From: Al Viro <viro@zeniv.linux.org.uk>
To: Song Liu <song@kernel.org>
Cc: Jan Kara <jack@suse.cz>,
bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, kernel-team@meta.com,
andrii@kernel.org, eddyz87@gmail.com, ast@kernel.org,
daniel@iogearbox.net, martin.lau@linux.dev, brauner@kernel.org,
kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com,
repnop@google.com, jlayton@kernel.org, josef@toxicpanda.com,
mic@digikod.net, gnoack@google.com
Subject: Re: [PATCH bpf-next 3/4] bpf: Introduce path iterator
Date: Thu, 29 May 2025 19:35:36 +0100 [thread overview]
Message-ID: <20250529183536.GL2023217@ZenIV> (raw)
In-Reply-To: <CAPhsuW5pAvH3E1dVa85Kx2QsUSheSLobEMg-b0mOdtyfm7s4ug@mail.gmail.com>
On Thu, May 29, 2025 at 11:00:51AM -0700, Song Liu wrote:
> On Thu, May 29, 2025 at 10:38 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > On Thu, May 29, 2025 at 09:53:21AM -0700, Song Liu wrote:
> >
> > > Current version of path iterator only supports walking towards the root,
> > > with helper path_parent. But the path iterator API can be extended
> > > to cover other use cases.
> >
> > Clarify the last part, please - call me paranoid, but that sounds like
> > a beginning of something that really should be discussed upfront.
>
> We don't have any plan with future use cases yet. The only example
> I mentioned in the original version of the commit log is "walk the
> mount tree". IOW, it is similar to the current iterator, but skips non
> mount point iterations.
>
> Since we call it "path iterator", it might make sense to add ways to
> iterate the VFS tree in different patterns. For example, we may
> have an iterator that iterates all files within a directory. Again, we
> don't see urgent use cases other than the current "walk to root"
> iterator.
What kinds of locking environments can that end up used in?
The reason why I'm getting more and more unhappy with this thing is
that it sounds like a massive headache for any correctness analysis in
VFS work.
Going straight to the root starting at a point you already have pinned
is relatively mild - you can't do path_put() in any blocking contexts,
obviously, and you'd better be careful with what you are doing on
mountpoint traversal (e.g. combined with "now let's open that directory
and read it" it's an instant "hell, no" - you could easily bypass MNT_LOCKED
restrictions that way), but if there's a threat of that getting augmented
with other things (iterating through all files in directory would be
a very different beast from the locking POV, if nothing else)... ouch.
Basically, you are creating a spot we will need to watch very carefully
from now on. And the rationale appears to include "so that we could
expose that to random out-of-tree code that decided to call itself LSM",
so pardon me for being rather suspicious about the details.
PS: one general observation: "some LSM does it" does not imply even
"what that LSM is doing is sane and safe", let along "what that LSM is
doing doesn't happen to avoid breakage only by accident".
next prev parent reply other threads:[~2025-05-29 18:35 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 22:26 [PATCH bpf-next 0/4] bpf path iterator Song Liu
2025-05-28 22:26 ` [PATCH bpf-next 1/4] namei: Introduce new helper function path_parent() Song Liu
2025-05-28 22:26 ` [PATCH bpf-next 2/4] landlock: Use path_parent() Song Liu
2025-05-31 13:51 ` Tingmao Wang
2025-06-02 13:36 ` Song Liu
2025-06-03 0:10 ` Song Liu
2025-06-03 12:47 ` Mickaël Salaün
2025-06-02 17:35 ` Mickaël Salaün
2025-06-02 22:56 ` Tingmao Wang
2025-05-28 22:26 ` [PATCH bpf-next 3/4] bpf: Introduce path iterator Song Liu
2025-05-28 22:37 ` Al Viro
2025-05-29 11:58 ` Jan Kara
2025-05-29 16:53 ` Song Liu
2025-05-29 16:57 ` Alexei Starovoitov
2025-05-29 17:05 ` Song Liu
2025-05-30 14:20 ` Mickaël Salaün
2025-06-02 9:41 ` Christian Brauner
2025-06-03 9:46 ` Jan Kara
2025-06-03 12:49 ` Mickaël Salaün
2025-06-03 21:13 ` Jan Kara
2025-05-29 17:38 ` Al Viro
2025-05-29 18:00 ` Song Liu
2025-05-29 18:35 ` Al Viro [this message]
2025-05-29 19:46 ` Song Liu
2025-05-29 20:15 ` Al Viro
2025-05-29 21:07 ` Song Liu
2025-05-29 21:45 ` Al Viro
2025-05-29 22:13 ` Song Liu
2025-05-29 23:10 ` Al Viro
2025-05-30 0:42 ` Song Liu
2025-05-30 12:20 ` Mickaël Salaün
2025-05-30 18:43 ` Al Viro
2025-05-31 8:39 ` Mickaël Salaün
2025-06-02 9:32 ` Christian Brauner
2025-05-30 18:55 ` Song Liu
2025-05-31 8:40 ` Mickaël Salaün
2025-05-31 14:05 ` Tingmao Wang
2025-06-01 23:33 ` Song Liu
2025-06-04 0:58 ` Tingmao Wang
2025-06-02 9:30 ` Christian Brauner
2025-06-02 9:27 ` Christian Brauner
2025-06-02 13:27 ` Song Liu
2025-06-02 15:40 ` Alexei Starovoitov
2025-06-02 21:39 ` Song Liu
2025-05-28 22:26 ` [PATCH bpf-next 4/4] selftests/bpf: Add tests for bpf " Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250529183536.GL2023217@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnoack@google.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@meta.com \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=mic@digikod.net \
--cc=repnop@google.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).