From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_DKIMWL_WL_MED,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 06D01C28CC0 for ; Wed, 29 May 2019 14:16:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D0ADA239B8 for ; Wed, 29 May 2019 14:16:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PRVorFm2" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727072AbfE2OQn (ORCPT ); Wed, 29 May 2019 10:16:43 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:43765 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726820AbfE2OQm (ORCPT ); Wed, 29 May 2019 10:16:42 -0400 Received: by mail-ot1-f68.google.com with SMTP id i8so2149200oth.10 for ; Wed, 29 May 2019 07:16:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LPIxbFckpmqavIl60mnhGb6C8rcrkiaOP2OfEidBo5E=; b=PRVorFm2Okq9hP5kqFH4ZiGr/E/Zu5eJY3MGXXFHxfdpmEdO3GutJJMHvfi09HYlYk SnDTz9Jq0D6SvbjJsXUxw5SPAGf64dGBdkqzG7gBAtOGooyMlAvl8mmczoLi90evYR0A PoHHqSU1LxoqR2wdSfJkTL18f/IZSr+Mc0D+armTgiJNv2KbxIbIGzPnKannBmXr5ZoL onXscwCND5pzd7qsQ+4DRiaG4VALoZaDIZlGVD+Au9+DrLehAtdeFUdLTVj+n3sjvpTd 19cYxGogHm6iK4AXItVQ8hkyokyg4Cjwng+d2g0cb8MTYxZRlHB62qmC+BHhUJPQbJyg MxTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LPIxbFckpmqavIl60mnhGb6C8rcrkiaOP2OfEidBo5E=; b=NXQv0JcNqXi1h67kggsPaded4Xh6ntaVaE3ES1i5XqDyJHIkvWxqEFl0QSIRcl1Fah j/XdC0weWVB0QSpmFgH232owx9MD0iZQmBVAeH78FxJCwYRRV00VwxcetH3gHlRcDwPL yKVbhkOcT7+uq4kj/Js8Jo/BrcWfqZc9iPVb20rwMxDCYV34xn9nohj/nY17GizcWovK TuIUG9nAwotlJknsexsRK7tdH3pfyBBI5e+d5y9Vy8ZHKT0AKdnCgyVIGM5D4yBIW9Xe gYU7tt3BD5BeWgHYgX+GiVfKEbwh14vZXM/UZHKRxOUsbrV0Uz8qy0me3W6Y8TwmhtkY ZXxg== X-Gm-Message-State: APjAAAW/p/KpBHcWiZ2bIf95FU9WUhTaCd8Lpfq8mezHzbxyVqDY++n8 1gD51Lmzo3n4hbjXdYakYE8WMnszYnrLF/l9zBWnzQ== X-Google-Smtp-Source: APXvYqwFTJrhrhEsjfOGtxnb29he2Fqyf9z7Tcu+GzobGgP0NfT3JF16fdsQq+/5jwCnLYlKlqDC3v5fUc8xIPyeFeo= X-Received: by 2002:a9d:7f8b:: with SMTP id t11mr37188otp.110.1559139396903; Wed, 29 May 2019 07:16:36 -0700 (PDT) MIME-Version: 1.0 References: <155905930702.7587.7100265859075976147.stgit@warthog.procyon.org.uk> <155905934373.7587.10824503964531598726.stgit@warthog.procyon.org.uk> <24577.1559134719@warthog.procyon.org.uk> In-Reply-To: <24577.1559134719@warthog.procyon.org.uk> From: Jann Horn Date: Wed, 29 May 2019 16:16:10 +0200 Message-ID: Subject: Re: [PATCH 4/7] vfs: Add superblock notifications To: David Howells Cc: Al Viro , raven@themaw.net, linux-fsdevel , Linux API , linux-block@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module , kernel list Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Wed, May 29, 2019 at 2:58 PM David Howells wrote: > Jann Horn wrote: > > It might make sense to require that the path points to the root inode > > of the superblock? That way you wouldn't be able to do this on a bind > > mount that exposes part of a shared filesystem to a container. > > Why prevent that? It doesn't prevent the container denizen from watching a > bind mount that exposes the root of a shared filesystem into a container. Well, yes, but if you expose the root of the shared filesystem to the container, the container is probably meant to have a higher level of access than if only a bind mount is exposed? But I don't know. > It probably makes sense to permit the LSM to rule on whether a watch may be > emplaced, however. We should have some sort of reasonable policy outside of LSM code though - the kernel should still be secure even if no LSMs are built into it. > > > + } > > > + } > > > + up_write(&s->s_umount); > > > + if (ret < 0) > > > + kfree(watch); > > > + } else if (s->s_watchers) { > > > > This should probably have something like a READ_ONCE() for clarity? > > Note that I think I'll rearrange this to: > > } else { > ret = -EBADSLT; > if (s->s_watchers) { > down_write(&s->s_umount); > ret = remove_watch_from_object(s->s_watchers, wqueue, > s->s_unique_id, false); > up_write(&s->s_umount); > } > } > > I'm not sure READ_ONCE() is necessary, since s_watchers can only be > instantiated once and the watch list then persists until the superblock is > deactivated. Furthermore, by the time deactivate_locked_super() is called, we > can't be calling sb_notify() on it as it's become inaccessible. > > So if we see s->s_watchers as non-NULL, we should not see anything different > inside the lock. In fact, I should be able to rewrite the above to: > > } else { > ret = -EBADSLT; > wlist = s->s_watchers; > if (wlist) { > down_write(&s->s_umount); > ret = remove_watch_from_object(wlist, wqueue, > s->s_unique_id, false); > up_write(&s->s_umount); > } > } I'm extremely twitchy when it comes to code like this because AFAIK gcc at least used to sometimes turn code that read a value from memory and then used it multiple times into something with multiple memory reads, leading to critical security vulnerabilities; see e.g. slide 36 of . I am not aware of any spec that requires the compiler to only perform one read from the memory location in code like this.