All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Darrick J. Wong" <djwong@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions
Date: Wed, 28 Feb 2024 09:33:25 -0800	[thread overview]
Message-ID: <20240228173325.GI1927156@frogsfrogsfrogs> (raw)
In-Reply-To: <Zd9nJj3Lw4kUYIY6@infradead.org>

On Wed, Feb 28, 2024 at 09:02:30AM -0800, Christoph Hellwig wrote:
> On Wed, Feb 28, 2024 at 08:52:27AM -0800, Darrick J. Wong wrote:
> > that are private to XFS.  What this means is that userspace should never
> > be able to access any information about these files, and should not be
> > able to open these files by handle.
> > 
> > "Callers must not be allowed to link these files into the directory
> > tree, which should suffice to keep these private inodes actually
> > private.  I_LINKABLE is therefore left unset.
> 
> I_LINKABLE is only set for O_TMPFILE, so I wouldn't even bother with
> that.  But thinking about this:  what i_nlink do these private inodes
> have?  If it is >= 1, we probably want to add an IS_PRIVATE check
> to xfs_link just in case they ever leak out to a place where ->link
> could be called.

Ooh, that's a good catch.  I'll check for IS_PRIVATE in xfs_vn_link.

"We're about to start adding functionality that uses internal inodes
that are private to XFS.  What this means is that userspace should never
be able to access any information about these files, and should not be
able to open these files by handle.

"To prevent userspace from ever finding the file, or mis-interactions
with the security apparatus, set S_PRIVATE on the inode.  Don't allow
bulkstat, open-by-handle, or linking of S_PRIVATE files into the
directory tree.  This should keep private inodes actually private."

--D

  reply	other threads:[~2024-02-28 17:33 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-27  2:18 [PATCHSET v29.4 04/13] xfs: create temporary files for online repair Darrick J. Wong
2024-02-27  2:24 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong
2024-02-27 18:15   ` Christoph Hellwig
2024-02-28 16:52     ` Darrick J. Wong
2024-02-28 17:02       ` Christoph Hellwig
2024-02-28 17:33         ` Darrick J. Wong [this message]
2024-02-28 17:39           ` Christoph Hellwig
2024-02-27  2:25 ` [PATCH 2/4] xfs: create temporary files and directories for online repair Darrick J. Wong
2024-02-27 18:16   ` Christoph Hellwig
2024-02-27  2:25 ` [PATCH 3/4] xfs: refactor live buffer invalidation for repairs Darrick J. Wong
2024-02-27 18:16   ` Christoph Hellwig
2024-02-27  2:25 ` [PATCH 4/4] xfs: add the ability to reap entire inode forks Darrick J. Wong
2024-02-27 18:16   ` Christoph Hellwig
  -- strict thread matches above, loose matches on Subject: below --
2024-04-15 23:34 [PATCHSET v30.3 04/16] xfs: create temporary files for online repair Darrick J. Wong
2024-04-15 23:44 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong
2024-03-27  1:47 [PATCHSET v30.1 05/15] xfs: create temporary files for online repair Darrick J. Wong
2024-03-27  1:57 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong
2024-03-27 11:12   ` Christoph Hellwig
2023-12-31 19:29 [PATCHSET v29.0 17/28] xfs: create temporary files for online repair Darrick J. Wong
2023-12-31 20:31 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong
2023-05-26  0:34 [PATCHSET v25.0 0/4] xfs: create temporary files for online repair Darrick J. Wong
2023-05-26  1:28 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong
2022-12-30 22:14 [PATCHSET v24.0 0/4] xfs: create temporary files for online repair Darrick J. Wong
2022-12-30 22:14 ` [PATCH 1/4] xfs: hide private inodes from bulkstat and handle functions Darrick J. Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240228173325.GI1927156@frogsfrogsfrogs \
    --to=djwong@kernel.org \
    --cc=hch@infradead.org \
    --cc=linux-xfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.