Re: [RFC PATCH] fs: obtain the inode generation number from vfs directly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 2024/8/28 1:11, Darrick J. Wong wrote:
On Tue, Aug 27, 2024 at 11:22:17AM +0200, Christian Brauner wrote:
On Mon, Aug 26, 2024 at 10:37:12PM GMT, Darrick J. Wong wrote:
On Tue, Aug 27, 2024 at 10:32:38AM +0800, Hongbo Li wrote:


On 2024/8/27 10:13, Darrick J. Wong wrote:
On Tue, Aug 27, 2024 at 01:41:08AM +0000, Hongbo Li wrote:
Many mainstream file systems already support the GETVERSION ioctl,
and their implementations are completely the same, essentially
just obtain the value of i_generation. We think this ioctl can be
implemented at the VFS layer, so the file systems do not need to
implement it individually.

What if a filesystem never touches i_generation?  Is it ok to advertise
a generation number of zero when that's really meaningless?  Or should
we gate the generic ioctl on (say) whether or not the fs implements file
handles and/or supports nfs?

This ioctl mainly returns the i_generation, and whether it has meaning is up
to the specific file system. Some tools will invoke IOC_GETVERSION, such as
`lsattr -v`(but if it's lattr, it won't), but users may not necessarily
actually use this value.

That's not how that works.  If the kernel starts exporting a datum,
people will start using it, and then the expectation that it will
*continue* to work becomes ingrained in the userspace ABI forever.
Be careful about establishing new behaviors for vfat.

Is the meaning even the same across all filesystems? And what is the
meaning of this anyway? Is this described/defined for userspace
anywhere?

AFAICT there's no manpage so I guess we could return getrandom32() if we
wanted to. ;)

But in seriousness, the usual four filesystems return i_generation.
That is changed every time an inumber gets reused so that anyone with an
old file handle cannot accidentally open the wrong file.  In theory one
could use GETVERSION to construct file handles (if you do, UHLHAND!)
instead of using name_to_handle_at, which is why it's dangerous to
implement GETVERSION for everyone without checking if i_generation makes
sense.

I'm not sure if my understanding of you is correct. As my humble opinions, the ioctl is for returning information to the user, and it cannot rely on this information returned to the user to ensure the security. If the file system wants to be secure internally, it should decouple from the VFS layer interface, rather than just not implementing it. For NFS, constructing a file handle is easy, you can successfully construct a file handle by capturing the nfs protocol packet even thought the i_generation is not exposed.

Thanks,
Hongbo

--D




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux