linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Miklos Szeredi <mszeredi@redhat.com>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] call_with_creds()
Date: Wed, 18 Jul 2018 13:43:00 -0700	[thread overview]
Message-ID: <CA+55aFwhnOPO26ubjJ9WhK6YT8JqD5_UTGmNLFWbPdv-On99=w@mail.gmail.com> (raw)
In-Reply-To: <20180718200411.GW30522@ZenIV.linux.org.uk>

On Wed, Jul 18, 2018 at 1:04 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
>
> int cachefiles_write_page(struct fscache_storage *op, struct page *page)
> {
> ...
>         file = dentry_open(&path, O_RDWR | O_LARGEFILE, cache->cache_cred);

Ugh. So on the one hand, in this case I'd actually be more ok with the
whole "call_with_creds()" model, because open() is actually *supposed*
to use creds.

At the same time, my stronger reaction is that "it's actually better
to just pass down the creds as a pointer like we do".

So I think the real problem is simply that people use the current
creds without thinking about it. Often it's just hidden in a
"capable(CAP_SYS_ADMIN)" call or something like that, where people
don't even _think_ about the whole thing.

What I really think I'd prefer is to have some simple way to "poison"
current_cred().  It could be something as simple as a per-thread
counter, and we'd have current_cred() do

        WARN_ON_ONCE(in_interrupt() || current->cred_poison);

and then read/write/open could just inc/dec the cred_poison counter
(when the debug option is set).

We wouldn't even need to catch all the odd cases. We'd only need to
inc/dec the poison counter in the normal read/write/open cases, not
even worrying about the odd special cases (like that
cachefiles_write_page() case).

Why? Because then we'd make sure the filesystems do the right thing,
and then cachefiles_write_page() etc wouldn't even have to worry,
because all the _common_ open cases have already tested that yes, it
uses the right cred pointer and doesn't try to get whatever "current"
happens to be.

So I'd really like to just fix the cases where we access the wrong
creds. And I'd be more than happy to add a few wrapper functions to
make us _see_ the cases where we do so.

What I don't like is the idea of trying to make bad creds accesses
"magically do the right thing".

See what I'm aiming for?

             Linus

  parent reply	other threads:[~2018-07-18 21:22 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20180710101736.32d6cc6c@canb.auug.org.au>
     [not found] ` <20180710150455.GK30522@ZenIV.linux.org.uk>
2018-07-11  2:11   ` linux-next: manual merge of the vfs tree with the overlayfs tree Al Viro
2018-07-11  2:21     ` [RFC][PATCH 01/42] drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 02/42] cxl_getfile(): fix double-iput() on alloc_file() failures Al Viro
2018-07-11  2:21       ` [RFC][PATCH 03/42] ocxlflash_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 04/42] make get_empty_filp() to call file_free_rcu() directly Al Viro
2018-07-11  2:35         ` Linus Torvalds
2018-07-11  2:43           ` Al Viro
2018-07-11  2:21       ` [RFC][PATCH 05/42] fold security_file_free() into file_free() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 06/42] turn filp_clone_open() into inline wrapper for dentry_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 07/42] create_pipe_files(): use fput() if allocation of the second file fails Al Viro
2018-07-11  2:21       ` [RFC][PATCH 08/42] make sure do_dentry_open() won't return positive as an error Al Viro
2018-07-11  2:39         ` Linus Torvalds
2018-07-11  2:41           ` Al Viro
2018-07-11  2:21       ` [RFC][PATCH 09/42] pass creds to get_empty_filp(), make sure dentry_open() passes the right creds Al Viro
2018-07-11  2:21       ` [RFC][PATCH 10/42] get rid of cred argument of vfs_open() and do_dentry_open() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 11/42] security_file_open(): lose cred argument Al Viro
2018-07-11  2:21       ` [RFC][PATCH 12/42] ->file_open(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 13/42] introduce FMODE_OPENED Al Viro
2018-07-11  2:21       ` [RFC][PATCH 14/42] fold put_filp() into fput() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 15/42] lift fput() on late failures into path_openat() Al Viro
2018-07-11  5:43         ` Amir Goldstein
2018-07-11  2:21       ` [RFC][PATCH 16/42] now we can fold open_check_o_direct() into do_dentry_open() Al Viro
2018-07-11  2:44         ` Linus Torvalds
2018-07-11  2:59           ` Al Viro
2018-07-11  3:13             ` Linus Torvalds
2018-07-11  2:21       ` [RFC][PATCH 17/42] switch all remaining checks for FILE_OPENED to FMODE_OPENED Al Viro
2018-07-11  2:21       ` [RFC][PATCH 18/42] introduce FMODE_CREATED and switch to it Al Viro
2018-07-11  2:21       ` [RFC][PATCH 19/42] IMA: don't propagate opened through the entire thing Al Viro
2018-07-11  2:21       ` [RFC][PATCH 20/42] getting rid of 'opened' argument of ->atomic_open() - step 1 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 21/42] getting rid of 'opened' argument of ->atomic_open() - part 2 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 22/42] get rid of 'opened' argument of ->atomic_open() - part 3 Al Viro
2018-07-11  2:21       ` [RFC][PATCH 23/42] get rid of 'opened' in path_openat() and the helpers downstream Al Viro
2018-07-11  2:21       ` [RFC][PATCH 24/42] ->atomic_open(): return 0 in all success cases Al Viro
2018-07-11  2:21       ` [RFC][PATCH 25/42] document ->atomic_open() changes Al Viro
2018-07-11  2:21       ` [RFC][PATCH 26/42] switch atomic_open() and lookup_open() to returning 0 in all success cases Al Viro
2018-07-11  2:21       ` [RFC][PATCH 27/42] kill FILE_{CREATED,OPENED} Al Viro
2018-07-11  2:21       ` [RFC][PATCH 28/42] new wrapper: alloc_file_pseudo() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 29/42] __shmem_file_setup(): reorder allocations Al Viro
2018-07-11  2:21       ` [RFC][PATCH 30/42] ... and switch shmem_file_setup() to alloc_file_pseudo() Al Viro
2018-07-11  2:21       ` [RFC][PATCH 31/42] cxl_getfile(): switch " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 32/42] ocxlflash_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 33/42] hugetlb_file_setup(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 34/42] anon_inode_getfile(): " Al Viro
2018-07-11  2:21       ` [RFC][PATCH 35/42] create_pipe_files(): switch the first allocation " Al Viro
2018-07-11  2:22       ` [RFC][PATCH 36/42] new helper: alloc_file_clone() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 37/42] do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 38/42] make alloc_file() static Al Viro
2018-07-11  2:22       ` [RFC][PATCH 39/42] document alloc_file() changes Al Viro
2018-07-11  2:22       ` [RFC][PATCH 40/42] make path_init() unconditionally paired with terminate_walk() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 41/42] allow link_path_walk() to take ERR_PTR() Al Viro
2018-07-11  2:22       ` [RFC][PATCH 42/42] few more cleanups of link_path_walk() callers Al Viro
2018-07-11  2:56       ` [RFC][PATCH 01/42] drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open() Linus Torvalds
2018-07-11 15:25         ` Al Viro
2018-07-11 16:15           ` Al Viro
2018-07-12 12:43             ` Al Viro
2018-07-12 15:05               ` Linus Torvalds
2018-07-12 15:53                 ` vfs / overlayfs conflict resolution for linux-next Al Viro
2018-07-18  2:56                   ` Al Viro
2018-07-18  3:29                     ` Stephen Rothwell
2018-07-18  7:25                       ` Miklos Szeredi
2018-07-18 12:10                         ` Miklos Szeredi
2018-07-18 12:43                           ` Al Viro
2018-07-18 13:46                             ` Al Viro
2018-07-18 15:46                             ` Miklos Szeredi
2018-07-18 18:12                               ` [RFC] call_with_creds() Al Viro
2018-07-18 18:19                                 ` Linus Torvalds
2018-07-18 19:46                                   ` Al Viro
2018-07-18 19:53                                     ` Linus Torvalds
2018-07-18 20:04                                       ` Al Viro
2018-07-18 20:15                                         ` Al Viro
2018-07-18 20:43                                         ` Linus Torvalds [this message]
2018-07-18 21:22                                           ` Al Viro
2018-07-18 23:06                                             ` Linus Torvalds
2018-07-18 21:27                                         ` David Howells
2018-07-18 23:16                                           ` Linus Torvalds
2018-07-18 21:28                                 ` David Howells
2018-07-18 23:13                                   ` Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+55aFwhnOPO26ubjJ9WhK6YT8JqD5_UTGmNLFWbPdv-On99=w@mail.gmail.com' \
    --to=torvalds@linux-foundation.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mszeredi@redhat.com \
    --cc=sfr@canb.auug.org.au \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).