Re: [RFC][PATCH] fanotify: allow to set errno in FAN_DENY permission response

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm sorry for the delay. The last week was busy and this fell through the
cracks.

On Mon 29-01-24 20:30:34, Amir Goldstein wrote:
> On Mon, Dec 18, 2023 at 5:53 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> > In the HttpDirFS HSM demo, I used FAN_OPEN_PERM on a mount mark
> > to deny open of file during the short time that it's content is being
> > punched out [1].
> > It is quite complicated to explain, but I only used it for denying access,
> > not to fill content and not to write anything to filesystem.
> > It's worth noting that returning EBUSY in that case would be more meaningful
> > to users.
> >
> > That's one case in favor of allowing FAN_DENY_ERRNO for FAN_OPEN_PERM,
> > but mainly I do not have a proof that people will not need it.
> >
> > OTOH, I am a bit concerned that this will encourage developer to use
> > FAN_OPEN_PERM as a trigger to filling file content and then we are back to
> > deadlock risk zone.
> >
> > Not sure which way to go.
> >
> > Anyway, I think we agree that there is no reason to merge FAN_DENY_ERRNO
> > before FAN_PRE_* events, so we can continue this discussion later when
> > I post FAN_PRE_* patches - not for this cycle.
> 
> I started to prepare the pre-content events patches for posting and got back
> to this one as well.
> 
> Since we had this discussion I have learned of another use case that
> requires filling file content in FAN_OPEN_PERM hook, FAN_OPEN_EXEC_PERM
> to be exact.
>
> The reason is that unless an executable content is filled at execve() time,
> there is no other opportunity to fill its content without getting -ETXTBSY.

Yes, I've been scratching my head over this usecase for a few days. I was
thinking whether we could somehow fill in executable (and executed) files on
access but it all seemed too hacky so I agree that we probably have to fill
them in on open. 

> So to keep things more flexible, I decided to add -ETXTBSY to the
> allowed errors with FAN_DENY_ERRNO() and to decided to allow
> FAN_DENY_ERRNO() with all permission events.
>
> To keep FAN_DENY_ERRNO() a bit more focused on HSM, I have
> added a limitation that FAN_DENY_ERRNO() is allowed only for
> FAN_CLASS_PRE_CONTENT groups.

I have no problem with adding -ETXTBSY to the set of allowed errors. That
makes sense. Adding FAN_DENY_ERRNO() to all permission events in
FAN_CLASS_PRE_CONTENT groups - OK, if we don't find anything better - I
wanted to hash out another possibility here: Currently all permission
events (and thus also the events we plan to use for HSM AFAIU) are using
'fd' to identify file where the event happened. This is used as identifier
for response, can be used to fill in file contents for HSM but it also
causes issues such as the problem with exec(2) occasionally failing if this
fd happens to get closed only after exec(2) gets to checking
deny_write_access(). So what if we implemented events needed for HSM as FID
events (we'd have think how to match replies to events)? Then the app would
open the file for filling in using FID as well as it would naturally close
the handle before replying so problems with exec(2) would not arise. These
would be essentially new events (so far we didn't allow permission events
in FID groups) so allowing FAN_DENY_ERRNO() replies for them would be
natural. Overall it would seem like a cleaner "clean room implementation"
API?

								Honza
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux