental typo. i.e:
> 
> 	if (nop && (nop->flags & EXPORT_OP_LOCAL_FILE_HANDLE)) {
> 
> clearly expresses the intent of the code, and now it is obviously
> correct at a glance.

Done.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christian Brauner]

> Though, I wonder if a similar but separate prohibition
> mechanism might be necessary for other in-kernel network
> file system server implementations (eg, ksmbd).

Oh hm, interesting question.
I have no idea how ksmbd or 9p "exports" work. I really hope they don't
allow exporting arbitrary pseudo-fses.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Jeff Layton]

On Tue, 2024-12-03 at 10:08 +0100, Christian Brauner wrote:
> > Though, I wonder if a similar but separate prohibition
> > mechanism might be necessary for other in-kernel network
> > file system server implementations (eg, ksmbd).
> 
> Oh hm, interesting question.
> I have no idea how ksmbd or 9p "exports" work. I really hope they don't
> allow exporting arbitrary pseudo-fses.

SMB is path-based so there's no worry about filehandles there. It looks
like ksmbd keeps a set of ksmbd_share_config objects, that are
configured by userland. If someone deliberately shares stuff under
/proc, then I guess they get to keep all of the pieces. ;)

9P does use filehandles, but there is no in-kernel server, so far.
Wedson had one in development at one point [1], but I haven't heard
anything about it in a while.

[1]: https://kangrejos.com/Async%20Rust%20and%209p%20server.pdf
-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christoph Hellwig]

On Sun, Dec 01, 2024 at 02:12:24PM +0100, Christian Brauner wrote:
> Hey,
> 
> Some filesystems like kernfs and pidfs support file handles as a
> convenience to enable the use of name_to_handle_at(2) and
> open_by_handle_at(2) but don't want to and cannot be reliably exported.
> Add a flag that allows them to mark their export operations accordingly
> and make NFS check for its presence.
> 
> @Amir, I'll reorder the patches such that this series comes prior to the
> pidfs file handle series. Doing it that way will mean that there's never
> a state where pidfs supports file handles while also being exportable.
> It's probably not a big deal but it's definitely cleaner. It also means
> the last patch in this series to mark pidfs as non-exportable can be
> dropped. Instead pidfs export operations will be marked as
> non-exportable in the patch that they are added in.

Can you please invert the polarity?  Marking something as not supporting
is always awkward.  Clearly marking it as supporting something (and
writing down in detail what is required for that) is much better, even
it might cause a little more churn initially.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christian Brauner]

On Wed, Dec 04, 2024 at 04:38:28PM -0800, Christoph Hellwig wrote:
> On Sun, Dec 01, 2024 at 02:12:24PM +0100, Christian Brauner wrote:
> > Hey,
> > 
> > Some filesystems like kernfs and pidfs support file handles as a
> > convenience to enable the use of name_to_handle_at(2) and
> > open_by_handle_at(2) but don't want to and cannot be reliably exported.
> > Add a flag that allows them to mark their export operations accordingly
> > and make NFS check for its presence.
> > 
> > @Amir, I'll reorder the patches such that this series comes prior to the
> > pidfs file handle series. Doing it that way will mean that there's never
> > a state where pidfs supports file handles while also being exportable.
> > It's probably not a big deal but it's definitely cleaner. It also means
> > the last patch in this series to mark pidfs as non-exportable can be
> > dropped. Instead pidfs export operations will be marked as
> > non-exportable in the patch that they are added in.
> 
> Can you please invert the polarity?  Marking something as not supporting
> is always awkward.  Clearly marking it as supporting something (and
> writing down in detail what is required for that) is much better, even
> it might cause a little more churn initially.

Fine by me but let's do that as a cleanup on top, please. Especially
because we need to backport this to stable.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Thu, Dec 5, 2024 at 1:38 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Sun, Dec 01, 2024 at 02:12:24PM +0100, Christian Brauner wrote:
> > Hey,
> >
> > Some filesystems like kernfs and pidfs support file handles as a
> > convenience to enable the use of name_to_handle_at(2) and
> > open_by_handle_at(2) but don't want to and cannot be reliably exported.
> > Add a flag that allows them to mark their export operations accordingly
> > and make NFS check for its presence.
> >
> > @Amir, I'll reorder the patches such that this series comes prior to the
> > pidfs file handle series. Doing it that way will mean that there's never
> > a state where pidfs supports file handles while also being exportable.
> > It's probably not a big deal but it's definitely cleaner. It also means
> > the last patch in this series to mark pidfs as non-exportable can be
> > dropped. Instead pidfs export operations will be marked as
> > non-exportable in the patch that they are added in.
>
> Can you please invert the polarity?  Marking something as not supporting
> is always awkward.  Clearly marking it as supporting something (and
> writing down in detail what is required for that) is much better, even
> it might cause a little more churn initially.
>

Churn would be a bit annoying, but I guess it makes sense.
I agree with Christian that it should be done as cleanup to allow for
easier backport.

Please suggest a name for this opt-in flag.
EXPORT_OP_NFS_EXPORT???

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Darrick J. Wong]

On Thu, Dec 05, 2024 at 12:57:28PM +0100, Amir Goldstein wrote:
> On Thu, Dec 5, 2024 at 1:38 AM Christoph Hellwig <hch@infradead.org> wrote:
> >
> > On Sun, Dec 01, 2024 at 02:12:24PM +0100, Christian Brauner wrote:
> > > Hey,
> > >
> > > Some filesystems like kernfs and pidfs support file handles as a
> > > convenience to enable the use of name_to_handle_at(2) and
> > > open_by_handle_at(2) but don't want to and cannot be reliably exported.
> > > Add a flag that allows them to mark their export operations accordingly
> > > and make NFS check for its presence.
> > >
> > > @Amir, I'll reorder the patches such that this series comes prior to the
> > > pidfs file handle series. Doing it that way will mean that there's never
> > > a state where pidfs supports file handles while also being exportable.
> > > It's probably not a big deal but it's definitely cleaner. It also means
> > > the last patch in this series to mark pidfs as non-exportable can be
> > > dropped. Instead pidfs export operations will be marked as
> > > non-exportable in the patch that they are added in.
> >
> > Can you please invert the polarity?  Marking something as not supporting
> > is always awkward.  Clearly marking it as supporting something (and
> > writing down in detail what is required for that) is much better, even
> > it might cause a little more churn initially.
> >
> 
> Churn would be a bit annoying, but I guess it makes sense.
> I agree with Christian that it should be done as cleanup to allow for
> easier backport.
> 
> Please suggest a name for this opt-in flag.
> EXPORT_OP_NFS_EXPORT???

That's probably too specific to NFS--

AFAICT the goal here is to prevent exporting {pid,kern}fs file handles
to other nodes, correct?  Because we don't want to allow a process on
another computer to mess around with processes on the local computer?

How about:

/* file handles can be used by a process on another node */
#define EXPORT_OP_ALLOW_REMOTE_NODES	(...)

--D

> Thanks,
> Amir.
> 

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Fri, Dec 6, 2024 at 5:03 PM Darrick J. Wong <djwong@kernel.org> wrote:
>
> On Thu, Dec 05, 2024 at 12:57:28PM +0100, Amir Goldstein wrote:
> > On Thu, Dec 5, 2024 at 1:38 AM Christoph Hellwig <hch@infradead.org> wrote:
> > >
> > > On Sun, Dec 01, 2024 at 02:12:24PM +0100, Christian Brauner wrote:
> > > > Hey,
> > > >
> > > > Some filesystems like kernfs and pidfs support file handles as a
> > > > convenience to enable the use of name_to_handle_at(2) and
> > > > open_by_handle_at(2) but don't want to and cannot be reliably exported.
> > > > Add a flag that allows them to mark their export operations accordingly
> > > > and make NFS check for its presence.
> > > >
> > > > @Amir, I'll reorder the patches such that this series comes prior to the
> > > > pidfs file handle series. Doing it that way will mean that there's never
> > > > a state where pidfs supports file handles while also being exportable.
> > > > It's probably not a big deal but it's definitely cleaner. It also means
> > > > the last patch in this series to mark pidfs as non-exportable can be
> > > > dropped. Instead pidfs export operations will be marked as
> > > > non-exportable in the patch that they are added in.
> > >
> > > Can you please invert the polarity?  Marking something as not supporting
> > > is always awkward.  Clearly marking it as supporting something (and
> > > writing down in detail what is required for that) is much better, even
> > > it might cause a little more churn initially.
> > >
> >
> > Churn would be a bit annoying, but I guess it makes sense.
> > I agree with Christian that it should be done as cleanup to allow for
> > easier backport.
> >
> > Please suggest a name for this opt-in flag.
> > EXPORT_OP_NFS_EXPORT???
>
> That's probably too specific to NFS--
>
> AFAICT the goal here is to prevent exporting {pid,kern}fs file handles
> to other nodes, correct?  Because we don't want to allow a process on
> another computer to mess around with processes on the local computer?
>
> How about:
>
> /* file handles can be used by a process on another node */
> #define EXPORT_OP_ALLOW_REMOTE_NODES    (...)

This has a sound of security which is incorrect IMO.
The fact that we block nfsd export of cgroups does not prevent
any type of userland file server from exporting cgroup file handles.

I hate to be a pain, but IMO, the claim that inverted polarity is clearer
is not a consensus and there are plenty of counter examples.
I do not object to inverting the polarity if a flag name is found
that explains the property well, but IMO, this is not it.

Maybe opt-out of nfsd export is a little less safer than opt-in, but
1. opt-out is and will remain the rare exception for export_operations
2. at least the flag name EXPORT_OP_LOCAL_FILE_HANDLE
    is pretty clear IMO

Plus, as I wrote in another email, the fact that pidfs is SB_NOUSER,
so userspace is not allowed to mount it into the namespace and
userland file servers cannot export the filesystem itself.
That property itself (SB_NOUSER), is therefore a good enough indication
to deny nfsd export of this fs.
So really the immediate need for an explicit flag is only to stop exporting
kernfs/cgroupfs and I don't see this need spreading much further
(perhaps to nsfs) and therefore, the value of inverting to opt-in is
questionable IMO.

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christoph Hellwig]

On Sat, Dec 07, 2024 at 09:49:02AM +0100, Amir Goldstein wrote:
> > /* file handles can be used by a process on another node */
> > #define EXPORT_OP_ALLOW_REMOTE_NODES    (...)
> 
> This has a sound of security which is incorrect IMO.
> The fact that we block nfsd export of cgroups does not prevent
> any type of userland file server from exporting cgroup file handles.

So what is the purpose of the flag?  Asking for a coherent name and
description was the other bigger ask for me.

> Maybe opt-out of nfsd export is a little less safer than opt-in, but
> 1. opt-out is and will remain the rare exception for export_operations
> 2. at least the flag name EXPORT_OP_LOCAL_FILE_HANDLE
>     is pretty clear IMO

Even after this thread I have absolutely no idea what problem it tries
to solve.  Maybe that's not just the flag names fault, and not of opt-in
vs out, but both certainly don't help.

> Plus, as I wrote in another email, the fact that pidfs is SB_NOUSER,
> so userspace is not allowed to mount it into the namespace and
> userland file servers cannot export the filesystem itself.
> That property itself (SB_NOUSER), is therefore a good enough indication
> to deny nfsd export of this fs.

So check SB_NOUSER in nfsd and be done with it?

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Mon, Dec 9, 2024 at 8:49 AM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Sat, Dec 07, 2024 at 09:49:02AM +0100, Amir Goldstein wrote:
> > > /* file handles can be used by a process on another node */
> > > #define EXPORT_OP_ALLOW_REMOTE_NODES    (...)
> >
> > This has a sound of security which is incorrect IMO.
> > The fact that we block nfsd export of cgroups does not prevent
> > any type of userland file server from exporting cgroup file handles.
>
> So what is the purpose of the flag?  Asking for a coherent name and
> description was the other bigger ask for me.
>
> > Maybe opt-out of nfsd export is a little less safer than opt-in, but
> > 1. opt-out is and will remain the rare exception for export_operations
> > 2. at least the flag name EXPORT_OP_LOCAL_FILE_HANDLE
> >     is pretty clear IMO
>
> Even after this thread I have absolutely no idea what problem it tries
> to solve.  Maybe that's not just the flag names fault, and not of opt-in
> vs out, but both certainly don't help.
>
> > Plus, as I wrote in another email, the fact that pidfs is SB_NOUSER,
> > so userspace is not allowed to mount it into the namespace and
> > userland file servers cannot export the filesystem itself.
> > That property itself (SB_NOUSER), is therefore a good enough indication
> > to deny nfsd export of this fs.
>
> So check SB_NOUSER in nfsd and be done with it?
>

That will work for the new user (pidfs).

I think SB_KERNMOUNT qualifies as well, because it signifies
a mount that does not belong to any user's mount namespace.

For example, tmpfs (shmem) can be exported via nfs, but trying to
export an anonymous memfd should fail.

To be clear, exporting pidfs or internal shmem via an anonymous fd is
probably not possible with existing userspace tools, but with all the new
mount_fd and magic link apis, I can never be sure what can be made possible
to achieve when the user holds an anonymous fd.

The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
was that when kernfs/cgroups was added exportfs support with commit
aa8188253474 ("kernfs: add exportfs operations"), there was no intention
to export cgroupfs over nfs, only local to uses, but that was never enforced,
so we thought it would be good to add this restriction and backport it to
stable kernels.

[CC patch authors]

I tried to look for some property of cgroupfs that will make it not eligible
for nfs such as the SB_KERNMOUNT and SB_NOUSER indicators, but
as far as I can see cgroups looks like any other non-blockdev filesystem.

Maybe we were wrong about the assumption that cgroupfs should be treated
specially and deny export cgroups over nfs??

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Greg KH]

On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> On Mon, Dec 9, 2024 at 8:49 AM Christoph Hellwig <hch@infradead.org> wrote:
> >
> > On Sat, Dec 07, 2024 at 09:49:02AM +0100, Amir Goldstein wrote:
> > > > /* file handles can be used by a process on another node */
> > > > #define EXPORT_OP_ALLOW_REMOTE_NODES    (...)
> > >
> > > This has a sound of security which is incorrect IMO.
> > > The fact that we block nfsd export of cgroups does not prevent
> > > any type of userland file server from exporting cgroup file handles.
> >
> > So what is the purpose of the flag?  Asking for a coherent name and
> > description was the other bigger ask for me.
> >
> > > Maybe opt-out of nfsd export is a little less safer than opt-in, but
> > > 1. opt-out is and will remain the rare exception for export_operations
> > > 2. at least the flag name EXPORT_OP_LOCAL_FILE_HANDLE
> > >     is pretty clear IMO
> >
> > Even after this thread I have absolutely no idea what problem it tries
> > to solve.  Maybe that's not just the flag names fault, and not of opt-in
> > vs out, but both certainly don't help.
> >
> > > Plus, as I wrote in another email, the fact that pidfs is SB_NOUSER,
> > > so userspace is not allowed to mount it into the namespace and
> > > userland file servers cannot export the filesystem itself.
> > > That property itself (SB_NOUSER), is therefore a good enough indication
> > > to deny nfsd export of this fs.
> >
> > So check SB_NOUSER in nfsd and be done with it?
> >
> 
> That will work for the new user (pidfs).
> 
> I think SB_KERNMOUNT qualifies as well, because it signifies
> a mount that does not belong to any user's mount namespace.
> 
> For example, tmpfs (shmem) can be exported via nfs, but trying to
> export an anonymous memfd should fail.
> 
> To be clear, exporting pidfs or internal shmem via an anonymous fd is
> probably not possible with existing userspace tools, but with all the new
> mount_fd and magic link apis, I can never be sure what can be made possible
> to achieve when the user holds an anonymous fd.
> 
> The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> was that when kernfs/cgroups was added exportfs support with commit
> aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> to export cgroupfs over nfs, only local to uses, but that was never enforced,
> so we thought it would be good to add this restriction and backport it to
> stable kernels.
> 
> [CC patch authors]
> 
> I tried to look for some property of cgroupfs that will make it not eligible
> for nfs such as the SB_KERNMOUNT and SB_NOUSER indicators, but
> as far as I can see cgroups looks like any other non-blockdev filesystem.
> 
> Maybe we were wrong about the assumption that cgroupfs should be treated
> specially and deny export cgroups over nfs??

Please don't export any of the "fake" kernel filesystems (configfs,
cgroups, sysfs, debugfs, proc, etc) over nfs please.  That way lies
madness and makes no sense.

thanks,

greg k-h

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Mon, Dec 9, 2024 at 10:16 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > On Mon, Dec 9, 2024 at 8:49 AM Christoph Hellwig <hch@infradead.org> wrote:
> > >
> > > On Sat, Dec 07, 2024 at 09:49:02AM +0100, Amir Goldstein wrote:
> > > > > /* file handles can be used by a process on another node */
> > > > > #define EXPORT_OP_ALLOW_REMOTE_NODES    (...)
> > > >
> > > > This has a sound of security which is incorrect IMO.
> > > > The fact that we block nfsd export of cgroups does not prevent
> > > > any type of userland file server from exporting cgroup file handles.
> > >
> > > So what is the purpose of the flag?  Asking for a coherent name and
> > > description was the other bigger ask for me.
> > >
> > > > Maybe opt-out of nfsd export is a little less safer than opt-in, but
> > > > 1. opt-out is and will remain the rare exception for export_operations
> > > > 2. at least the flag name EXPORT_OP_LOCAL_FILE_HANDLE
> > > >     is pretty clear IMO
> > >
> > > Even after this thread I have absolutely no idea what problem it tries
> > > to solve.  Maybe that's not just the flag names fault, and not of opt-in
> > > vs out, but both certainly don't help.
> > >
> > > > Plus, as I wrote in another email, the fact that pidfs is SB_NOUSER,
> > > > so userspace is not allowed to mount it into the namespace and
> > > > userland file servers cannot export the filesystem itself.
> > > > That property itself (SB_NOUSER), is therefore a good enough indication
> > > > to deny nfsd export of this fs.
> > >
> > > So check SB_NOUSER in nfsd and be done with it?
> > >
> >
> > That will work for the new user (pidfs).
> >
> > I think SB_KERNMOUNT qualifies as well, because it signifies
> > a mount that does not belong to any user's mount namespace.
> >
> > For example, tmpfs (shmem) can be exported via nfs, but trying to
> > export an anonymous memfd should fail.
> >
> > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > probably not possible with existing userspace tools, but with all the new
> > mount_fd and magic link apis, I can never be sure what can be made possible
> > to achieve when the user holds an anonymous fd.
> >
> > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > was that when kernfs/cgroups was added exportfs support with commit
> > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > so we thought it would be good to add this restriction and backport it to
> > stable kernels.
> >
> > [CC patch authors]
> >
> > I tried to look for some property of cgroupfs that will make it not eligible
> > for nfs such as the SB_KERNMOUNT and SB_NOUSER indicators, but
> > as far as I can see cgroups looks like any other non-blockdev filesystem.
> >
> > Maybe we were wrong about the assumption that cgroupfs should be treated
> > specially and deny export cgroups over nfs??
>
> Please don't export any of the "fake" kernel filesystems (configfs,
> cgroups, sysfs, debugfs, proc, etc) over nfs please.  That way lies
> madness and makes no sense.

Agreed. The problem is that when looking in vfs for a clear definition
of "fake" kernel filesystems, I cannot find an objective criteria, especially
for those "fake" fs that you listed.

The "pseudo" filesystems (that call init_pseudo()) which are clearly
marked with SB_NOUSER (except for nsfs)

The "internal" filesystems that use kern_mount() internal mount ns
are clearly marked with SB_KERNMOUNT.

One commonality that I found among most fs that have a known sysfs
mount point is that they use  get_tree_single() because they are "singleton"
filesystems. However, a singleton filesystem may not be fake (efivarfs,
openpromfs), so I am not sure this is a good indication for no nfs export
and in any case, this it not true for procfs, sysfs, cgroups (kernfs).

We are left with the fact that there is no clear criteria with the list of
"fake" filesystems that you mentioned and among that list, only cgroupfs
has implemented file handles, so I see two options:

1. Explicitly opt-out of nfs export for cgroups as the proposed patch set does
2. Clearly mark all "fake" filesystems, for whatever "fake" means with
    SB_<WHATEVER> and then let nfsd query the "fake" fs flag

#1 is pretty straightforward.
#2 means this discussion will go on for some time and that I may eventually
need to submit a "What is a fake filesystem?" topic to LSFMM ;)

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christoph Hellwig]

On Mon, Dec 09, 2024 at 10:16:36AM +0100, Greg KH wrote:
> > Maybe we were wrong about the assumption that cgroupfs should be treated
> > specially and deny export cgroups over nfs??
> 
> Please don't export any of the "fake" kernel filesystems (configfs,
> cgroups, sysfs, debugfs, proc, etc) over nfs please.  That way lies
> madness and makes no sense.

Umm, yes: it sounds like a pretty useless idea.  But you can do that
today with a userland nfs server, so why explicitly forbid it for
the kernel nfs server.  In either case you absolutely have to want it,
you're not going to accidentally NFS export a file system.

I'm still trying to understand what problem we're trying to solve here.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christoph Hellwig]

On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> To be clear, exporting pidfs or internal shmem via an anonymous fd is
> probably not possible with existing userspace tools, but with all the new
> mount_fd and magic link apis, I can never be sure what can be made possible
> to achieve when the user holds an anonymous fd.
> 
> The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> was that when kernfs/cgroups was added exportfs support with commit
> aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> to export cgroupfs over nfs, only local to uses, but that was never enforced,
> so we thought it would be good to add this restriction and backport it to
> stable kernels.

Can you please explain what the problem with exporting these file
systems over NFS is?  Yes, it's not going to be very useful.  But what
is actually problematic about it?  Any why is it not problematic with
a userland nfs server?  We really need to settle that argumet before
deciding a flag name or polarity.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Amir Goldstein]

On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
>
> On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > probably not possible with existing userspace tools, but with all the new
> > mount_fd and magic link apis, I can never be sure what can be made possible
> > to achieve when the user holds an anonymous fd.
> >
> > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > was that when kernfs/cgroups was added exportfs support with commit
> > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > so we thought it would be good to add this restriction and backport it to
> > stable kernels.
>
> Can you please explain what the problem with exporting these file
> systems over NFS is?  Yes, it's not going to be very useful.  But what
> is actually problematic about it?  Any why is it not problematic with
> a userland nfs server?  We really need to settle that argumet before
> deciding a flag name or polarity.
>

I agree that it is not the end of the world and users do have to explicitly
use fsid= argument to be able to export cgroupfs via nfsd.

The idea for this patch started from the claim that Jeff wrote that cgroups
is not allowed for nfsd export, but I couldn't find where it is not allowed.

I have no issue personally with leaving cgroupfs exportable via nfsd
and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.

Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?

Thanks,
Amir.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Chuck Lever]

On 12/9/24 11:30 AM, Amir Goldstein wrote:
> On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
>>
>> On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
>>> To be clear, exporting pidfs or internal shmem via an anonymous fd is
>>> probably not possible with existing userspace tools, but with all the new
>>> mount_fd and magic link apis, I can never be sure what can be made possible
>>> to achieve when the user holds an anonymous fd.
>>>
>>> The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
>>> was that when kernfs/cgroups was added exportfs support with commit
>>> aa8188253474 ("kernfs: add exportfs operations"), there was no intention
>>> to export cgroupfs over nfs, only local to uses, but that was never enforced,
>>> so we thought it would be good to add this restriction and backport it to
>>> stable kernels.
>>
>> Can you please explain what the problem with exporting these file
>> systems over NFS is?  Yes, it's not going to be very useful.  But what
>> is actually problematic about it?  Any why is it not problematic with
>> a userland nfs server?  We really need to settle that argumet before
>> deciding a flag name or polarity.
>>
> 
> I agree that it is not the end of the world and users do have to explicitly
> use fsid= argument to be able to export cgroupfs via nfsd.
> 
> The idea for this patch started from the claim that Jeff wrote that cgroups
> is not allowed for nfsd export, but I couldn't find where it is not allowed.
> 
> I have no issue personally with leaving cgroupfs exportable via nfsd
> and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
> 
> Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?

We all seem to be hard-pressed to find a usage scenario where exporting
pseudo-filesystems via NFS is valuable. But maybe someone has done it
and has a good reason for it.

The issue is whether such export should be consistently and actively
prevented.

I'm not aware of any specific security issues with it.


-- 
Chuck Lever

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Jeff Layton]

On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
> On 12/9/24 11:30 AM, Amir Goldstein wrote:
> > On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
> > > 
> > > On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > > > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > > > probably not possible with existing userspace tools, but with all the new
> > > > mount_fd and magic link apis, I can never be sure what can be made possible
> > > > to achieve when the user holds an anonymous fd.
> > > > 
> > > > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > > > was that when kernfs/cgroups was added exportfs support with commit
> > > > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > > > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > > > so we thought it would be good to add this restriction and backport it to
> > > > stable kernels.
> > > 
> > > Can you please explain what the problem with exporting these file
> > > systems over NFS is?  Yes, it's not going to be very useful.  But what
> > > is actually problematic about it?  Any why is it not problematic with
> > > a userland nfs server?  We really need to settle that argumet before
> > > deciding a flag name or polarity.
> > > 
> > 
> > I agree that it is not the end of the world and users do have to explicitly
> > use fsid= argument to be able to export cgroupfs via nfsd.
> > 
> > The idea for this patch started from the claim that Jeff wrote that cgroups
> > is not allowed for nfsd export, but I couldn't find where it is not allowed.
> > 

I think that must have been a wrong assumption on my part. I don't see
anything that specifically prevents that either. If cgroupfs is mounted
and you tell mountd to export it, I don't see what would prevent that.

To be clear, I don't see how you would trick bog-standard mountd into
exporting a filesystem that isn't mounted into its namespace, however.
Writing a replacement for mountd is always a possibilty.

> > I have no issue personally with leaving cgroupfs exportable via nfsd
> > and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
> > 
> > Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
> 
> We all seem to be hard-pressed to find a usage scenario where exporting
> pseudo-filesystems via NFS is valuable. But maybe someone has done it
> and has a good reason for it.
> 
> The issue is whether such export should be consistently and actively
> prevented.
> 
> I'm not aware of any specific security issues with it.
> 
> 

I'm not either, but we are in new territory here. nfsd is a network
service, so it does present more of an attack surface vs. local access.

In general, you do have to take active steps to export a filesystem,
but if someone exports / with "crossmnt", everything mounted is
potentially accessible. That's obviously a dumb thing to do, but people
make mistakes, and it's possible that doing this could be part of a
wider exploit.

I tend to think it safest to make exporting via nfsd an opt-in thing on
a per-fs basis (along the lines of this patchset). If someone wants to
allow access to more "exotic" filesystems, let them argue their use-
case on the list first.
-- 
Jeff Layton <jlayton@kernel.org>

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Chuck Lever]

On 12/9/24 12:15 PM, Jeff Layton wrote:
> On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
>> On 12/9/24 11:30 AM, Amir Goldstein wrote:
>>> On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
>>>>
>>>> On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
>>>>> To be clear, exporting pidfs or internal shmem via an anonymous fd is
>>>>> probably not possible with existing userspace tools, but with all the new
>>>>> mount_fd and magic link apis, I can never be sure what can be made possible
>>>>> to achieve when the user holds an anonymous fd.
>>>>>
>>>>> The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
>>>>> was that when kernfs/cgroups was added exportfs support with commit
>>>>> aa8188253474 ("kernfs: add exportfs operations"), there was no intention
>>>>> to export cgroupfs over nfs, only local to uses, but that was never enforced,
>>>>> so we thought it would be good to add this restriction and backport it to
>>>>> stable kernels.
>>>>
>>>> Can you please explain what the problem with exporting these file
>>>> systems over NFS is?  Yes, it's not going to be very useful.  But what
>>>> is actually problematic about it?  Any why is it not problematic with
>>>> a userland nfs server?  We really need to settle that argumet before
>>>> deciding a flag name or polarity.
>>>>
>>>
>>> I agree that it is not the end of the world and users do have to explicitly
>>> use fsid= argument to be able to export cgroupfs via nfsd.
>>>
>>> The idea for this patch started from the claim that Jeff wrote that cgroups
>>> is not allowed for nfsd export, but I couldn't find where it is not allowed.
>>>
> 
> I think that must have been a wrong assumption on my part. I don't see
> anything that specifically prevents that either. If cgroupfs is mounted
> and you tell mountd to export it, I don't see what would prevent that.
> 
> To be clear, I don't see how you would trick bog-standard mountd into
> exporting a filesystem that isn't mounted into its namespace, however.
> Writing a replacement for mountd is always a possibilty.
> 
>>> I have no issue personally with leaving cgroupfs exportable via nfsd
>>> and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
>>>
>>> Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
>>
>> We all seem to be hard-pressed to find a usage scenario where exporting
>> pseudo-filesystems via NFS is valuable. But maybe someone has done it
>> and has a good reason for it.
>>
>> The issue is whether such export should be consistently and actively
>> prevented.
>>
>> I'm not aware of any specific security issues with it.
>>
>>
> 
> I'm not either, but we are in new territory here. nfsd is a network
> service, so it does present more of an attack surface vs. local access.
> 
> In general, you do have to take active steps to export a filesystem,
> but if someone exports / with "crossmnt", everything mounted is
> potentially accessible. That's obviously a dumb thing to do, but people
> make mistakes, and it's possible that doing this could be part of a
> wider exploit.
> 
> I tend to think it safest to make exporting via nfsd an opt-in thing on
> a per-fs basis (along the lines of this patchset). If someone wants to
> allow access to more "exotic" filesystems, let them argue their use-
> case on the list first.

If we were starting from scratch, 100% agree.

The current situation is that these file systems appear to be exportable
(and not only via NFS). The proposal is that this facility is to be
taken away. This can easily turn into a behavior regression for someone
if we're not careful.


-- 
Chuck Lever

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christian Brauner]

On Mon, Dec 09, 2024 at 12:20:10PM -0500, Chuck Lever wrote:
> On 12/9/24 12:15 PM, Jeff Layton wrote:
> > On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
> > > On 12/9/24 11:30 AM, Amir Goldstein wrote:
> > > > On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
> > > > > 
> > > > > On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > > > > > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > > > > > probably not possible with existing userspace tools, but with all the new
> > > > > > mount_fd and magic link apis, I can never be sure what can be made possible
> > > > > > to achieve when the user holds an anonymous fd.
> > > > > > 
> > > > > > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > > > > > was that when kernfs/cgroups was added exportfs support with commit
> > > > > > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > > > > > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > > > > > so we thought it would be good to add this restriction and backport it to
> > > > > > stable kernels.
> > > > > 
> > > > > Can you please explain what the problem with exporting these file
> > > > > systems over NFS is?  Yes, it's not going to be very useful.  But what
> > > > > is actually problematic about it?  Any why is it not problematic with
> > > > > a userland nfs server?  We really need to settle that argumet before
> > > > > deciding a flag name or polarity.
> > > > > 
> > > > 
> > > > I agree that it is not the end of the world and users do have to explicitly
> > > > use fsid= argument to be able to export cgroupfs via nfsd.
> > > > 
> > > > The idea for this patch started from the claim that Jeff wrote that cgroups
> > > > is not allowed for nfsd export, but I couldn't find where it is not allowed.
> > > > 
> > 
> > I think that must have been a wrong assumption on my part. I don't see
> > anything that specifically prevents that either. If cgroupfs is mounted
> > and you tell mountd to export it, I don't see what would prevent that.
> > 
> > To be clear, I don't see how you would trick bog-standard mountd into
> > exporting a filesystem that isn't mounted into its namespace, however.
> > Writing a replacement for mountd is always a possibilty.
> > 
> > > > I have no issue personally with leaving cgroupfs exportable via nfsd
> > > > and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
> > > > 
> > > > Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
> > > 
> > > We all seem to be hard-pressed to find a usage scenario where exporting
> > > pseudo-filesystems via NFS is valuable. But maybe someone has done it
> > > and has a good reason for it.
> > > 
> > > The issue is whether such export should be consistently and actively
> > > prevented.
> > > 
> > > I'm not aware of any specific security issues with it.
> > > 
> > > 
> > 
> > I'm not either, but we are in new territory here. nfsd is a network
> > service, so it does present more of an attack surface vs. local access.
> > 
> > In general, you do have to take active steps to export a filesystem,
> > but if someone exports / with "crossmnt", everything mounted is
> > potentially accessible. That's obviously a dumb thing to do, but people
> > make mistakes, and it's possible that doing this could be part of a
> > wider exploit.
> > 
> > I tend to think it safest to make exporting via nfsd an opt-in thing on
> > a per-fs basis (along the lines of this patchset). If someone wants to
> > allow access to more "exotic" filesystems, let them argue their use-
> > case on the list first.
> 
> If we were starting from scratch, 100% agree.
> 
> The current situation is that these file systems appear to be exportable
> (and not only via NFS). The proposal is that this facility is to be
> taken away. This can easily turn into a behavior regression for someone
> if we're not careful.

So I'm happy to drop the exportfs preliminary we have now preventing
kernfs from being exported but then Christoph and you should figure out
what the security implications of allowing kernfs instances to be
exported areare because I'm not an NFS export expert.

Filesystems that fall under kernfs that are exportable by NFS as I
currently understand it are at least:

(1) sysfs
(2) cgroupfs

Has anyone ever actually tried to export the two and tested what
happens? Because I wouldn't be surprised if this ended in tears but
maybe I'm overly pessimistic.

Both (1) and (2) are rather special and don't have standard filesystem
semantics in a few places.

- cgroupfs isn't actually namespace aware. Whereas most filesystems like
  tmpfs and ramfs that are mountable inside unprivileged containers are
  multi-instance filesystems, aka allocate a new superblock per
  container cgroupfs is single-instance with a nasty implementation to
  virtualize the per-container view via cgroup namespaces. I wouldn't be
  surprised if that ends up being problematic.

- Cgroupfs has write-time permission checks as the process that is moved
  into a cgroup isn't known at open time. That has been exploitable
  before this was fixed.

- Even though it's legacy cgroup has a v1 and v2 mode where v1 is even
  more messed up than v2 including the release-agent logic which ends up
  issuing a usermode helper to call a binary when a cgroup is released.

- sysfs potentially exposes all kinds of extremly low-level information
  to a remote machine.

None of this gives me the warm and fuzzy. But that's just me.

Otherwise, I don't understand what it means that a userspace NFS server
can export kernfs instances. I don't know what that means and what the
contrast to in-kernel NFS server export is and whether that has the same
security implications. If so it's even scary that some random userspace
NFS server can just expose guts like kernfs.

But if both of you feel that this is safe to do and there aren't any
security issues lurking that have gone unnoticed simply because no one
has really ever exported sysfs or cgroupfs then by all means continue
allowing that. I'm rather skeptical.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christian Brauner]

On Tue, Dec 10, 2024 at 11:13:16AM +0100, Christian Brauner wrote:
> On Mon, Dec 09, 2024 at 12:20:10PM -0500, Chuck Lever wrote:
> > On 12/9/24 12:15 PM, Jeff Layton wrote:
> > > On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
> > > > On 12/9/24 11:30 AM, Amir Goldstein wrote:
> > > > > On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
> > > > > > 
> > > > > > On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > > > > > > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > > > > > > probably not possible with existing userspace tools, but with all the new
> > > > > > > mount_fd and magic link apis, I can never be sure what can be made possible
> > > > > > > to achieve when the user holds an anonymous fd.
> > > > > > > 
> > > > > > > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > > > > > > was that when kernfs/cgroups was added exportfs support with commit
> > > > > > > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > > > > > > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > > > > > > so we thought it would be good to add this restriction and backport it to
> > > > > > > stable kernels.
> > > > > > 
> > > > > > Can you please explain what the problem with exporting these file
> > > > > > systems over NFS is?  Yes, it's not going to be very useful.  But what
> > > > > > is actually problematic about it?  Any why is it not problematic with
> > > > > > a userland nfs server?  We really need to settle that argumet before
> > > > > > deciding a flag name or polarity.
> > > > > > 
> > > > > 
> > > > > I agree that it is not the end of the world and users do have to explicitly
> > > > > use fsid= argument to be able to export cgroupfs via nfsd.
> > > > > 
> > > > > The idea for this patch started from the claim that Jeff wrote that cgroups
> > > > > is not allowed for nfsd export, but I couldn't find where it is not allowed.
> > > > > 
> > > 
> > > I think that must have been a wrong assumption on my part. I don't see
> > > anything that specifically prevents that either. If cgroupfs is mounted
> > > and you tell mountd to export it, I don't see what would prevent that.
> > > 
> > > To be clear, I don't see how you would trick bog-standard mountd into
> > > exporting a filesystem that isn't mounted into its namespace, however.
> > > Writing a replacement for mountd is always a possibilty.
> > > 
> > > > > I have no issue personally with leaving cgroupfs exportable via nfsd
> > > > > and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
> > > > > 
> > > > > Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
> > > > 
> > > > We all seem to be hard-pressed to find a usage scenario where exporting
> > > > pseudo-filesystems via NFS is valuable. But maybe someone has done it
> > > > and has a good reason for it.
> > > > 
> > > > The issue is whether such export should be consistently and actively
> > > > prevented.
> > > > 
> > > > I'm not aware of any specific security issues with it.
> > > > 
> > > > 
> > > 
> > > I'm not either, but we are in new territory here. nfsd is a network
> > > service, so it does present more of an attack surface vs. local access.
> > > 
> > > In general, you do have to take active steps to export a filesystem,
> > > but if someone exports / with "crossmnt", everything mounted is
> > > potentially accessible. That's obviously a dumb thing to do, but people
> > > make mistakes, and it's possible that doing this could be part of a
> > > wider exploit.
> > > 
> > > I tend to think it safest to make exporting via nfsd an opt-in thing on
> > > a per-fs basis (along the lines of this patchset). If someone wants to
> > > allow access to more "exotic" filesystems, let them argue their use-
> > > case on the list first.
> > 
> > If we were starting from scratch, 100% agree.
> > 
> > The current situation is that these file systems appear to be exportable
> > (and not only via NFS). The proposal is that this facility is to be
> > taken away. This can easily turn into a behavior regression for someone
> > if we're not careful.
> 
> So I'm happy to drop the exportfs preliminary we have now preventing
> kernfs from being exported but then Christoph and you should figure out
> what the security implications of allowing kernfs instances to be
> exported areare because I'm not an NFS export expert.
> 
> Filesystems that fall under kernfs that are exportable by NFS as I
> currently understand it are at least:
> 
> (1) sysfs
> (2) cgroupfs
> 
> Has anyone ever actually tried to export the two and tested what
> happens? Because I wouldn't be surprised if this ended in tears but
> maybe I'm overly pessimistic.
> 
> Both (1) and (2) are rather special and don't have standard filesystem
> semantics in a few places.
> 
> - cgroupfs isn't actually namespace aware. Whereas most filesystems like
>   tmpfs and ramfs that are mountable inside unprivileged containers are
>   multi-instance filesystems, aka allocate a new superblock per
>   container cgroupfs is single-instance with a nasty implementation to
>   virtualize the per-container view via cgroup namespaces. I wouldn't be
>   surprised if that ends up being problematic.
> 
> - Cgroupfs has write-time permission checks as the process that is moved
>   into a cgroup isn't known at open time. That has been exploitable
>   before this was fixed.
> 
> - Even though it's legacy cgroup has a v1 and v2 mode where v1 is even
>   more messed up than v2 including the release-agent logic which ends up
>   issuing a usermode helper to call a binary when a cgroup is released.
> 
> - sysfs potentially exposes all kinds of extremly low-level information
>   to a remote machine.
> 
> None of this gives me the warm and fuzzy. But that's just me.
> 
> Otherwise, I don't understand what it means that a userspace NFS server
> can export kernfs instances. I don't know what that means and what the
> contrast to in-kernel NFS server export is and whether that has the same
> security implications. If so it's even scary that some random userspace
> NFS server can just expose guts like kernfs.
> 
> But if both of you feel that this is safe to do and there aren't any
> security issues lurking that have gone unnoticed simply because no one
> has really ever exported sysfs or cgroupfs then by all means continue
> allowing that. I'm rather skeptical.

Amir pointed that sysfs can't be exported as it opts out of kernfs
export_operations being set.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Christoph Hellwig]

On Tue, Dec 10, 2024 at 11:13:16AM +0100, Christian Brauner wrote:
> So I'm happy to drop the exportfs preliminary we have now preventing
> kernfs from being exported but then Christoph and you should figure out
> what the security implications of allowing kernfs instances to be
> exported areare because I'm not an NFS export expert.

I'm pretty sure you can do all kinds of really stupid things with it,
and very few if any useful ones.  But the litmus tests is if those are
things that only the kernel nfs server can do vs things that a userland
nfs (or other protocol) server could do the open by handle syscalls.
Because if they aren't specific to the kernel nfs server they are just
random policy for privileged actions.

Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles

[Jeff Layton]

On Tue, 2024-12-10 at 11:13 +0100, Christian Brauner wrote:
> On Mon, Dec 09, 2024 at 12:20:10PM -0500, Chuck Lever wrote:
> > On 12/9/24 12:15 PM, Jeff Layton wrote:
> > > On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
> > > > On 12/9/24 11:30 AM, Amir Goldstein wrote:
> > > > > On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@infradead.org> wrote:
> > > > > > 
> > > > > > On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
> > > > > > > To be clear, exporting pidfs or internal shmem via an anonymous fd is
> > > > > > > probably not possible with existing userspace tools, but with all the new
> > > > > > > mount_fd and magic link apis, I can never be sure what can be made possible
> > > > > > > to achieve when the user holds an anonymous fd.
> > > > > > > 
> > > > > > > The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
> > > > > > > was that when kernfs/cgroups was added exportfs support with commit
> > > > > > > aa8188253474 ("kernfs: add exportfs operations"), there was no intention
> > > > > > > to export cgroupfs over nfs, only local to uses, but that was never enforced,
> > > > > > > so we thought it would be good to add this restriction and backport it to
> > > > > > > stable kernels.
> > > > > > 
> > > > > > Can you please explain what the problem with exporting these file
> > > > > > systems over NFS is?  Yes, it's not going to be very useful.  But what
> > > > > > is actually problematic about it?  Any why is it not problematic with
> > > > > > a userland nfs server?  We really need to settle that argumet before
> > > > > > deciding a flag name or polarity.
> > > > > > 
> > > > > 
> > > > > I agree that it is not the end of the world and users do have to explicitly
> > > > > use fsid= argument to be able to export cgroupfs via nfsd.
> > > > > 
> > > > > The idea for this patch started from the claim that Jeff wrote that cgroups
> > > > > is not allowed for nfsd export, but I couldn't find where it is not allowed.
> > > > > 
> > > 
> > > I think that must have been a wrong assumption on my part. I don't see
> > > anything that specifically prevents that either. If cgroupfs is mounted
> > > and you tell mountd to export it, I don't see what would prevent that.
> > > 
> > > To be clear, I don't see how you would trick bog-standard mountd into
> > > exporting a filesystem that isn't mounted into its namespace, however.
> > > Writing a replacement for mountd is always a possibilty.
> > > 
> > > > > I have no issue personally with leaving cgroupfs exportable via nfsd
> > > > > and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
> > > > > 
> > > > > Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
> > > > 
> > > > We all seem to be hard-pressed to find a usage scenario where exporting
> > > > pseudo-filesystems via NFS is valuable. But maybe someone has done it
> > > > and has a good reason for it.
> > > > 
> > > > The issue is whether such export should be consistently and actively
> > > > prevented.
> > > > 
> > > > I'm not aware of any specific security issues with it.
> > > > 
> > > > 
> > > 
> > > I'm not either, but we are in new territory here. nfsd is a network
> > > service, so it does present more of an attack surface vs. local access.
> > > 
> > > In general, you do have to take active steps to export a filesystem,
> > > but if someone exports / with "crossmnt", everything mounted is
> > > potentially accessible. That's obviously a dumb thing to do, but people
> > > make mistakes, and it's possible that doing this could be part of a
> > > wider exploit.
> > > 
> > > I tend to think it safest to make exporting via nfsd an opt-in thing on
> > > a per-fs basis (along the lines of this patchset). If someone wants to
> > > allow access to more "exotic" filesystems, let them argue their use-
> > > case on the list first.
> > 
> > If we were starting from scratch, 100% agree.
> > 
> > The current situation is that these file systems appear to be exportable
> > (and not only via NFS). The proposal is that this facility is to be
> > taken away. This can easily turn into a behavior regression for someone
> > if we're not careful.
> 
> So I'm happy to drop the exportfs preliminary we have now preventing
> kernfs from being exported but then Christoph and you should figure out
> what the security implications of allowing kernfs instances to be
> exported areare because I'm not an NFS export expert.
> 
> Filesystems that fall under kernfs that are exportable by NFS as I
> currently understand it are at least:
> 
> (1) sysfs
> (2) cgroupfs
> 
> Has anyone ever actually tried to export the two and tested what
> happens? Because I wouldn't be surprised if this ended in tears but
> maybe I'm overly pessimistic.
> 
> Both (1) and (2) are rather special and don't have standard filesystem
> semantics in a few places.
> 
> - cgroupfs isn't actually namespace aware. Whereas most filesystems like
>   tmpfs and ramfs that are mountable inside unprivileged containers are
>   multi-instance filesystems, aka allocate a new superblock per
>   container cgroupfs is single-instance with a nasty implementation to
>   virtualize the per-container view via cgroup namespaces. I wouldn't be
>   surprised if that ends up being problematic.
> 
> - Cgroupfs has write-time permission checks as the process that is moved
>   into a cgroup isn't known at open time. That has been exploitable
>   before this was fixed.
> 
> - Even though it's legacy cgroup has a v1 and v2 mode where v1 is even
>   more messed up than v2 including the release-agent logic which ends up
>   issuing a usermode helper to call a binary when a cgroup is released.
> 
> - sysfs potentially exposes all kinds of extremly low-level information
>   to a remote machine.
> 
> None of this gives me the warm and fuzzy. But that's just me.
> 
> Otherwise, I don't understand what it means that a userspace NFS server
> can export kernfs instances. I don't know what that means and what the
> contrast to in-kernel NFS server export is and whether that has the same
> security implications. If so it's even scary that some random userspace
> NFS server can just expose guts like kernfs.
> 

A userspace NFS server can export anything to which it has access. If
cgroupfs or sysfs is mounted and the server is running with appropriate
permissions then there is nothing that prevents it from making that
available. It's helpful if the filesystem can implement
name_to_handle_at() and open_by_handle_at(), but even that isn't
specifically required.

> But if both of you feel that this is safe to do and there aren't any
> security issues lurking that have gone unnoticed simply because no one
> has really ever exported sysfs or cgroupfs then by all means continue
> allowing that. I'm rather skeptical.

I'm not sure I agree that it's "safe", but in order to export kernfs or
pidfs you have to explicitly set it up to be exported. Christoph has a
good point that we don't have a specific scenario that we're trying to
prevent here.

My main thinking here is that:

1/ exporting these fstypes is not something we consider useful

2/ by forbidding this now, we prevent someone from complaining that
there is a regression later if we do find that it's problematic and
have to forbid it

Also, if we forbid this now, that might force someone who does want to
do this to articulate their use-case publicly.
-- 
Jeff Layton <jlayton@kernel.org>