<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.linux.file-systems">
    <title>gmane.linux.file-systems</title>
    <link>http://blog.gmane.org/gmane.linux.file-systems</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27815"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27814"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27813"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27812"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27811"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27810"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27809"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27808"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27807"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27806"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27805"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27804"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27800"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27799"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27797"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27796"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27795"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27793"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27791"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.file-systems/27790"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27815">
    <title>Re: [PATCH 0/7] cifs: clean up socket creation, connection and sending (try #2)</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27815</link>
    <description>After review of Jeff's 2 recent patch series, and discussion with Jeff
on IRC (as a result Jeff respun and made minor modifications to a
couple), I have just merged 10 of his 14 patches into cifs-2.6.git.
See below:

3 min ago Jeff Layton cifs: make ipv6_connect take a TCP_Server_Info
3 min ago Jeff Layton cifs: make ipv4_connect take a TCP_Server_Info
14 min ago Jeff Layton cifs: don't declare smb_vol info on the stack
15 min ago Jeff Layton cifs: move allocation of new TCP_Server_Info
into separ ...
7 min ago Jeff Layton cifs: account for IPv6 in ses-&gt;serverName and clean ...
21 min ago Jeff Layton cifs: make dnotify thread experimental code
5 hours ago Jeff Layton cifs: convert tcpSem to a mutex
5 hours ago Jeff Layton cifs: take module reference when starting cifsd
6 hours ago Jeff Layton cifs: display addr and prefixpath options in /proc ...
6 hours ago Jeff Layton cifs: remove unused SMB session pointer from
struct ...

On Sun, Nov 30, 2008 at 12:40 PM, Jeff Layton &lt;jlayton&lt; at &gt;redhat.com&gt; wrote:



</description>
    <dc:creator>Steve French</dc:creator>
    <dc:date>2008-12-02T01:43:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27814">
    <title>[patch 11/11] VFS: lseek(fd, 0, SEEK_CUR) race condition</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27814</link>
    <description>From: Alain Knaff &lt;alain&lt; at &gt;knaff.lu&gt;

This patch fixes a race condition in lseek.  While it is expected that
unpredictable behaviour may result while repositioning the offset of a
file descriptor concurrently with reading/writing to the same file
descriptor, this should not happen when merely *reading* the file
descriptor's offset.

Unfortunately, the only portable way in Unix to read a file
descriptor's offset is lseek(fd, 0, SEEK_CUR); however executing this
concurrently with read/write may mess up the position, as shown by the
testcase below:

#include &lt;sys/types.h&gt;
#include &lt;stdio.h&gt;
#include &lt;pthread.h&gt;
#include &lt;unistd.h&gt;
#include &lt;errno.h&gt;
#include &lt;string.h&gt;

void *loop(void *ptr)
{
  fprintf(stderr, "Starting seek thread\n");
  while(1) {
    if(lseek(0, 0LL, SEEK_CUR) &lt; 0LL)
      perror("seek");
  }
}

int main(int argc, char **argv) {
  long long l=0;
  int r;
  char buf[4096];

  pthread_t thread;
  pthread_create(&amp;thread, 0, loop, 0);

  for(r=0; 1 ; r++) {
    int n = read(0, buf, 4096);
    if(n == 0)
      break;
    if(n &lt; 4096) {
      fprintf(stderr, "Short read %d %s\n", n, strerror(errno));
    }
    l+= n;
  }
  fprintf(stderr, "Read %lld bytes\n", l);

  return 0;
}

Compile this and run it on a multi-processor machine as
 ./a.out &lt;bigFile

where bigFile is a 1 Gigabyte file. It should print 1073741824.
However, on a buggy kernel, it usually produces a bigger number. The
problem only happens on a multiprocessor machine. This is because an
lseek(fd, 0, SEEK_CUR) running concurrently with a read() or write()
will reset the position back to what it used to be when the read()
started.

This behavior was observed "in the wild" when using udpcast which uses
lseek to monitor progress of reading/writing the uncompressed data.

The patch below fixes the issue by "special-casing" the lseek(fd, 0,
SEEK_CUR) pattern.

Apparently, an attempt was already made to fix the issue by the
following code:

	if (offset != file-&gt;f_pos) {
		file-&gt;f_pos = offset;
		file-&gt;f_version = 0;
	}

However, this doesn't work if file-&gt;f_pos was changed (by read() or
write()) between the time offset was computed, and the time where it
considers writing it back.

Signed-off-by: Alain Knaff &lt;alain&lt; at &gt;knaff.lu&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/read_write.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff -puN fs/read_write.c~vfs-lseekfd-0-seek_cur-race-condition fs/read_write.c
--- a/fs/read_write.c~vfs-lseekfd-0-seek_cur-race-condition
+++ a/fs/read_write.c
&lt; at &gt;&lt; at &gt; -50,6 +50,14 &lt; at &gt;&lt; at &gt; generic_file_llseek_unlocked(struct file
 offset += inode-&gt;i_size;
 break;
 case SEEK_CUR:
+/*
+ * Here we special-case the lseek(fd, 0, SEEK_CUR)
+ * position-querying operation.  Avoid rewriting the "same"
+ * f_pos value back to the file because a concurrent read(),
+ * write() or lseek() might have altered it
+ */
+if (offset == 0)
+return file-&gt;f_pos;
 offset += file-&gt;f_pos;
 break;
 }
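
Review bot: The "if (offset == 0)" early return in the SEEK_CUR case only covers the position query; any other relative offset still goes through "offset += file-&gt;f_pos;" and the write-back quoted in the changelog, an unsynchronised read-modify-write of f_pos that a concurrent read() or write() can still interleave with. The new comment should say that it fixes the query pattern only, so nobody reads it as making relative seeks safe against concurrent I/O.
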
&lt; at &gt;&lt; at &gt; -105,6 +113,14 &lt; at &gt;&lt; at &gt; loff_t default_llseek(struct file *file,
 offset += i_size_read(file-&gt;f_path.dentry-&gt;d_inode);
 break;
 case SEEK_CUR:
+/*
+ * See SEEK_CUR description in
+ * generic_file_llseek_unlocked()
+ */
+if (offset == 0) {
+retval = file-&gt;f_pos;
+goto out;
+}
 offset += file-&gt;f_pos;
 }
 retval = -EINVAL;
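
Review bot: The comment added to the SEEK_CUR case of default_llseek() only points at generic_file_llseek_unlocked(), which leaves a reader of this function to look elsewhere for why "goto out" skips the "retval = -EINVAL" check that follows. One sentence here stating that f_pos is returned untouched for the query case would make this copy self-explanatory.
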
&lt; at &gt;&lt; at &gt; -115,6 +131,7 &lt; at &gt;&lt; at &gt; loff_t default_llseek(struct file *file,
 }
 retval = offset;
 }
+out:
 unlock_kernel();
 return retval;
 }
_
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo&lt; at &gt;vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:35:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27813">
    <title>[patch 10/11] vfs: expand some comments (d_path / seq_path)</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27813</link>
    <description>From: Arjan van de Ven &lt;arjan&lt; at &gt;infradead.org&gt;

Explain that you really need to use the return value of d_path rather than
the buffer you passed into it.

Also fix the comment for seq_path(), the function arguments changed
recently but the comment hadn't been updated in sync.

Signed-off-by: Arjan van de Ven &lt;arjan&lt; at &gt;linux.intel.com&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/dcache.c   |    8 ++++++--
 fs/seq_file.c |   10 ++++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff -puN fs/dcache.c~vfs-expand-some-comments-d_path-seq_path fs/dcache.c
--- a/fs/dcache.c~vfs-expand-some-comments-d_path-seq_path
+++ a/fs/dcache.c
&lt; at &gt;&lt; at &gt; -1912,7 +1912,8 &lt; at &gt;&lt; at &gt; static int prepend_name(char **buffer, i
  * Convert a dentry into an ASCII path name. If the entry has been deleted
  * the string " (deleted)" is appended. Note that this is ambiguous.
  *
- * Returns the buffer or an error code if the path was too long.
+ * Returns a pointer into the buffer or an error code if the
+ * path was too long.
  *
  * "buflen" should be positive. Caller holds the dcache_lock.
  *
&lt; at &gt;&lt; at &gt; -1988,7 +1989,10 &lt; at &gt;&lt; at &gt; Elong:
  * Convert a dentry into an ASCII path name. If the entry has been deleted
  * the string " (deleted)" is appended. Note that this is ambiguous.
  *
- * Returns the buffer or an error code if the path was too long.
+ * Returns a pointer into the buffer or an error code if the path was
+ * too long. Note: Callers should use the returned pointer, not the passed
+ * in buffer, to use the name! The implementation often starts at an offset
+ * into the buffer, and may leave 0 bytes at the start.
  *
  * "buflen" should be positive.
  */
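
Review bot: "may leave 0 bytes at the start" in this second comment block can be read as "leaves no bytes" as easily as "leaves NUL bytes"; say which is meant. The warning to use the returned pointer is also added only here, while the first block (the one ending "Caller holds the dcache_lock") gets just the "pointer into the buffer" wording; repeat or cross-reference the warning so the two comments agree.
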
diff -puN fs/seq_file.c~vfs-expand-some-comments-d_path-seq_path fs/seq_file.c
--- a/fs/seq_file.c~vfs-expand-some-comments-d_path-seq_path
+++ a/fs/seq_file.c
&lt; at &gt;&lt; at &gt; -389,8 +389,14 &lt; at &gt;&lt; at &gt; char *mangle_path(char *s, char *p, char
 }
 EXPORT_SYMBOL_GPL(mangle_path);
 
-/*
- * return the absolute path of 'dentry' residing in mount 'mnt'.
+/**
+ * seq_path - seq_file interface to print a pathname
+ * &lt; at &gt;m: the seq_file handle
+ * &lt; at &gt;path: the struct path to print
+ * &lt; at &gt;esc: set of characters to escape in the output
+ *
+ * return the absolute path of 'path', as represented by the
+ * dentry / mnt pair in the path parameter.
  */
 int seq_path(struct seq_file *m, struct path *path, char *esc)
 {
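
Review bot: The new kernel-doc block for seq_path() documents the three parameters but still says "return the absolute path of 'path'", while the function is declared "int seq_path(...)". Describe what the int return value is, and word the path itself as output written through the seq_file handle.
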
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:35:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27812">
    <title>[patch 09/11] vfs: correct wrong function name of d_put in kernel document and source comment</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27812</link>
    <description>From: Zhaolei &lt;zhaolei&lt; at &gt;cn.fujitsu.com&gt;

There is no function named d_put(); it should be dput().

Impact: fix document and comment, no functionality changed

Signed-off-by: Zhao Lei &lt;zhaolei&lt; at &gt;cn.fuijtsu.com&gt;
Signed-off-by: Randy Dunlap &lt;rdunlap&lt; at &gt;xenotime.net&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 Documentation/filesystems/vfs.txt |    2 +-
 fs/dcache.c                       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff -puN Documentation/filesystems/vfs.txt~vfs-correct-wrong-function-name-of-d_put-in-kernel-document-and-source-comment Documentation/filesystems/vfs.txt
--- a/Documentation/filesystems/vfs.txt~vfs-correct-wrong-function-name-of-d_put-in-kernel-document-and-source-comment
+++ a/Documentation/filesystems/vfs.txt
&lt; at &gt;&lt; at &gt; -931,7 +931,7 &lt; at &gt;&lt; at &gt; manipulate dentries:
   d_lookup: look up a dentry given its parent and path name component
 It looks up the child of that given name from the dcache
 hash table. If it is found, the reference count is incremented
-and the dentry is returned. The caller must use d_put()
+and the dentry is returned. The caller must use dput()
 to free the dentry when it finishes using it.
 
 For further information on dentry locking, please refer to the document
diff -puN fs/dcache.c~vfs-correct-wrong-function-name-of-d_put-in-kernel-document-and-source-comment fs/dcache.c
--- a/fs/dcache.c~vfs-correct-wrong-function-name-of-d_put-in-kernel-document-and-source-comment
+++ a/fs/dcache.c
&lt; at &gt;&lt; at &gt; -1337,7 +1337,7 &lt; at &gt;&lt; at &gt; err_out:
  *
  * Searches the children of the parent dentry for the name in question. If
  * the dentry is found its reference count is incremented and the dentry
- * is returned. The caller must use d_put to free the entry when it has
+ * is returned. The caller must use dput to free the entry when it has
  * finished using it. %NULL is returned on failure.
  *
  * __d_lookup is dcache_lock free. The hash list is protected using RCU.
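
Review bot: In this fs/dcache.c comment the corrected name is written "dput" without parentheses, while the vfs.txt hunk writes "dput()". Use "dput()" in both places so the function reference is consistent and easy to grep for.
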
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27811">
    <title>[patch 04/11] vfs: introduce new LSM hooks where vfsmount is available.</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27811</link>
    <description>From: Kentaro Takeda &lt;takedakn&lt; at &gt;nttdata.co.jp&gt;

----- What is this patch for? -----

There are security_inode_*() LSM hooks for attribute-based MAC, but they are not
suitable for pathname-based MAC because they don't receive "struct vfsmount"
information.

----- How was this patch developed? -----

Two pathname-based MACs, AppArmor and TOMOYO Linux, are trying to merge
upstream. But because of the "struct vfsmount" problem, they have been unable
to merge upstream.

Here is the list of approaches and the reasons for denial.

(1) Not using LSM
 http://lwn.net/Articles/277833/

 This approach was rejected because security modules should use LSM because the
 whole idea behind LSM was to have a single set of hooks for all security
 modules; if every module now adds its own set of hooks, that purpose will have
 been defeated and the kernel will turn into a big mess of security hooks.

(2) Retrieving "struct vfsmount" from "struct task_struct".
 http://lkml.org/lkml/2007/11/5/388

 Since "struct task_struct" contains a list of "struct vfsmount",
 "struct vfsmount" which corresponds to "struct dentry" can be retrieved from
 the list unless "mount --bind" is used.

 This approach turned out to cause a critical problem: getting the namespace_sem
 lock from security_inode_*() triggers an AB-BA deadlock.

(3) Adding "struct vfsmount" parameter to VFS helper functions.
 http://lkml.org/lkml/2008/5/29/207

 This approach adds "struct vfsmount" to VFS helper functions (e.g. vfs_mkdir()
 and vfs_symlink()) and LSM hooks inside VFS helper functions. This approach is
 helpful not only for AppArmor and TOMOYO Linux 2.x but also for SELinux and
 auditing purposes, for this approach allows existing LSM users to use pathnames
 in their access control and audit logs.

 This approach was rejected by Al Viro, the VFS maintainer, because he thinks
 individual filesystems should remain "struct vfsmount"-unaware and VFS helper
 functions should not receive "struct vfsmount".

 Al Viro also suggested moving the existing security_inode_*() out of the VFS
 helper functions so that security_inode_*() can receive "struct vfsmount"
 without modifying VFS helper functions, but this suggestion was opposed by
 Stephen Smalley because changing the order of permission checks (i.e.
 MAC checks before DAC checks) is not acceptable.

(4) Passing "struct vfsmount" via "struct task_struct".
 http://lkml.org/lkml/2007/11/16/157

 Since we didn't understand the reason why accessing "struct vfsmount" from
 LSM hooks inside VFS helper functions is not acceptable, we thought the reason
 why VFS helper functions don't receive "struct vfsmount" is the amount of
 modifications needed to do so. Thus, we proposed to pass "struct vfsmount" via
 "struct task_struct" so that modifications remain minimal.

 This approach was rejected because this is an abuse of "struct task_struct".

(5) Remembering pathname of "struct vfsmount" via "struct task_struct".
 http://lkml.org/lkml/2008/8/19/16

 Since pathname of a "struct dentry" up to the mount point can be calculated
 without "struct vfsmount", absolute pathname of a "struct dentry" can be
 calculated if "struct task_struct" can remember absolute pathname of a
 "struct vfsmount" which corresponds to "struct dentry".
 As we now understand that Al Viro is opposed to accessing "struct vfsmount" from
 LSM hooks inside VFS helper functions, we gave up delivering "struct vfsmount"
 to LSM hooks inside VFS helper functions.
 Kernel 2.6.26 introduced the read-only bind mount feature, and hooks for that
 feature (i.e. mnt_want_write() and mnt_drop_write()) were inserted around
 VFS helper function calls. Since mnt_want_write() receives "struct vfsmount"
 which corresponds to "struct dentry" that will be passed to the subsequent VFS
 helper function call, we associated the pathname of "struct vfsmount" with
 "struct task_struct" instead of associating "struct vfsmount" itself.

 This approach was not explicitly rejected, but there seems to be a performance
 problem.

(6) Introducing new LSM hooks.
 (this patch)

 We understand that adding new LSM hooks which receive "struct vfsmount" outside
 VFS helper functions is the most straightforward approach. This approach has
 less impact on existing LSM modules and no impact on VFS helper functions.

Signed-off-by: Kentaro Takeda &lt;takedakn&lt; at &gt;nttdata.co.jp&gt;
Signed-off-by: Tetsuo Handa &lt;penguin-kernel&lt; at &gt;I-love.SAKURA.ne.jp&gt;
Signed-off-by: Toshiharu Harada &lt;haradats&lt; at &gt;nttdata.co.jp&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Cc: Crispin Cowan &lt;crispin&lt; at &gt;crispincowan.com&gt;
Cc: Stephen Smalley &lt;sds&lt; at &gt;tycho.nsa.gov&gt;
Cc: Casey Schaufler &lt;casey&lt; at &gt;schaufler-ca.com&gt;
Cc: James Morris &lt;jmorris&lt; at &gt;namei.org&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/namei.c               |   37 +++++++++
 fs/open.c                |    5 +
 include/linux/security.h |  139 +++++++++++++++++++++++++++++++++++++
 net/unix/af_unix.c       |    4 +
 security/Kconfig         |    9 ++
 security/capability.c    |   57 +++++++++++++++
 security/security.c      |   66 +++++++++++++++++
 7 files changed, 317 insertions(+)

diff -puN fs/namei.c~introduce-new-lsm-hooks-where-vfsmount-is-available fs/namei.c
--- a/fs/namei.c~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/fs/namei.c
&lt; at &gt;&lt; at &gt; -1556,6 +1556,10 &lt; at &gt;&lt; at &gt; int may_open(struct nameidata *nd, int a
  * Refuse to truncate files with mandatory locks held on them.
  */
 error = locks_verify_locked(inode);
+if (!error)
+error = security_path_truncate(&amp;nd-&gt;path, 0,
+       ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,
+       NULL);
 if (!error) {
 DQUOT_INIT(inode);
 
&lt; at &gt;&lt; at &gt; -1586,7 +1590,11 &lt; at &gt;&lt; at &gt; static int __open_namei_create(struct na
 
 if (!IS_POSIXACL(dir-&gt;d_inode))
 mode &amp;= ~current-&gt;fs-&gt;umask;
+error = security_path_mknod(&amp;nd-&gt;path, path-&gt;dentry, mode, 0);
+if (error)
+goto out_unlock;
 error = vfs_create(dir-&gt;d_inode, path-&gt;dentry, mode, nd);
+out_unlock:
 mutex_unlock(&amp;dir-&gt;d_inode-&gt;i_mutex);
 dput(nd-&gt;path.dentry);
 nd-&gt;path.dentry = path-&gt;dentry;
&lt; at &gt;&lt; at &gt; -1999,6 +2007,9 &lt; at &gt;&lt; at &gt; asmlinkage long sys_mknodat(int dfd, con
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto out_dput;
+error = security_path_mknod(&amp;nd.path, dentry, mode, dev);
+if (error)
+goto out_drop_write;
 switch (mode &amp; S_IFMT) {
 case 0: case S_IFREG:
 error = vfs_create(nd.path.dentry-&gt;d_inode,dentry,mode,&amp;nd);
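
Review bot: In sys_mknodat() security_path_mknod() is handed "mode" ahead of the "switch (mode &amp; S_IFMT)", whose "case 0:" is treated the same as S_IFREG, so a hook can receive a mode with no file-type bits set. The path_mknod description in security.h should state this, otherwise a module that compares the type bits against S_IFREG will not recognise this form of regular-file creation.
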
&lt; at &gt;&lt; at &gt; -2011,6 +2022,7 &lt; at &gt;&lt; at &gt; asmlinkage long sys_mknodat(int dfd, con
 error = vfs_mknod(nd.path.dentry-&gt;d_inode,dentry,mode,0);
 break;
 }
+out_drop_write:
 mnt_drop_write(nd.path.mnt);
 out_dput:
 dput(dentry);
&lt; at &gt;&lt; at &gt; -2070,7 +2082,11 &lt; at &gt;&lt; at &gt; asmlinkage long sys_mkdirat(int dfd, con
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto out_dput;
+error = security_path_mkdir(&amp;nd.path, dentry, mode);
+if (error)
+goto out_drop_write;
 error = vfs_mkdir(nd.path.dentry-&gt;d_inode, dentry, mode);
+out_drop_write:
 mnt_drop_write(nd.path.mnt);
 out_dput:
 dput(dentry);
&lt; at &gt;&lt; at &gt; -2180,7 +2196,11 &lt; at &gt;&lt; at &gt; static long do_rmdir(int dfd, const char
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto exit3;
+error = security_path_rmdir(&amp;nd.path, dentry);
+if (error)
+goto exit4;
 error = vfs_rmdir(nd.path.dentry-&gt;d_inode, dentry);
+exit4:
 mnt_drop_write(nd.path.mnt);
 exit3:
 dput(dentry);
&lt; at &gt;&lt; at &gt; -2265,7 +2285,11 &lt; at &gt;&lt; at &gt; static long do_unlinkat(int dfd, const c
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto exit2;
+error = security_path_unlink(&amp;nd.path, dentry);
+if (error)
+goto exit3;
 error = vfs_unlink(nd.path.dentry-&gt;d_inode, dentry);
+exit3:
 mnt_drop_write(nd.path.mnt);
 exit2:
 dput(dentry);
&lt; at &gt;&lt; at &gt; -2346,7 +2370,11 &lt; at &gt;&lt; at &gt; asmlinkage long sys_symlinkat(const char
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto out_dput;
+error = security_path_symlink(&amp;nd.path, dentry, from);
+if (error)
+goto out_drop_write;
 error = vfs_symlink(nd.path.dentry-&gt;d_inode, dentry, from);
+out_drop_write:
 mnt_drop_write(nd.path.mnt);
 out_dput:
 dput(dentry);
&lt; at &gt;&lt; at &gt; -2443,7 +2471,11 &lt; at &gt;&lt; at &gt; asmlinkage long sys_linkat(int olddfd, c
 error = mnt_want_write(nd.path.mnt);
 if (error)
 goto out_dput;
+error = security_path_link(old_path.dentry, &amp;nd.path, new_dentry);
+if (error)
+goto out_drop_write;
 error = vfs_link(old_path.dentry, nd.path.dentry-&gt;d_inode, new_dentry);
+out_drop_write:
 mnt_drop_write(nd.path.mnt);
 out_dput:
 dput(new_dentry);
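
Review bot: security_path_link() in sys_linkat() is passed "old_path.dentry" only, so the mount of the existing link (old_path.mnt) never reaches the hook even though a full struct path is at hand. If the hook is meant to rely on the old and new names sharing nd.path.mnt, state that in the path_link documentation; otherwise pass "&amp;old_path" so a pathname-based module can resolve the old name on its own mount.
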
&lt; at &gt;&lt; at &gt; -2677,8 +2709,13 &lt; at &gt;&lt; at &gt; asmlinkage long sys_renameat(int olddfd,
 error = mnt_want_write(oldnd.path.mnt);
 if (error)
 goto exit5;
+error = security_path_rename(&amp;oldnd.path, old_dentry,
+     &amp;newnd.path, new_dentry);
+if (error)
+goto exit6;
 error = vfs_rename(old_dir-&gt;d_inode, old_dentry,
    new_dir-&gt;d_inode, new_dentry);
+exit6:
 mnt_drop_write(oldnd.path.mnt);
 exit5:
 dput(new_dentry);
diff -puN fs/open.c~introduce-new-lsm-hooks-where-vfsmount-is-available fs/open.c
--- a/fs/open.c~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/fs/open.c
&lt; at &gt;&lt; at &gt; -272,6 +272,8 &lt; at &gt;&lt; at &gt; static long do_sys_truncate(const char _
 goto put_write_and_out;
 
 error = locks_verify_truncate(inode, NULL, length);
+if (!error)
+error = security_path_truncate(&amp;path, length, 0, NULL);
 if (!error) {
 DQUOT_INIT(inode);
 error = do_truncate(path.dentry, length, 0, NULL);
&lt; at &gt;&lt; at &gt; -329,6 +331,9 &lt; at &gt;&lt; at &gt; static long do_sys_ftruncate(unsigned in
 
 error = locks_verify_truncate(inode, file, length);
 if (!error)
+error = security_path_truncate(&amp;file-&gt;f_path, length,
+       ATTR_MTIME|ATTR_CTIME, file);
+if (!error)
 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
 out_putf:
 fput(file);
diff -puN include/linux/security.h~introduce-new-lsm-hooks-where-vfsmount-is-available include/linux/security.h
--- a/include/linux/security.h~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/include/linux/security.h
&lt; at &gt;&lt; at &gt; -335,17 +335,37 &lt; at &gt;&lt; at &gt; static inline void security_free_mnt_opt
  *&lt; at &gt;dir contains the inode structure of the parent directory of the new link.
  *&lt; at &gt;new_dentry contains the dentry structure for the new link.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_link:
+ *Check permission before creating a new hard link to a file.
+ *&lt; at &gt;old_dentry contains the dentry structure for an existing link
+ *to the file.
+ *&lt; at &gt;new_dir contains the path structure of the parent directory of
+ *the new link.
+ *&lt; at &gt;new_dentry contains the dentry structure for the new link.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_unlink:
  *Check the permission to remove a hard link to a file.
  *&lt; at &gt;dir contains the inode structure of parent directory of the file.
  *&lt; at &gt;dentry contains the dentry structure for file to be unlinked.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_unlink:
+ *Check the permission to remove a hard link to a file.
+ *&lt; at &gt;dir contains the path structure of parent directory of the file.
+ *&lt; at &gt;dentry contains the dentry structure for file to be unlinked.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_symlink:
  *Check the permission to create a symbolic link to a file.
  *&lt; at &gt;dir contains the inode structure of parent directory of the symbolic link.
  *&lt; at &gt;dentry contains the dentry structure of the symbolic link.
  *&lt; at &gt;old_name contains the pathname of file.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_symlink:
+ *Check the permission to create a symbolic link to a file.
+ *&lt; at &gt;dir contains the path structure of parent directory of
+ *the symbolic link.
+ *&lt; at &gt;dentry contains the dentry structure of the symbolic link.
+ *&lt; at &gt;old_name contains the pathname of file.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_mkdir:
  *Check permissions to create a new directory in the existing directory
  *associated with inode strcture &lt; at &gt;dir.
&lt; at &gt;&lt; at &gt; -353,11 +373,25 &lt; at &gt;&lt; at &gt; static inline void security_free_mnt_opt
  *&lt; at &gt;dentry contains the dentry structure of new directory.
  *&lt; at &gt;mode contains the mode of new directory.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_mkdir:
+ *Check permissions to create a new directory in the existing directory
+ *associated with path strcture &lt; at &gt;path.
+ *&lt; at &gt;dir containst the path structure of parent of the directory
+ *to be created.
+ *&lt; at &gt;dentry contains the dentry structure of new directory.
+ *&lt; at &gt;mode contains the mode of new directory.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_rmdir:
  *Check the permission to remove a directory.
  *&lt; at &gt;dir contains the inode structure of parent of the directory to be removed.
  *&lt; at &gt;dentry contains the dentry structure of directory to be removed.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_rmdir:
+ *Check the permission to remove a directory.
+ *&lt; at &gt;dir contains the path structure of parent of the directory to be
+ *removed.
+ *&lt; at &gt;dentry contains the dentry structure of directory to be removed.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_mknod:
  *Check permissions when creating a special file (or a socket or a fifo
  *file created via the mknod system call).  Note that if mknod operation
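
Review bot: The added path_mkdir text says "associated with path strcture @path", but the hook's parameter is named dir, as the very next added line documents. Change it to "path structure @dir", and fix "strcture" (carried over from the inode_mkdir text) and "containst" in the new lines.
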
&lt; at &gt;&lt; at &gt; -368,6 +402,15 &lt; at &gt;&lt; at &gt; static inline void security_free_mnt_opt
  *&lt; at &gt;mode contains the mode of the new file.
  *&lt; at &gt;dev contains the device number.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_mknod:
+ *Check permissions when creating a file. Note that this hook is called
+ *even if mknod operation is being done for a regular file.
+ *&lt; at &gt;dir contains the path structure of parent of the new file.
+ *&lt; at &gt;dentry contains the dentry structure of the new file.
+ *&lt; at &gt;mode contains the mode of the new file.
+ *&lt; at &gt;dev contains the undecoded device number. Use new_decode_dev() to get
+ *the decoded device number.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_rename:
  *Check for permission to rename a file or directory.
  *&lt; at &gt;old_dir contains the inode structure for parent of the old link.
&lt; at &gt;&lt; at &gt; -375,6 +418,13 &lt; at &gt;&lt; at &gt; static inline void security_free_mnt_opt
  *&lt; at &gt;new_dir contains the inode structure for parent of the new link.
  *&lt; at &gt;new_dentry contains the dentry structure of the new link.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_rename:
+ *Check for permission to rename a file or directory.
+ *&lt; at &gt;old_dir contains the path structure for parent of the old link.
+ *&lt; at &gt;old_dentry contains the dentry structure of the old link.
+ *&lt; at &gt;new_dir contains the path structure for parent of the new link.
+ *&lt; at &gt;new_dentry contains the dentry structure of the new link.
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_readlink:
  *Check the permission to read the symbolic link.
  *&lt; at &gt;dentry contains the dentry structure for the file link.
&lt; at &gt;&lt; at &gt; -403,6 +453,13 &lt; at &gt;&lt; at &gt; static inline void security_free_mnt_opt
  *&lt; at &gt;dentry contains the dentry structure for the file.
  *&lt; at &gt;attr is the iattr structure containing the new file attributes.
  *Return 0 if permission is granted.
+ * &lt; at &gt;path_truncate:
+ *Check permission before truncating a file.
+ *&lt; at &gt;path contains the path structure for the file.
+ *&lt; at &gt;length is the new length of the file.
+ *&lt; at &gt;time_attrs is the flags passed to do_truncate().
+ *&lt; at &gt;filp is the file structure (may be NULL).
+ *Return 0 if permission is granted.
  * &lt; at &gt;inode_getattr:
  *Check permission before obtaining file attributes.
  *&lt; at &gt;mnt is the vfsmount where the dentry was looked up
&lt; at &gt;&lt; at &gt; -1331,6 +1388,22 &lt; at &gt;&lt; at &gt; struct security_operations {
    struct super_block *newsb);
 int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
 
+#ifdef CONFIG_SECURITY_PATH
+int (*path_unlink) (struct path *dir, struct dentry *dentry);
+int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode);
+int (*path_rmdir) (struct path *dir, struct dentry *dentry);
+int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
+   unsigned int dev);
+int (*path_truncate) (struct path *path, loff_t length,
+      unsigned int time_attrs, struct file *filp);
+int (*path_symlink) (struct path *dir, struct dentry *dentry,
+     const char *old_name);
+int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
+  struct dentry *new_dentry);
+int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
+    struct path *new_dir, struct dentry *new_dentry);
+#endif
+
 int (*inode_alloc_security) (struct inode *inode);
 void (*inode_free_security) (struct inode *inode);
 int (*inode_init_security) (struct inode *inode, struct inode *dir,
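Review bot: path_link is the only hook in this block that gets no struct path for the existing object. It takes old_dentry plus the new_dir path, while path_rename receives both old_dir and new_dir. The kernel-doc entry for path_link should state that a module has to resolve old_dentry against the vfsmount of new_dir (hard links cannot cross mounts), otherwise implementers are left guessing which mount applies to the old name.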
&lt; at &gt;&lt; at &gt; -2705,6 +2778,72 &lt; at &gt;&lt; at &gt; static inline void security_skb_classify
 
 #endif/* CONFIG_SECURITY_NETWORK_XFRM */
 
+#ifdef CONFIG_SECURITY_PATH
+int security_path_unlink(struct path *dir, struct dentry *dentry);
+int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode);
+int security_path_rmdir(struct path *dir, struct dentry *dentry);
+int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+unsigned int dev);
+int security_path_truncate(struct path *path, loff_t length,
+   unsigned int time_attrs, struct file *filp);
+int security_path_symlink(struct path *dir, struct dentry *dentry,
+  const char *old_name);
+int security_path_link(struct dentry *old_dentry, struct path *new_dir,
+       struct dentry *new_dentry);
+int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
+ struct path *new_dir, struct dentry *new_dentry);
+#else/* CONFIG_SECURITY_PATH */
+static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
+{
+return 0;
+}
+
+static inline int security_path_mkdir(struct path *dir, struct dentry *dentry,
+      int mode)
+{
+return 0;
+}
+
+static inline int security_path_rmdir(struct path *dir, struct dentry *dentry)
+{
+return 0;
+}
+
+static inline int security_path_mknod(struct path *dir, struct dentry *dentry,
+      int mode, unsigned int dev)
+{
+return 0;
+}
+
+static inline int security_path_truncate(struct path *path, loff_t length,
+ unsigned int time_attrs,
+ struct file *filp)
+{
+return 0;
+}
+
+static inline int security_path_symlink(struct path *dir, struct dentry *dentry,
+const char *old_name)
+{
+return 0;
+}
+
+static inline int security_path_link(struct dentry *old_dentry,
+     struct path *new_dir,
+     struct dentry *new_dentry)
+{
+return 0;
+}
+
+static inline int security_path_rename(struct path *old_dir,
+       struct dentry *old_dentry,
+       struct path *new_dir,
+       struct dentry *new_dentry)
+{
+return 0;
+}
+#endif/* CONFIG_SECURITY_PATH */
+
 #ifdef CONFIG_KEYS
 #ifdef CONFIG_SECURITY
 
diff -puN net/unix/af_unix.c~introduce-new-lsm-hooks-where-vfsmount-is-available net/unix/af_unix.c
--- a/net/unix/af_unix.c~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/net/unix/af_unix.c
&lt; at &gt;&lt; at &gt; -836,7 +836,11 &lt; at &gt;&lt; at &gt; static int unix_bind(struct socket *sock
 err = mnt_want_write(nd.path.mnt);
 if (err)
 goto out_mknod_dput;
+err = security_path_mknod(&amp;nd.path, dentry, mode, 0);
+if (err)
+goto out_mknod_drop_write;
 err = vfs_mknod(nd.path.dentry-&gt;d_inode, dentry, mode, 0);
+out_mknod_drop_write:
 mnt_drop_write(nd.path.mnt);
 if (err)
 goto out_mknod_dput;
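Review bot: the new out_mknod_drop_write label lands in the middle of the straight-line path, between vfs_mknod() and mnt_drop_write(), so both the success path and a denial from security_path_mknod() fall through it. That is correct, since the write reference taken by mnt_want_write() is dropped either way, but a one-line comment on the label would make the pairing obvious to the next reader of unix_bind().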
diff -puN security/Kconfig~introduce-new-lsm-hooks-where-vfsmount-is-available security/Kconfig
--- a/security/Kconfig~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/security/Kconfig
&lt; at &gt;&lt; at &gt; -81,6 +81,15 &lt; at &gt;&lt; at &gt; config SECURITY_NETWORK_XFRM
   IPSec.
   If you are unsure how to answer this question, answer N.
 
+config SECURITY_PATH
+bool "Security hooks for pathname based access control"
+depends on SECURITY
+help
+  This enables the security hooks for pathname based access control.
+  If enabled, a security module can use these hooks to
+  implement pathname based access controls.
+  If you are unsure how to answer this question, answer N.
+
 config SECURITY_FILE_CAPABILITIES
 bool "File POSIX Capabilities"
 default n
diff -puN security/capability.c~introduce-new-lsm-hooks-where-vfsmount-is-available security/capability.c
--- a/security/capability.c~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/security/capability.c
&lt; at &gt;&lt; at &gt; -263,6 +263,53 &lt; at &gt;&lt; at &gt; static void cap_inode_getsecid(const str
 *secid = 0;
 }
 
+#ifdef CONFIG_SECURITY_PATH
+static int cap_path_mknod(struct path *dir, struct dentry *dentry, int mode,
+  unsigned int dev)
+{
+return 0;
+}
+
+static int cap_path_mkdir(struct path *dir, struct dentry *dentry, int mode)
+{
+return 0;
+}
+
+static int cap_path_rmdir(struct path *dir, struct dentry *dentry)
+{
+return 0;
+}
+
+static int cap_path_unlink(struct path *dir, struct dentry *dentry)
+{
+return 0;
+}
+
+static int cap_path_symlink(struct path *dir, struct dentry *dentry,
+    const char *old_name)
+{
+return 0;
+}
+
+static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
+ struct dentry *new_dentry)
+{
+return 0;
+}
+
+static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
+   struct path *new_path, struct dentry *new_dentry)
+{
+return 0;
+}
+
+static int cap_path_truncate(struct path *path, loff_t length,
+     unsigned int time_attrs, struct file *filp)
+{
+return 0;
+}
+#endif
+
 static int cap_file_permission(struct file *file, int mask)
 {
 return 0;
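Review bot: cap_path_rename() names its path arguments old_path and new_path, while the security_operations member and the security_path_rename() prototype in security.h call them old_dir and new_dir. These are the parent directories, not the objects being renamed, so please use old_dir and new_dir here as well to keep readers from taking them for the paths of the files themselves.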
&lt; at &gt;&lt; at &gt; -883,6 +930,16 &lt; at &gt;&lt; at &gt; void security_fixup_ops(struct security_
 set_to_cap_if_null(ops, inode_setsecurity);
 set_to_cap_if_null(ops, inode_listsecurity);
 set_to_cap_if_null(ops, inode_getsecid);
+#ifdef CONFIG_SECURITY_PATH
+set_to_cap_if_null(ops, path_mknod);
+set_to_cap_if_null(ops, path_mkdir);
+set_to_cap_if_null(ops, path_rmdir);
+set_to_cap_if_null(ops, path_unlink);
+set_to_cap_if_null(ops, path_symlink);
+set_to_cap_if_null(ops, path_link);
+set_to_cap_if_null(ops, path_rename);
+set_to_cap_if_null(ops, path_truncate);
+#endif
 set_to_cap_if_null(ops, file_permission);
 set_to_cap_if_null(ops, file_alloc_security);
 set_to_cap_if_null(ops, file_free_security);
diff -puN security/security.c~introduce-new-lsm-hooks-where-vfsmount-is-available security/security.c
--- a/security/security.c~introduce-new-lsm-hooks-where-vfsmount-is-available
+++ a/security/security.c
&lt; at &gt;&lt; at &gt; -355,6 +355,72 &lt; at &gt;&lt; at &gt; int security_inode_init_security(struct 
 }
 EXPORT_SYMBOL(security_inode_init_security);
 
+#ifdef CONFIG_SECURITY_PATH
+int security_path_mknod(struct path *path, struct dentry *dentry, int mode,
+unsigned int dev)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_mknod(path, dentry, mode, dev);
+}
+EXPORT_SYMBOL(security_path_mknod);
+
+int security_path_mkdir(struct path *path, struct dentry *dentry, int mode)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_mkdir(path, dentry, mode);
+}
+
+int security_path_rmdir(struct path *path, struct dentry *dentry)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_rmdir(path, dentry);
+}
+
+int security_path_unlink(struct path *path, struct dentry *dentry)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_unlink(path, dentry);
+}
+
+int security_path_symlink(struct path *path, struct dentry *dentry,
+  const char *old_name)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_symlink(path, dentry, old_name);
+}
+
+int security_path_link(struct dentry *old_dentry, struct path *new_dir,
+       struct dentry *new_dentry)
+{
+if (unlikely(IS_PRIVATE(old_dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_link(old_dentry, new_dir, new_dentry);
+}
+
+int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
+ struct path *new_dir, struct dentry *new_dentry)
+{
+if (unlikely(IS_PRIVATE(old_dentry-&gt;d_inode) ||
+     (new_dentry-&gt;d_inode &amp;&amp; IS_PRIVATE(new_dentry-&gt;d_inode))))
+return 0;
+return security_ops-&gt;path_rename(old_dir, old_dentry, new_dir,
+ new_dentry);
+}
+
+int security_path_truncate(struct path *path, loff_t length,
+   unsigned int time_attrs, struct file *filp)
+{
+if (unlikely(IS_PRIVATE(path-&gt;dentry-&gt;d_inode)))
+return 0;
+return security_ops-&gt;path_truncate(path, length, time_attrs, filp);
+}
+#endif
+
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
 {
 if (unlikely(IS_PRIVATE(dir)))
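Review bot: the IS_PRIVATE() short-circuit is applied to different objects across these wrappers. mknod, mkdir, rmdir, unlink and symlink test the inode of the parent directory (the d_inode of the path's dentry), link and rename test the object itself (the d_inode of old_dentry), and truncate tests the file. Please add a comment saying which inode is meant to be exempt in each case, or make the checks consistent, because a module author cannot tell from this code whether a private directory or a private file bypasses the hook. Also, only security_path_mknod() carries EXPORT_SYMBOL(); a note that this is for the af_unix caller would explain why the other wrappers are not exported.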
_
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo&lt; at &gt;vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27810">
    <title>[patch 03/11] fs/namespace.c: drop code after return</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27810</link>
    <description>From: Julia Lawall &lt;julia&lt; at &gt;diku.dk&gt;

The extra semicolon serves no purpose.

Signed-off-by: Julia Lawall &lt;julia&lt; at &gt;diku.dk&gt;
Reviewed-by: Richard Genoud &lt;richard.genoud&lt; at &gt;gmail.com&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN fs/namespace.c~fs-namespacec-drop-code-after-return fs/namespace.c
--- a/fs/namespace.c~fs-namespacec-drop-code-after-return
+++ a/fs/namespace.c
&lt; at &gt;&lt; at &gt; -1990,7 +1990,7 &lt; at &gt;&lt; at &gt; static struct mnt_namespace *dup_mnt_ns(
 if (!new_ns-&gt;root) {
 up_write(&amp;namespace_sem);
 kfree(new_ns);
-return ERR_PTR(-ENOMEM);;
+return ERR_PTR(-ENOMEM);
 }
 spin_lock(&amp;vfsmount_lock);
 list_add_tail(&amp;new_ns-&gt;list, &amp;new_ns-&gt;root-&gt;mnt_list);
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27809">
    <title>[patch 01/11] vfs: fix vfs_rename_dir for FS_RENAME_DOES_D_MOVE filesystems</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27809</link>
    <description>From: Miklos Szeredi &lt;mszeredi&lt; at &gt;suse.cz&gt;

vfs_rename_dir() doesn't properly account for filesystems with
FS_RENAME_DOES_D_MOVE.  If new_dentry has a target inode attached, it
unhashes the new_dentry prior to the rename() iop and rehashes it after,
but doesn't account for the possibility that rename() may have swapped
{old,new}_dentry.  For FS_RENAME_DOES_D_MOVE filesystems, it rehashes
new_dentry (now the old renamed-from name, which d_move() expected to go
away), such that a subsequent lookup will find it.

This was caught by the recently posted POSIX fstest suite, rename/10.t
test 62 (and others) on ceph.

The bug was introduced by: commit 349457ccf2592c14bdf13b6706170ae2e94931b1
"[PATCH] Allow file systems to manually d_move() inside of -&gt;rename()"

Fix by not rehashing the new dentry.  Rehashing used to be needed by
d_move() but isn't anymore.

Reported-by: Sage Weil &lt;sage&lt; at &gt;newdream.net&gt;
Cc: Zach Brown &lt;zach.brown&lt; at &gt;oracle.com&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi&lt; at &gt;suse.cz&gt;
Cc: Mark Fasheh &lt;mark.fasheh&lt; at &gt;oracle.com&gt;
Cc: Trond Myklebust &lt;trond.myklebust&lt; at &gt;fys.uio.no&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Cc: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/namei.c |    2 --
 1 file changed, 2 deletions(-)

diff -puN fs/namei.c~vfs-fix-vfs_rename_dir-for-fs_rename_does_d_move-filesystems fs/namei.c
--- a/fs/namei.c~vfs-fix-vfs_rename_dir-for-fs_rename_does_d_move-filesystems
+++ a/fs/namei.c
&lt; at &gt;&lt; at &gt; -2528,8 +2528,6 &lt; at &gt;&lt; at &gt; static int vfs_rename_dir(struct inode *
 if (!error)
 target-&gt;i_flags |= S_DEAD;
 mutex_unlock(&amp;target-&gt;i_mutex);
-if (d_unhashed(new_dentry))
-d_rehash(new_dentry);
 dput(new_dentry);
 }
 if (!error)
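Review bot: with the d_rehash() call removed, nothing in this block restores new_dentry when the rename fails. The surrounding lines show that error can be non-zero here (S_DEAD is only set when error is zero), and the changelog says new_dentry was unhashed before the rename call, so after a failed rename the still-valid target name stays unhashed. If that is intended, please say so in the changelog; if not, keep the rehash for the error case only.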
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27808">
    <title>[patch 08/11] vfs: document FMODE_ constants</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27808</link>
    <description>From: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;

Ensure that all FMODE_ constants are documented, and ensure a coherent
style for the already existing comments.

Signed-off-by: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 include/linux/fs.h |   32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff -puN include/linux/fs.h~vfs-document-fmode_-constants include/linux/fs.h
--- a/include/linux/fs.h~vfs-document-fmode_-constants
+++ a/include/linux/fs.h
&lt; at &gt;&lt; at &gt; -54,21 +54,23 &lt; at &gt;&lt; at &gt; struct inodes_stat_t {
 #define MAY_ACCESS 16
 #define MAY_OPEN 32
 
-#define FMODE_READ ((__force fmode_t)1)
-#define FMODE_WRITE ((__force fmode_t)2)
-
-/* Internal kernel extensions */
-#define FMODE_LSEEK((__force fmode_t)4)
-#define FMODE_PREAD((__force fmode_t)8)
-#define FMODE_PWRITEFMODE_PREAD/* These go hand in hand */
-
-/* File is being opened for execution. Primary users of this flag are
-   distributed filesystems that can use it to achieve correct ETXTBUSY
-   behavior for cross-node execution/opening_for_writing of files */
-#define FMODE_EXEC((__force fmode_t)16)
-
-#define FMODE_NDELAY((__force fmode_t)32)
-#define FMODE_EXCL((__force fmode_t)64)
+/* file is open for reading */
+#define FMODE_READ((__force fmode_t)1)
+/* file is open for writing */
+#define FMODE_WRITE((__force fmode_t)2)
+/* file is seekable */
+#define FMODE_LSEEK((__force fmode_t)4)
+/* file can be accessed using pread/pwrite */
+#define FMODE_PREAD((__force fmode_t)8)
+#define FMODE_PWRITEFMODE_PREAD/* These go hand in hand */
+/* File is opened for execution with sys_execve / sys_uselib */
+#define FMODE_EXEC((__force fmode_t)16)
+/* File is opened with O_NDELAY (only set for block devices) */
+#define FMODE_NDELAY((__force fmode_t)32)
+/* File is opened with O_EXCL (only set for block devices) */
+#define FMODE_EXCL((__force fmode_t)64)
+/* File is opened using open(.., 3, ..) and is writeable only for ioctls
+   (specialy hack for floppy.c) */
 #define FMODE_WRITE_IOCTL((__force fmode_t)128)
 
 #define RW_MASK1
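Review bot: the new comment on FMODE_WRITE_IOCTL has a typo, "specialy hack" should read "special hack", and the block mixes "file is ..." with "File is ..." even though the changelog promises a coherent style. The rewritten FMODE_EXEC comment also drops the old explanation that distributed filesystems use the flag to get correct ETXTBUSY behaviour across nodes; that rationale is worth keeping in a shortened form.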
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27807">
    <title>[patch 06/11] kill suid bit only for regular files</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27807</link>
    <description>From: Dmitri Monakhov &lt;dmonakhov&lt; at &gt;openvz.org&gt;

We don't have to do it because it is useless for non regular files.
In fact block device may trigger this path without dentry-&gt;d_inode-&gt;i_mutex.

(akpm: concerns were expressed (by me) about S_ISDIR inodes)

Signed-off-by: Dmitri Monakhov &lt;dmonakhov&lt; at &gt;openvz.org&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 mm/filemap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN mm/filemap.c~kill-suid-bit-only-for-regular-files mm/filemap.c
--- a/mm/filemap.c~kill-suid-bit-only-for-regular-files
+++ a/mm/filemap.c
&lt; at &gt;&lt; at &gt; -1766,7 +1766,7 &lt; at &gt;&lt; at &gt; int should_remove_suid(struct dentry *de
 if (unlikely((mode &amp; S_ISGID) &amp;&amp; (mode &amp; S_IXGRP)))
 kill |= ATTR_KILL_SGID;
 
-if (unlikely(kill &amp;&amp; !capable(CAP_FSETID)))
+if (unlikely(kill &amp;&amp; !capable(CAP_FSETID) &amp;&amp; S_ISREG(mode)))
 return kill;
 
 return 0;
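Review bot: S_ISREG(mode) is tested last, after capable(CAP_FSETID), so a privilege check is still made for directories, block devices and other non-regular inodes and its result is then thrown away. Testing S_ISREG(mode) first, or returning 0 early in should_remove_suid() for non-regular files, avoids the needless capable() call and states the intent directly. The changelog should also record how the S_ISDIR concern noted by akpm was resolved, since this change stops reporting ATTR_KILL_SGID for setgid directories as well.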
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27806">
    <title>[patch 02/11] include: linux/fs.h: put declarations in __KERNEL__</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27806</link>
    <description>From: Jan Engelhardt &lt;jengelh&lt; at &gt;medozas.de&gt;

An anonymous user tried to use symbols from /usr/include/linux/fs.h.
Since these however are not defined in libc, but are specific to the
kernel, they should be in an #ifdef __KERNEL__ section. Move them
there.

Signed-off-by: Jan Engelhardt &lt;jengelh&lt; at &gt;medozas.de&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 include/linux/fs.h |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff -puN include/linux/fs.h~include-linux-fsh-put-declarations-in-__kernel__ include/linux/fs.h
--- a/include/linux/fs.h~include-linux-fsh-put-declarations-in-__kernel__
+++ a/include/linux/fs.h
&lt; at &gt;&lt; at &gt; -21,7 +21,6 &lt; at &gt;&lt; at &gt;
 
 /* Fixed constants first: */
 #undef NR_OPEN
-extern int sysctl_nr_open;
 #define INR_OPEN 1024/* Initial setting for nfile rlimits */
 
 #define BLOCK_SIZE_BITS 10
&lt; at &gt;&lt; at &gt; -38,21 +37,13 &lt; at &gt;&lt; at &gt; struct files_stat_struct {
 int nr_free_files;/* read only */
 int max_files;/* tunable */
 };
-extern struct files_stat_struct files_stat;
-extern int get_max_files(void);
 
 struct inodes_stat_t {
 int nr_inodes;
 int nr_unused;
 int dummy[5];/* padding for sysctl ABI compatibility */
 };
-extern struct inodes_stat_t inodes_stat;
 
-extern int leases_enable, lease_break_time;
-
-#ifdef CONFIG_DNOTIFY
-extern int dir_notify_enable;
-#endif
 
 #define NR_FILE  8192/* this can well be larger on a larger system */
 
&lt; at &gt;&lt; at &gt; -321,6 +312,15 &lt; at &gt;&lt; at &gt; extern void __init inode_init(void);
 extern void __init inode_init_early(void);
 extern void __init files_init(unsigned long);
 
+extern struct files_stat_struct files_stat;
+extern int get_max_files(void);
+extern int sysctl_nr_open;
+extern struct inodes_stat_t inodes_stat;
+extern int leases_enable, lease_break_time;
+#ifdef CONFIG_DNOTIFY
+extern int dir_notify_enable;
+#endif
+
 struct buffer_head;
 typedef int (get_block_t)(struct inode *inode, sector_t iblock,
 struct buffer_head *bh_result, int create);
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27805">
    <title>[patch 05/11] fs/block_dev.c: __read_mostly improvement and sb_is_blkdev_sb utilization</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27805</link>
    <description>From: Denis ChengRq &lt;crquan&lt; at &gt;gmail.com&gt;

- iget5_locked in bdget really needs blockdev_superblock, instead of
  bd_mnt, so bd_mnt could be just a local variable;

- blockdev_superblock really needs __read_mostly, while local var bd_mnt
  not;

- make use of sb_is_blkdev_sb in bd_forget, instead of direct reference
  to blockdev_superblock.

Signed-off-by: Denis ChengRq &lt;crquan&lt; at &gt;gmail.com&gt;
Cc: Al Viro &lt;viro&lt; at &gt;zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 fs/block_dev.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff -puN fs/block_dev.c~fs-block_devc-__read_mostly-improvement-and-sb_is_blkdev_sb-utilization fs/block_dev.c
--- a/fs/block_dev.c~fs-block_devc-__read_mostly-improvement-and-sb_is_blkdev_sb-utilization
+++ a/fs/block_dev.c
&lt; at &gt;&lt; at &gt; -326,12 +326,13 &lt; at &gt;&lt; at &gt; static struct file_system_type bd_type =
 .kill_sb= kill_anon_super,
 };
 
-static struct vfsmount *bd_mnt __read_mostly;
-struct super_block *blockdev_superblock;
+struct super_block *blockdev_superblock __read_mostly;
 
 void __init bdev_cache_init(void)
 {
 int err;
+struct vfsmount *bd_mnt;
+
 bdev_cachep = kmem_cache_create("bdev_cache", sizeof(struct bdev_inode),
 0, (SLAB_HWCACHE_ALIGN|SLAB_RECLAIM_ACCOUNT|
 SLAB_MEM_SPREAD|SLAB_PANIC),
&lt; at &gt;&lt; at &gt; -373,7 +374,7 &lt; at &gt;&lt; at &gt; struct block_device *bdget(dev_t dev)
 struct block_device *bdev;
 struct inode *inode;
 
-inode = iget5_locked(bd_mnt-&gt;mnt_sb, hash(dev),
+inode = iget5_locked(blockdev_superblock, hash(dev),
 bdev_test, bdev_set, &amp;dev);
 
 if (!inode)
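Review bot: bdget() now passes blockdev_superblock straight to iget5_locked(), but the line that assigns blockdev_superblock is not part of any hunk in this patch. Please confirm in the changelog that bdev_cache_init() still sets it from the now-local bd_mnt before any bdget() caller can run, since bdget() no longer reaches the superblock through bd_mnt.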
&lt; at &gt;&lt; at &gt; -463,7 +464,7 &lt; at &gt;&lt; at &gt; void bd_forget(struct inode *inode)
 
 spin_lock(&amp;bdev_lock);
 if (inode-&gt;i_bdev) {
-if (inode-&gt;i_sb != blockdev_superblock)
+if (!sb_is_blkdev_sb(inode-&gt;i_sb))
 bdev = inode-&gt;i_bdev;
 __bd_forget(inode);
 }
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27804">
    <title>[patch 07/11] vfs: kill FMODE_NDELAY_NOW</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27804</link>
    <description>From: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;

Update FMODE_NDELAY before each ioctl call so that we can kill the magic
FMODE_NDELAY_NOW.  It would be even better to do this directly in setfl(),
but for that we'd need to have FMODE_NDELAY for all files, not just block
special files.

Signed-off-by: Christoph Hellwig &lt;hch&lt; at &gt;lst.de&gt;
Signed-off-by: Andrew Morton &lt;akpm&lt; at &gt;linux-foundation.org&gt;
---

 block/compat_ioctl.c |    8 +++++++-
 drivers/scsi/sd.c    |    2 +-
 drivers/scsi/sr.c    |    2 +-
 fs/block_dev.c       |   10 +++++++++-
 include/linux/fs.h   |    1 -
 5 files changed, 18 insertions(+), 5 deletions(-)

diff -puN block/compat_ioctl.c~vfs-kill-fmode_ndelay_now block/compat_ioctl.c
--- a/block/compat_ioctl.c~vfs-kill-fmode_ndelay_now
+++ a/block/compat_ioctl.c
&lt; at &gt;&lt; at &gt; -699,8 +699,14 &lt; at &gt;&lt; at &gt; long compat_blkdev_ioctl(struct file *fi
 struct backing_dev_info *bdi;
 loff_t size;
 
+/*
+ * O_NDELAY can be altered using fcntl(.., F_SETFL, ..), so we have
+ * to updated it before every ioctl.
+ */
 if (file-&gt;f_flags &amp; O_NDELAY)
-mode |= FMODE_NDELAY_NOW;
+mode |= FMODE_NDELAY;
+else
+mode &amp;= ~FMODE_NDELAY;
 
 switch (cmd) {
 case HDIO_GETGEO:
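Review bot: the added comment reads "we have to updated it before every ioctl"; it should say "update". The same comment and the same if/else that sets or clears FMODE_NDELAY are repeated verbatim in block_ioctl() in fs/block_dev.c, so a small shared helper would keep the two copies from drifting apart.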
diff -puN drivers/scsi/sd.c~vfs-kill-fmode_ndelay_now drivers/scsi/sd.c
--- a/drivers/scsi/sd.c~vfs-kill-fmode_ndelay_now
+++ a/drivers/scsi/sd.c
&lt; at &gt;&lt; at &gt; -757,7 +757,7 &lt; at &gt;&lt; at &gt; static int sd_ioctl(struct block_device 
  * access to the device is prohibited.
  */
 error = scsi_nonblockable_ioctl(sdp, cmd, p,
-(mode &amp; FMODE_NDELAY_NOW) != 0);
+(mode &amp; FMODE_NDELAY) != 0);
 if (!scsi_block_when_processing_errors(sdp) || !error)
 return error;
 
diff -puN drivers/scsi/sr.c~vfs-kill-fmode_ndelay_now drivers/scsi/sr.c
--- a/drivers/scsi/sr.c~vfs-kill-fmode_ndelay_now
+++ a/drivers/scsi/sr.c
&lt; at &gt;&lt; at &gt; -521,7 +521,7 &lt; at &gt;&lt; at &gt; static int sr_block_ioctl(struct block_d
  * if it doesn't recognise the ioctl
  */
 ret = scsi_nonblockable_ioctl(sdev, cmd, argp,
-(mode &amp; FMODE_NDELAY_NOW) != 0);
+(mode &amp; FMODE_NDELAY) != 0);
 if (ret != -ENODEV)
 return ret;
 return scsi_ioctl(sdev, cmd, argp);
diff -puN fs/block_dev.c~vfs-kill-fmode_ndelay_now fs/block_dev.c
--- a/fs/block_dev.c~vfs-kill-fmode_ndelay_now
+++ a/fs/block_dev.c
&lt; at &gt;&lt; at &gt; -1218,8 +1218,16 &lt; at &gt;&lt; at &gt; static long block_ioctl(struct file *fil
 {
 struct block_device *bdev = I_BDEV(file-&gt;f_mapping-&gt;host);
 fmode_t mode = file-&gt;f_mode;
+
+/*
+ * O_NDELAY can be altered using fcntl(.., F_SETFL, ..), so we have
+ * to updated it before every ioctl.
+ */
 if (file-&gt;f_flags &amp; O_NDELAY)
-mode |= FMODE_NDELAY_NOW;
+mode |= FMODE_NDELAY;
+else
+mode &amp;= ~FMODE_NDELAY;
+
 return blkdev_ioctl(bdev, mode, cmd, arg);
 }
 
diff -puN include/linux/fs.h~vfs-kill-fmode_ndelay_now include/linux/fs.h
--- a/include/linux/fs.h~vfs-kill-fmode_ndelay_now
+++ a/include/linux/fs.h
&lt; at &gt;&lt; at &gt; -70,7 +70,6 &lt; at &gt;&lt; at &gt; struct inodes_stat_t {
 #define FMODE_NDELAY((__force fmode_t)32)
 #define FMODE_EXCL((__force fmode_t)64)
 #define FMODE_WRITE_IOCTL((__force fmode_t)128)
-#define FMODE_NDELAY_NOW((__force fmode_t)256)
 
 #define RW_MASK1
 #define RWA_MASK2
_

</description>
    <dc:creator>akpm&lt; at &gt;linux-foundation.org</dc:creator>
    <dc:date>2008-12-01T22:34:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27800">
    <title>Re: [RESEND][PATCH] Add /proc/mempool to display mempool usage</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27800</link>
    <description>

On Mon, 1 Dec 2008, Pekka Enberg wrote:

Who is the f*cking MORON that thinks that "documentation" has any meaning 
what-so-ever?

The fact that something is documented (whether correctly or not) has 
absolutely _zero_ impact on anything at all. What makes something an ABI 
is that it's useful and available. The only way something isn't an ABI is 
by _explicitly_ making sure that it's not available even by mistake in a 
stable form for binary use.

Example: kernel internal data structures and function calls. We make sure 
that you simply _cannot_ make a binary that works across kernel versions. 
That is the only way for an ABI to not form.

Linus

</description>
    <dc:creator>Linus Torvalds</dc:creator>
    <dc:date>2008-12-01T20:12:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27799">
    <title>Re: [RESEND][PATCH] Add /proc/mempool to display mempool usage</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27799</link>
    <description>On Mon, Dec 1, 2008 at 10:02 PM, Andrew Morton
&lt;akpm&lt; at &gt;linux-foundation.org&gt; wrote:

Hmm, I thought Documentation/ABI/ was supposed to tell us what's an
ABI you can depend on and what's not. I mean, you shouldn't be
depending on anything but the interfaces documented in
Documentation/ABI/stable/, no?

</description>
    <dc:creator>Pekka Enberg</dc:creator>
    <dc:date>2008-12-01T20:07:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27797">
    <title>Re: [patch][rfc] fs: shrink struct dentry</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27797</link>
    <description>

Don't you even have a differential profile showing the impact of
removing d_cookie? This hash table lookup will now happen on *every*
userspace sample that's processed. That's, uh, a lot.

(By all means make your change, but I don't get how it's OK to regress
other code, and provide no evidence at all as to its impact.)

john

</description>
    <dc:creator>John Levon</dc:creator>
    <dc:date>2008-12-01T19:38:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27796">
    <title>Re: [rfc git patch] union directory</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27796</link>
    <description>
Thanks for the pointer.  Yes something like that.


No, the plan is to cache it in the struct file of the topmost
directory.  This should also solve the lseek() issue.

The only concern is that this caching behavior can waste unswappable
kernel memory.  But unless some malicious application actually wants
to exploit this, I don't think it will be a big issue in practice.

Miklos

</description>
    <dc:creator>Miklos Szeredi</dc:creator>
    <dc:date>2008-12-01T19:31:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27795">
    <title>Re: [RESEND][PATCH] Add /proc/mempool to display mempool usage</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27795</link>
    <description>
The problem with debugfs is that it claims to not be an ABI but it is
lying. Distributions ship tools that depend on portions of debugfs. And
they also ship debugfs in their kernel. So it is effectively the same
as /proc, except with the 1.0-era everything-goes attitude rather than
the 2.6-era we-should-really-think-about-this one.

Pushing stuff from procfs to debugfs is thus just setting us up for pain
down the road. Don't do it. In five years, we'll discover we can't turn
debugfs off or even clean it up because too much relies on it.

If you think that debugfs is NOT an ABI, then I'm sure you'll be happy
to ack my patch entitled 'gratuitously break usbmon to remind folks that
debugfs is not an ABI'.

</description>
    <dc:creator>Matt Mackall</dc:creator>
    <dc:date>2008-12-01T19:13:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27793">
    <title>Re: [patch][rfc] fs: shrink struct dentry</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27793</link>
    <description>
For oprofile case (maybe if you are profiling hundreds of vmas and
overflow the 4096 byte hash table), no. That case is uncommon and
must be fixed in the dcookie code (as I said, trivial with changing
data structure). I don't want this pointer in struct dentry
regardless of a possible tiny benefit for oprofile.


</description>
    <dc:creator>Nick Piggin</dc:creator>
    <dc:date>2008-12-01T18:04:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27791">
    <title>Re: [linux-cifs-client] Re: fsx-linux failing with latest cifs-2.6 git tree</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27791</link>
    <description>
This (why this defensive code is fine) is similar to what we
discussed.  I agree that we can leave it as is.


</description>
    <dc:creator>Steve French</dc:creator>
    <dc:date>2008-12-01T17:43:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27790">
    <title>Re: [rfc git patch] union directory</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27790</link>
    <description>
We've actually been (quietly) looking into these whiteout patches for a
couple of months already.  We found that those patches were not yet suitable
for integration into a f/s such as unionfs.  We found (and fixed) some
bugs, and had to change the API somewhat and its implementation.  I think
the only way to be sure that these patches work well is to have a user for
them.  We plan on re-posting our modified patches once we've done a lot more
testing with them in the context of unionfs.


Erez.

</description>
    <dc:creator>Erez Zadok</dc:creator>
    <dc:date>2008-12-01T16:54:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.file-systems/27787">
    <title>[PATCH 06/14] SELinux: Add new labeling type native labels</title>
    <link>http://permalink.gmane.org/gmane.linux.file-systems/27787</link>
    <description>There currently doesn't exist a labeling type that is adequate for use with
labeled NFS. Since NFS doesn't really support xattrs we can't use the use xattr
labeling behavior. For this we developed a new labeling type. The native
labeling type is used solely by NFS to ensure NFS inodes are labeled at runtime
by the NFS code instead of relying on the SELinux security server on the client
end.

Signed-off-by: Matthew N. Dodd &lt;Matthew.Dodd&lt; at &gt;sparta.com&gt;
Signed-off-by: David P. Quigley &lt;dpquigl&lt; at &gt;tycho.nsa.gov&gt;
---
 security/selinux/hooks.c            |   74 +++++++++++++++++++++++++++-------
 security/selinux/include/security.h |    4 ++
 security/selinux/ss/policydb.c      |    5 ++-
 3 files changed, 66 insertions(+), 17 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 60d6bcc..9e73750 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
&lt; at &gt;&lt; at &gt; -89,7 +89,7 &lt; at &gt;&lt; at &gt;
 #define XATTR_SELINUX_SUFFIX "selinux"
 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
 
-#define NUM_SEL_MNT_OPTS 4
+#define NUM_SEL_MNT_OPTS 5
 
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
&lt; at &gt;&lt; at &gt; -302,13 +302,14 &lt; at &gt;&lt; at &gt; extern int ss_initialized;
 
 /* The file system's label must be initialized prior to use. */
 
-static char *labeling_behaviors[6] = {
+static char *labeling_behaviors[7] = {
 "uses xattr",
 "uses transition SIDs",
 "uses task SIDs",
 "uses genfs_contexts",
 "not configured for labeling",
 "uses mountpoint labeling",
+"uses native labels",
 };
 
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
&lt; at &gt;&lt; at &gt; -324,6 +325,7 &lt; at &gt;&lt; at &gt; enum {
 Opt_fscontext = 2,
 Opt_defcontext = 3,
 Opt_rootcontext = 4,
+Opt_native_labels = 5,
 };
 
 static const match_table_t tokens = {
&lt; at &gt;&lt; at &gt; -331,6 +333,7 &lt; at &gt;&lt; at &gt; static const match_table_t tokens = {
 {Opt_fscontext, FSCONTEXT_STR "%s"},
 {Opt_defcontext, DEFCONTEXT_STR "%s"},
 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
+{Opt_native_labels, NATIVELABELS_STR},
 {Opt_error, NULL},
 };
 
&lt; at &gt;&lt; at &gt; -518,6 +521,10 &lt; at &gt;&lt; at &gt; static int selinux_get_mnt_opts(const struct super_block *sb,
 opts-&gt;mnt_opts[i] = context;
 opts-&gt;mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
 }
+if (sbsec-&gt;flags == NATIVE_LABELS_MNT) {
+opts-&gt;mnt_opts[i] = NULL;
+opts-&gt;mnt_opts_flags[i++] = NATIVE_LABELS_MNT;
+}
 
 BUG_ON(i != opts-&gt;num_mnt_opts);
 
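Review bot: `if (sbsec-&gt;flags == NATIVE_LABELS_MNT)` is an equality test on a bitmask, so it is false whenever native_labels is combined with any other flag bit; selinux_set_mnt_opts sets the bit with `|=` and tests it with `&amp;`. Use `sbsec-&gt;flags &amp; NATIVE_LABELS_MNT` here, and check that the code computing opts-&gt;num_mnt_opts (outside this hunk) counts the new option with the same test, otherwise the BUG_ON(i != opts-&gt;num_mnt_opts) below can fire.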
&lt; at &gt;&lt; at &gt; -606,12 +613,16 &lt; at &gt;&lt; at &gt; static int selinux_set_mnt_opts(struct super_block *sb,
  */
 for (i = 0; i &lt; num_opts; i++) {
 u32 sid;
+if (flags[i] == NATIVE_LABELS_MNT) {
+sbsec-&gt;flags |= NATIVE_LABELS_MNT;
+continue;
+}
 rc = security_context_to_sid(mount_options[i],
-     strlen(mount_options[i]), &amp;sid);
+strlen(mount_options[i]), &amp;sid);
 if (rc) {
 printk(KERN_WARNING "SELinux: security_context_to_sid"
-       "(%s) failed for (dev %s, type %s) errno=%d\n",
-       mount_options[i], sb-&gt;s_id, name, rc);
+"(%s) failed for (dev %s, type %s) errno=%d\n",
+mount_options[i], sb-&gt;s_id, name, rc);
 goto out;
 }
 switch (flags[i]) {
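Review bot: the early `continue` for NATIVE_LABELS_MNT is what keeps an option with no context string (selinux_parse_opts_str stores NULL for it) away from strlen() and security_context_to_sid(), and it needs a one-line comment saying so, since nothing else in the loop indicates that an entry may be NULL. The remaining -/+ pairs in this hunk (the strlen and printk continuation lines) change only indentation and should be dropped from this patch. A blank line after `u32 sid;` is also missing.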
&lt; at &gt;&lt; at &gt; -670,14 +681,15 &lt; at &gt;&lt; at &gt; static int selinux_set_mnt_opts(struct super_block *sb,
 if (strcmp(sb-&gt;s_type-&gt;name, "proc") == 0)
 sbsec-&gt;proc = 1;
 
-/* Determine the labeling behavior to use for this filesystem type. */
-rc = security_fs_use(sb-&gt;s_type-&gt;name, &amp;sbsec-&gt;behavior, &amp;sbsec-&gt;sid);
-if (rc) {
-printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-       __func__, sb-&gt;s_type-&gt;name, rc);
-goto out;
+if (!sbsec-&gt;behavior) {
+/* Determine the labeling behavior to use for this filesystem type. */
+rc = security_fs_use(sb-&gt;s_type-&gt;name, &amp;sbsec-&gt;behavior, &amp;sbsec-&gt;sid);
+if (rc) {
+printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
+__func__, sb-&gt;s_type-&gt;name, rc);
+goto out;
+}
 }
-
 /* sets the context of the superblock for the fs being mounted. */
 if (fscontext_sid) {
 
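Review bot: the new `if (!sbsec-&gt;behavior)` guard makes the security_fs_use() lookup depend on behavior still being zero, but nothing here says who is expected to set behavior before selinux_set_mnt_opts runs, and skipping the call also skips its assignment of sbsec-&gt;sid. Add a comment naming the code path that presets behavior and stating what sid holds in that case. The hunk also deletes the blank line before the "sets the context of the superblock" comment; keep it.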
&lt; at &gt;&lt; at &gt; -693,6 +705,11 &lt; at &gt;&lt; at &gt; static int selinux_set_mnt_opts(struct super_block *sb,
  * sets the label used on all file below the mountpoint, and will set
  * the superblock context if not already set.
  */
+/* NATIVE_LABELS can be overridden by 'context=' mounts, below. */
+if (sbsec-&gt;flags &amp; NATIVE_LABELS_MNT) {
+sbsec-&gt;behavior = SECURITY_FS_USE_NATIVE;
+}
+
 if (context_sid) {
 if (!fscontext_sid) {
 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
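Review bot: the NATIVE_LABELS block is inserted between the existing block comment that describes the context= case and the `if (context_sid)` it documents, so that comment now sits above unrelated code. Move the new block above the block comment. The braces around the single assignment are not needed under kernel coding style.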
&lt; at &gt;&lt; at &gt; -709,6 +726,7 &lt; at &gt;&lt; at &gt; static int selinux_set_mnt_opts(struct super_block *sb,
 
 sbsec-&gt;mntpoint_sid = context_sid;
 sbsec-&gt;behavior = SECURITY_FS_USE_MNTPOINT;
+sbsec-&gt;flags &amp;= ~NATIVE_LABELS_MNT; /* Exclusive */
 }
 
 if (rootcontext_sid) {
&lt; at &gt;&lt; at &gt; -721,7 +739,8 &lt; at &gt;&lt; at &gt; static int selinux_set_mnt_opts(struct super_block *sb,
 }
 
 if (defcontext_sid) {
-if (sbsec-&gt;behavior != SECURITY_FS_USE_XATTR) {
+if (sbsec-&gt;behavior != SECURITY_FS_USE_XATTR &amp;&amp;
+sbsec-&gt;behavior != SECURITY_FS_USE_NATIVE) {
 rc = -EINVAL;
 printk(KERN_WARNING "SELinux: defcontext option is "
        "invalid for this filesystem type\n");
&lt; at &gt;&lt; at &gt; -818,6 +837,7 &lt; at &gt;&lt; at &gt; static int selinux_parse_opts_str(char *options,
 char *p;
 char *context = NULL, *defcontext = NULL;
 char *fscontext = NULL, *rootcontext = NULL;
+int native_labels = 0;
 int rc, num_mnt_opts = 0;
 
 opts-&gt;num_mnt_opts = 0;
&lt; at &gt;&lt; at &gt; -885,9 +905,15 &lt; at &gt;&lt; at &gt; static int selinux_parse_opts_str(char *options,
 }
 break;
 
+case Opt_native_labels:
+printk("%s() got Opt_native_labels\n", __func__);
+native_labels = 1;
+break;
+
+
 default:
 rc = -EINVAL;
-printk(KERN_WARNING "SELinux:  unknown mount option\n");
+printk(KERN_WARNING "SELinux: unknown mount option \"%s\"\n", p);
 goto out_err;
 
 }
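Review bot: `printk("%s() got Opt_native_labels\n", __func__);` in the new case has no log level and reads as leftover debugging output; remove it or turn it into pr_debug(). There is also a doubled blank line before `default:`. The reworded "unknown mount option" message is unrelated to native labels and would be better as its own patch.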
&lt; at &gt;&lt; at &gt; -920,6 +946,10 &lt; at &gt;&lt; at &gt; static int selinux_parse_opts_str(char *options,
 opts-&gt;mnt_opts[num_mnt_opts] = defcontext;
 opts-&gt;mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
 }
+if (native_labels) {
+opts-&gt;mnt_opts[num_mnt_opts] = NULL;
+opts-&gt;mnt_opts_flags[num_mnt_opts++] = NATIVE_LABELS_MNT;
+}
 
 opts-&gt;num_mnt_opts = num_mnt_opts;
 return 0;
&lt; at &gt;&lt; at &gt; -966,7 +996,12 &lt; at &gt;&lt; at &gt; static void selinux_write_opts(struct seq_file *m,
 char *prefix;
 
 for (i = 0; i &lt; opts-&gt;num_mnt_opts; i++) {
-char *has_comma = strchr(opts-&gt;mnt_opts[i], ',');
+char *has_comma;
+
+if (opts-&gt;mnt_opts[i])
+has_comma = strchr(opts-&gt;mnt_opts[i], ',');
+else
+has_comma = NULL;
 
 switch (opts-&gt;mnt_opts_flags[i]) {
 case CONTEXT_MNT:
&lt; at &gt;&lt; at &gt; -981,6 +1016,10 &lt; at &gt;&lt; at &gt; static void selinux_write_opts(struct seq_file *m,
 case DEFCONTEXT_MNT:
 prefix = DEFCONTEXT_STR;
 break;
+case NATIVE_LABELS_MNT:
+seq_putc(m, ',');
+seq_puts(m, NATIVELABELS_STR);
+continue;
 default:
 BUG();
 };
&lt; at &gt;&lt; at &gt; -1188,6 +1227,8 &lt; at &gt;&lt; at &gt; static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 }
 
 switch (sbsec-&gt;behavior) {
+case SECURITY_FS_USE_NATIVE:
+break;
 case SECURITY_FS_USE_XATTR:
 if (!inode-&gt;i_op-&gt;getxattr) {
 isec-&gt;sid = sbsec-&gt;def_sid;
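Review bot: `case SECURITY_FS_USE_NATIVE: break;` leaves the switch without assigning isec-&gt;sid, and no comment says where the label comes from instead. The commit message says the NFS code labels these inodes at runtime; state that here, and state which SID the inode carries until that happens, since any access check made in that window is decided against it.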
&lt; at &gt;&lt; at &gt; -2358,7 +2399,8 &lt; at &gt;&lt; at &gt; static inline int selinux_option(char *option, int len)
 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
-match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
+match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
+match_prefix(NATIVELABELS_STR, sizeof(NATIVELABELS_STR)-1, option, len));
 }
 
 static inline void take_option(char **to, char *from, int *first, int len)
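Review bot: NATIVELABELS_STR has no trailing '=' like the other option strings, so the added match_prefix() call accepts any option that merely begins with "native_labels", while the tokens table entry carries no %s and expects the bare word. Such an option would be claimed as an SELinux option here and then fall into the "unknown mount option" default case in selinux_parse_opts_str instead of being passed on to the filesystem. Compare the full option length as well as the prefix.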
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 7244737..b38fd98 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
&lt; at &gt;&lt; at &gt; -41,11 +41,13 &lt; at &gt;&lt; at &gt;
 #define FSCONTEXT_MNT0x02
 #define ROOTCONTEXT_MNT0x04
 #define DEFCONTEXT_MNT0x08
+#defineNATIVE_LABELS_MNT0x10
 
 #define CONTEXT_STR"context="
 #define FSCONTEXT_STR"fscontext="
 #define ROOTCONTEXT_STR"rootcontext="
 #define DEFCONTEXT_STR"defcontext="
+#define NATIVELABELS_STR "native_labels"
 
 struct netlbl_lsm_secattr;
 
&lt; at &gt;&lt; at &gt; -147,6 +149,8 &lt; at &gt;&lt; at &gt; int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_GENFS4 /* use the genfs support */
 #define SECURITY_FS_USE_NONE5 /* no labeling support */
 #define SECURITY_FS_USE_MNTPOINT6 /* use mountpoint labeling */
+#define SECURITY_FS_USE_NATIVE7 /* use native label support */
+#define SECURITY_FS_USE_MAX7 /* Highest SECURITY_FS_USE_XXX */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
 u32 *sid);
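Review bot: SECURITY_FS_USE_MAX repeats the literal 7; define it as SECURITY_FS_USE_NATIVE so the bound checked in policydb_read() cannot drift when another behavior is added.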
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54..6dfe138 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
&lt; at &gt;&lt; at &gt; -1937,7 +1937,10 &lt; at &gt;&lt; at &gt; int policydb_read(struct policydb *p, void *fp)
 if (rc &lt; 0)
 goto bad;
 c-&gt;v.behavior = le32_to_cpu(buf[0]);
-if (c-&gt;v.behavior &gt; SECURITY_FS_USE_NONE)
+/* Determined at runtime, not in policy DB. */
+if (c-&gt;v.behavior == SECURITY_FS_USE_MNTPOINT)
+goto bad;
+if (c-&gt;v.behavior &gt; SECURITY_FS_USE_MAX)
 goto bad;
 len = le32_to_cpu(buf[1]);
 c-&gt;u.name = kmalloc(len + 1, GFP_KERNEL);
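Review bot: the comment "Determined at runtime, not in policy DB." sits over the SECURITY_FS_USE_MNTPOINT rejection only, while the new upper bound SECURITY_FS_USE_MAX lets a policy file specify SECURITY_FS_USE_NATIVE (7). The commit message describes native labeling as something done for NFS at runtime, so either reject that value here as well or explain in the commit message why policy may set it. The value is read straight from the policy image (le32_to_cpu(buf[0])), so this range check should admit exactly the behaviors the policy format is meant to carry.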
</description>
    <dc:creator>David P. Quigley</dc:creator>
    <dc:date>2008-11-26T21:03:06</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.linux.file-systems">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.file-systems</link>
  </textinput>
</rdf:RDF>
