On Wed, Mar 31, 2021 at 10:08 PM Christian Brauner <christian.brauner@xxxxxxxxxx> wrote: > > On Wed, Mar 31, 2021 at 09:59:07PM +0800, Yongji Xie wrote: > > On Wed, Mar 31, 2021 at 8:23 PM Christian Brauner > > <christian.brauner@xxxxxxxxxx> wrote: > > > > > > On Wed, Mar 31, 2021 at 07:32:33PM +0800, Yongji Xie wrote: > > > > On Wed, Mar 31, 2021 at 5:15 PM Christian Brauner > > > > <christian.brauner@xxxxxxxxxx> wrote: > > > > > > > > > > On Wed, Mar 31, 2021 at 04:05:10PM +0800, Xie Yongji wrote: > > > > > > Export receive_fd() so that some modules can use > > > > > > it to pass file descriptor between processes without > > > > > > missing any security stuffs. > > > > > > > > > > > > Signed-off-by: Xie Yongji <xieyongji@xxxxxxxxxxxxx> > > > > > > --- > > > > > > > > > > Yeah, as I said in the other mail I'd be comfortable with exposing just > > > > > this variant of the helper. > > > > > > > > Thanks, I got it now. > > > > > > > > > Maybe this should be a separate patch bundled together with Christoph's > > > > > patch to split parts of receive_fd() into a separate helper. > > > > > > > > Do we need to add the seccomp notifier into the separate helper? In > > > > our case, the file passed to the separate helper is from another > > > > process. > > > > > > Not sure what you mean. Christoph has proposed > > > https://lore.kernel.org/linux-fsdevel/20210325082209.1067987-2-hch@xxxxxx > > > I was just saying that if we think this patch is useful we might bundle > > > it together with the > > > EXPORT_SYMBOL(receive_fd) > > > part here, convert all drivers that currently open-code get_unused_fd() > > > + fd_install() to use receive_fd(), and make this a separate patchset. > > > > > > > Yes, I see. We can split the parts (get_unused_fd() + fd_install()) of > > receive_fd() into a separate helper and convert all drivers to use > > that. What I mean is that I also would like to use > > security_file_receive() in my modules. So I'm not sure if it's ok to > > add security_file_receive() into the separate helper. Or do I need to > > export security_file_receive() separately? > > I think I confused you which is my bad. What you do here is - in my > opinion - correct. > I'm just saying that exporting receive_fd() allows further cleanups and > your export here could go on top of Christoph's change in a separate > series. > Oh, I get you now! I'm glad to do that. Thanks, Yongji