Re: [PATCH] Add flags option to get xattr method paired to __vfs_getxattr

From: Mark Salyzyn <salyzyn@android.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Latchesar Ionkov" <lucho@ionkov.net>,
	"Dave Kleikamp" <shaggy@kernel.org>,
	jfs-discussion@lists.sourceforge.net,
	linux-integrity@vger.kernel.org,
	"Martin Brandenburg" <martin@omnibond.com>,
	samba-technical@lists.samba.org,
	"Dominique Martinet" <asmadeus@codewreck.org>,
	"Chao Yu" <yuchao0@huawei.com>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	linux-unionfs@vger.kernel.org,
	"David Howells" <dhowells@redhat.com>, "Chris Mason" <clm@fb.com>,
	"David S. Miller" <davem@davemloft.net>,
	"Andreas Dilger" <adilger.kernel@dilger.ca>,
	"Eric Paris" <eparis@parisplace.org>,
	netdev@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net,
	linux-afs@lists.infradead.org,
	"Mike Marshall" <hubcap@omnibond.com>,
	linux-xfs@vger.kernel.org,
	"Andreas Gruenbacher" <agruenba@redhat.com>,
	"Sage Weil" <sage@redhat.com>,
	"Miklos Szeredi" <miklos@szeredi.hu>,
	"Richard Weinberger" <richard@nod.at>,
	"Mark Fasheh" <mark@fasheh.com>,
	"Hugh Dickins" <hughd@google.com>,
	"James Morris" <jmorris@namei.org>,
	cluster-devel@redhat.com, selinux@vger.kernel.org,
	"Vyacheslav Dubeyko" <slava@dubeyko.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	v9fs-developer@lists.sourceforge.net,
	"Ilya Dryomov" <idryomov@gmail.com>,
	linux-ext4@vger.kernel.org, kernel-team@android.com,
	linux-mm@kvack.org, devel@lists.orangefs.org,
	"Serge Hallyn" <serge@hallyn.com>,
	"Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>,
	linux-cifs@vger.kernel.org,
	"Eric Van Hensbergen" <ericvh@gmail.com>,
	ecryptfs@vger.kernel.org, "Josef Bacik" <josef@toxicpanda.com>,
	reiserfs-devel@vger.kernel.org, "Tejun Heo" <tj@kernel.org>,
	"Joel Becker" <jlbec@evilplan.org>,
	linux-mtd@lists.infradead.org, "David Sterba" <dsterba@suse.com>,
	"Jaegeuk Kim" <jaegeuk@kernel.org>,
	ceph-devel@vger.kernel.org,
	"Trond Myklebust" <trond.myklebust@hammerspace.com>,
	"Paul Moore" <paul@paul-moore.com>,
	linux-nfs@vger.kernel.org, "Theodore Ts'o" <tytso@mit.edu>,
	linux-fsdevel@vger.kernel.org,
	"Joseph Qi" <joseph.qi@linux.alibaba.com>,
	"Mathieu Malaterre" <malat@debian.org>,
	"Stephen Smalley" <sds@tycho.nsa.gov>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	"Jeff Layton" <jlayton@kernel.org>,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	"Tyler Hicks" <tyhicks@canonical.com>,
	"Steve French" <sfrench@samba.org>,
	linux-security-module@vger.kernel.org,
	ocfs2-devel@oss.oracle.com, "Jan Kara" <jack@suse.com>,
	"Bob Peterson" <rpeterso@redhat.com>,
	"Phillip Lougher" <phillip@squashfs.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"David Woodhouse" <dwmw2@infradead.org>,
	"Anna Schumaker" <anna.schumaker@netapp.com>,
	linux-btrfs@vger.kernel.org,
	"Alexander Viro" <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] Add flags option to get xattr method paired to __vfs_getxattr
Date: Tue, 13 Aug 2019 07:37:29 -0700	[thread overview]
Message-ID: <e211bef2-f346-c9c7-f4b8-c774159b14e1@android.com> (raw)
In-Reply-To: <20190813084801.GA972@kroah.com>

On 8/13/19 1:48 AM, Greg Kroah-Hartman wrote:
> On Mon, Aug 12, 2019 at 12:32:49PM -0700, Mark Salyzyn wrote:
>> --- a/include/linux/xattr.h
>> +++ b/include/linux/xattr.h
>> @@ -30,10 +30,10 @@ struct xattr_handler {
>>   	const char *prefix;
>>   	int flags;      /* fs private flags */
>>   	bool (*list)(struct dentry *dentry);
>> -	int (*get)(const struct xattr_handler *, struct dentry *dentry,
>> +	int (*get)(const struct xattr_handler *handler, struct dentry *dentry,
>>   		   struct inode *inode, const char *name, void *buffer,
>> -		   size_t size);
>> -	int (*set)(const struct xattr_handler *, struct dentry *dentry,
>> +		   size_t size, int flags);
>> +	int (*set)(const struct xattr_handler *handler, struct dentry *dentry,
>>   		   struct inode *inode, const char *name, const void *buffer,
>>   		   size_t size, int flags);
> Wow, 7 arguments.  Isn't there some nice rule of thumb that says once
> you get more then 5, a function becomes impossible to understand?

This is a method with a pot-pourri of somewhat intuitive useful, but not 
always necessary, arguments, the additional argument does not complicate 
the function(s) AFAIK, but maybe its usage. Most functions do not even 
reference handler, the inode is typically a derivative of dentry, The 
arguments most used are the name of the attribute and the buffer/size 
the results are to be placed into.

The addition of flags is actually a pattern borrowed from the [.]set 
method, which provides at least 32 bits of 'control' (of which we added 
only one). Before, it was an anti-pattern.

> Surely this could be a structure passed in here somehow, that way when
> you add the 8th argument in the future, you don't have to change
> everything yet again?  :)
Just be happy I provided int flags, instead of bool no_security ;-> 
there are a few bits there that can be used in the future.
> I don't have anything concrete to offer as a replacement fix for this,
> but to me this just feels really wrong...

I went through 6 different alternatives (in the overlayfs security fix 
patch set) until I found this one that resonated with the security and 
filesystem stakeholders. The one was a direct result of trying to reduce 
the security attack surface. This code was created by threading a 
needle, and evolution. I am game for a 7th alternative to solve the 
unionfs set of recursive calls into acquiring the extended attributes.

-- Mark

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/