From: Amir Goldstein <amir73il@gmail.com>
To: Jan Kara <jack@suse.cz>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Dave Chinner <david@fromorbit.com>
Subject: Re: thoughts about fanotify and HSM
Date: Thu, 13 Oct 2022 15:16:25 +0300 [thread overview]
Message-ID: <CAOQ4uxi7Y_W+-+TiveYWixk4vYauSQuNAfFFZyEAVPUehT_Gaw@mail.gmail.com> (raw)
In-Reply-To: <CAOQ4uxjY3eDtqXObbso1KtZTMB7+zYHBRiUANg12hO=T=vqJrw@mail.gmail.com>
On Wed, Oct 12, 2022 at 7:28 PM Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Wed, Oct 12, 2022 at 6:44 PM Jan Kara <jack@suse.cz> wrote:
> >
> > Hi Amir!
> >
> > On Fri 07-10-22 16:58:21, Amir Goldstein wrote:
> > > > > The other use case of automatic inode marks I was thinking about,
> > > > > which are even more relevant for $SUBJECT is this:
> > > > > When instantiating a dentry with an inode that has xattr
> > > > > "security.fanotify.mask" (a.k.a. persistent inode mark), an inode
> > > > > mark could be auto created and attached to a group with a special sb
> > > > > mark (we can limit a single special mark per sb).
> > > > > This could be implemented similar to get_acl(), where i_fsnotify_mask
> > > > > is always initialized with a special value (i.e. FS_UNINITIALIZED)
> > > > > which is set to either 0 or non-zero if "security.fanotify.mask" exists.
> > > > >
> > > > > The details of how such an API would look like are very unclear to me,
> > > > > so I will try to focus on the recursive auto inode mark idea.
> > > >
> > > > Yeah, although initializing fanotify marks based on xattrs does not look
> > > > completely crazy I can see a lot of open questions there so I think
> > > > automatic inode mark idea has more chances for success at this point :).
> > >
> > > I realized that there is one sort of "persistent mark" who raises
> > > less questions - one that only has an ignore mask.
> > >
> > > ignore masks can have a "static" namespace that is not bound to any
> > > specific group, but rather a set of groups that join this namespace.
> > >
> > > I played with this idea and wrote some patches:
> > > https://github.com/amir73il/linux/commits/fan_xattr_ignore_mask
> >
> > I have glanced over the patches. In general the idea looks OK to me but I
> > have some concerns:
> >
> > 1) Technically, it may be challenging to call into filesystem xattr
> > handling code on first event generated by the inode - that may generate
> > some unexpected lock recursion for some filesystems and some events which
> > trigger the initialization...
>
> That may be a correct statement in general, but please note that
> - Only permission events trigger auto-init of xattr ignore mask
> - Permission events are called from security hooks
> - Security hooks may also call getxattr to get the security context
>
> Perhaps LSMs always initialize the security context in OPEN and
> never in ACCESS?
>
> One of the earlier versions of the patch initialized xattr ignore mask
> on LOOKUP permission event, if ANY object was interested in ANY
> permission event even if no object was interested in LOOKUP
> to mimic the LSM context initialization,
> but it was complicated and I wasn't sure if this was necessary.
>
Also, permission events can sleep by definition
so why would getxattr not be safe in the
context of permission events handling?
>
> >
> > 2) What if you set the xattr while the group is already listening to
> > events? Currently the change will get ignored, won't it? But I guess this
> > could be handled by clearing the "cached" flag when the xattr is set.
> >
>
> I have created an API to update the xattr via
> fanotify_mark(FAN_MARK_XATTR, ...
> which updates the cached ignore mask in the connector.
>
> I see no reason to support "direct" modifications of this xattr.
> If such changes are made directly it is fine to ignore them.
>
> > 3) What if multiple applications want to use the persistent mark
> > functionality? I think we need some way to associate a particular
> > fanotify group with a particular subset of fanotify xattrs so that
> > coexistence of multiple applications is possible...
> >
>
> Yeh, I thought about this as well.
> The API in the patches is quite naive because it implements a single
> global namespace for xattr ignore masks, but mostly I wanted to
> see if I can get the fast path and auto-init implementation done.
>
> I was generally thinking of ioctl() as the API to join an xattr marks
> namespace and negotiate the on-disk format of persistent marks
> supported by the application.
>
> I would not want to allow multiple fanotify xattrs per inode -
> that could have the consequence of the inode becoming a junkyard.
>
> I'd prefer to have a single xattr (say security.fanotify.mark)
> and that mark will have
> - on-disk format version
> - namespace id
> - ignore mask
> - etc
>
> If multiple applications want to use persistent marks they need to figure
> out how to work together without stepping on each other's toes.
> I don't think it is up to fanotify to coordinate that.
>
> fanotify_mark() can fail with EEXIST when a group that joined namespace A
> is trying to update a persistent mark when a persistent mark of namespace B
> already exists and probably some FAN_MARK_REPLACE flag could be used
> to force overwrite the existing persistent mark.
>
One thing that I feel a bit silly about is something that
I only fully noticed after writing this WIP wiki entry:
https://github.com/amir73il/fsnotify-utils/wiki/Hierarchical-Storage-Management-API#persistent-inode-marks
Persistent marks (in xattr) with ignore mask are useful, but only a
little bit more
useful than Evictable marks with ignore mask.
Persistent marks (in xattr) with a "positive" event mask are the real deal.
Because with "positive" persistent marks, we will be able to optimize away
srcu_read_lock() and marks iteration for the majority of fsnotify hooks
by looking at objects interest masks (including the FS_XATTR_CACHED bit).
The good thing about the POC patches [1] is that there is no technical
limitation
in this code for using persistent marks with positive event masks.
It is a bit more challenging to document the fact that a "normal" fs/mount mark
is needed in order to "activate" the persistent marks in the inodes of
this fs/mount,
but the changes to the code to support that would be minimal.
Thanks,
Amir.
[1] https://github.com/amir73il/linux/commits/fan_xattr_ignore_mask
next prev parent reply other threads:[~2022-10-13 12:16 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-11 18:12 thoughts about fanotify and HSM Amir Goldstein
2022-09-12 12:57 ` Jan Kara
2022-09-12 16:38 ` Amir Goldstein
[not found] ` <BY5PR07MB652953061D3A2243F66F0798A3449@BY5PR07MB6529.namprd07.prod.outlook.com>
2022-09-13 2:41 ` Amir Goldstein
2022-09-14 7:27 ` Amir Goldstein
2022-09-14 10:30 ` Jan Kara
2022-09-14 11:52 ` Amir Goldstein
2022-09-20 18:19 ` Amir Goldstein
2022-09-22 10:48 ` Jan Kara
2022-09-22 13:03 ` Amir Goldstein
2022-09-26 15:27 ` Jan Kara
2022-09-28 12:29 ` Amir Goldstein
2022-09-29 10:01 ` Jan Kara
2022-10-07 13:58 ` Amir Goldstein
2022-10-12 15:44 ` Jan Kara
2022-10-12 16:28 ` Amir Goldstein
2022-10-13 12:16 ` Amir Goldstein [this message]
2022-11-03 12:57 ` Jan Kara
2022-11-03 13:38 ` Amir Goldstein
2022-10-28 12:50 ` Amir Goldstein
2022-11-03 16:30 ` Jan Kara
2022-11-04 8:17 ` Amir Goldstein
2022-11-07 11:10 ` Jan Kara
2022-11-07 14:13 ` Amir Goldstein
2022-11-14 19:17 ` Jan Kara
2022-11-14 20:08 ` Amir Goldstein
2022-11-15 10:16 ` Jan Kara
2022-11-15 13:08 ` Amir Goldstein
2022-11-16 10:56 ` Jan Kara
2022-11-16 16:24 ` Amir Goldstein
2022-11-17 12:38 ` Amir Goldstein
2022-11-23 10:49 ` Jan Kara
2022-11-23 13:07 ` Amir Goldstein
2022-11-21 16:40 ` Amir Goldstein
2022-11-23 12:11 ` Jan Kara
2022-11-23 13:30 ` Amir Goldstein
2022-11-23 10:10 ` Jan Kara
2022-11-23 15:16 ` Amir Goldstein
[not found] ` <BY5PR07MB6529795F49FB4E923AFCB062A3449@BY5PR07MB6529.namprd07.prod.outlook.com>
2022-09-14 9:29 ` Jan Kara
2022-09-21 23:27 ` Dave Chinner
2022-09-22 4:35 ` Amir Goldstein
2022-09-23 7:57 ` Dave Chinner
2022-09-23 11:22 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOQ4uxi7Y_W+-+TiveYWixk4vYauSQuNAfFFZyEAVPUehT_Gaw@mail.gmail.com \
--to=amir73il@gmail.com \
--cc=david@fromorbit.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).