From: Hongbo Li <lihongbo22@huawei.com>
To: "Darrick J. Wong" <djwong@kernel.org>,
Christian Brauner <brauner@kernel.org>
Cc: <jack@suse.cz>, <viro@zeniv.linux.org.uk>, <gnoack@google.com>,
<mic@digikod.net>, <linux-fsdevel@vger.kernel.org>,
<linux-security-module@vger.kernel.org>
Subject: Re: [RFC PATCH] fs: obtain the inode generation number from vfs directly
Date: Wed, 28 Aug 2024 10:16:03 +0800 [thread overview]
Message-ID: <365c0861-2ec9-4722-86ca-d59bf5643268@huawei.com> (raw)
In-Reply-To: <20240827171148.GN6043@frogsfrogsfrogs>
On 2024/8/28 1:11, Darrick J. Wong wrote:
> On Tue, Aug 27, 2024 at 11:22:17AM +0200, Christian Brauner wrote:
>> On Mon, Aug 26, 2024 at 10:37:12PM GMT, Darrick J. Wong wrote:
>>> On Tue, Aug 27, 2024 at 10:32:38AM +0800, Hongbo Li wrote:
>>>>
>>>>
>>>> On 2024/8/27 10:13, Darrick J. Wong wrote:
>>>>> On Tue, Aug 27, 2024 at 01:41:08AM +0000, Hongbo Li wrote:
>>>>>> Many mainstream file systems already support the GETVERSION ioctl,
>>>>>> and their implementations are completely the same, essentially
>>>>>> just obtain the value of i_generation. We think this ioctl can be
>>>>>> implemented at the VFS layer, so the file systems do not need to
>>>>>> implement it individually.
>>>>>
>>>>> What if a filesystem never touches i_generation? Is it ok to advertise
>>>>> a generation number of zero when that's really meaningless? Or should
>>>>> we gate the generic ioctl on (say) whether or not the fs implements file
>>>>> handles and/or supports nfs?
>>>>
>>>> This ioctl mainly returns the i_generation, and whether it has meaning is up
>>>> to the specific file system. Some tools will invoke IOC_GETVERSION, such as
>>>> `lsattr -v`(but if it's lattr, it won't), but users may not necessarily
>>>> actually use this value.
>>>
>>> That's not how that works. If the kernel starts exporting a datum,
>>> people will start using it, and then the expectation that it will
>>> *continue* to work becomes ingrained in the userspace ABI forever.
>>> Be careful about establishing new behaviors for vfat.
>>
>> Is the meaning even the same across all filesystems? And what is the
>> meaning of this anyway? Is this described/defined for userspace
>> anywhere?
>
> AFAICT there's no manpage so I guess we could return getrandom32() if we
> wanted to. ;)
>
> But in seriousness, the usual four filesystems return i_generation.
> That is changed every time an inumber gets reused so that anyone with an
> old file handle cannot accidentally open the wrong file. In theory one
> could use GETVERSION to construct file handles (if you do, UHLHAND!)
> instead of using name_to_handle_at, which is why it's dangerous to
> implement GETVERSION for everyone without checking if i_generation makes
> sense.
I'm not sure if my understanding of you is correct. As my humble
opinions, the ioctl is for returning information to the user, and it
cannot rely on this information returned to the user to ensure the
security. If the file system wants to be secure internally, it should
decouple from the VFS layer interface, rather than just not implementing it.
For NFS, constructing a file handle is easy, you can successfully
construct a file handle by capturing the nfs protocol packet even
thought the i_generation is not exposed.
Thanks,
Hongbo
>
> --D
next prev parent reply other threads:[~2024-08-28 2:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-27 1:41 [RFC PATCH] fs: obtain the inode generation number from vfs directly Hongbo Li
2024-08-27 2:13 ` Darrick J. Wong
2024-08-27 2:32 ` Hongbo Li
2024-08-27 5:37 ` Darrick J. Wong
2024-08-27 9:22 ` Christian Brauner
2024-08-27 17:11 ` Darrick J. Wong
2024-08-28 2:16 ` Hongbo Li [this message]
2024-08-28 3:44 ` Theodore Ts'o
2024-08-28 5:38 ` Dave Chinner
2024-08-28 15:55 ` Jan Kara
2024-08-29 1:46 ` Darrick J. Wong
2024-08-29 13:34 ` Dave Chinner
2024-08-27 2:53 ` Matthew Wilcox
2024-08-27 3:07 ` Hongbo Li
2024-08-28 4:27 ` Dave Chinner
2024-08-28 16:36 ` Tavian Barnes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=365c0861-2ec9-4722-86ca-d59bf5643268@huawei.com \
--to=lihongbo22@huawei.com \
--cc=brauner@kernel.org \
--cc=djwong@kernel.org \
--cc=gnoack@google.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox