diff mbox series

[2/2] procfs: Add 'path' to /proc/<pid>/fdinfo/

Message ID 20220531212521.1231133-3-kaleshsingh@google.com (mailing list archive)
State New
Headers show
Series procfs: Add file path and size to /proc/<pid>/fdinfo | expand

Commit Message

Kalesh Singh May 31, 2022, 9:25 p.m. UTC
In order to identify the type of memory a process has pinned through
its open fds, add the file path to fdinfo output. This allows
identifying memory types based on common prefixes. e.g. "/memfd...",
"/dmabuf...", "/dev/ashmem...".

Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
the same as /proc/<pid>/maps which also exposes the file path of
mappings; so the security permissions for accessing path is consistent
with that of /proc/<pid>/maps.

Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
---

Changes from rfc:
  - Split adding 'size' and 'path' into a separate patches, per Christian
  - Fix indentation (use tabs) in documentaion, per Randy

 Documentation/filesystems/proc.rst | 14 ++++++++++++--
 fs/proc/fd.c                       |  4 ++++
 2 files changed, 16 insertions(+), 2 deletions(-)

Comments

Stephen Brennan May 31, 2022, 10:07 p.m. UTC | #1
On 5/31/22 14:25, Kalesh Singh wrote:
> In order to identify the type of memory a process has pinned through
> its open fds, add the file path to fdinfo output. This allows
> identifying memory types based on common prefixes. e.g. "/memfd...",
> "/dmabuf...", "/dev/ashmem...".
> 
> Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
> the same as /proc/<pid>/maps which also exposes the file path of
> mappings; so the security permissions for accessing path is consistent
> with that of /proc/<pid>/maps.

Hi Kalesh,

I think I see the value in the size field, but I'm curious about path,
which is available via readlink /proc/<pid>/fd/<n>, since those are
symlinks to the file themselves.

File paths can contain fun characters like newlines or colons, which
could make parsing out filenames in this text file... fun. How would your
userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
readlink(2) API makes that easy already.

Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
to a different path between reading fdinfo and stating the fd)?

Stephen

> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
> ---
> 
> Changes from rfc:
>   - Split adding 'size' and 'path' into a separate patches, per Christian
>   - Fix indentation (use tabs) in documentaion, per Randy
> 
>  Documentation/filesystems/proc.rst | 14 ++++++++++++--
>  fs/proc/fd.c                       |  4 ++++
>  2 files changed, 16 insertions(+), 2 deletions(-)
> 
> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> index 779c05528e87..591f12d30d97 100644
> --- a/Documentation/filesystems/proc.rst
> +++ b/Documentation/filesystems/proc.rst
> @@ -1886,14 +1886,16 @@ if precise results are needed.
>  3.8	/proc/<pid>/fdinfo/<fd> - Information about opened file
>  ---------------------------------------------------------------
>  This file provides information associated with an opened file. The regular
> -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
> +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
> +and 'path'.
>  
>  The 'pos' represents the current offset of the opened file in decimal
>  form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
>  file has been created with [see open(2) for details] and 'mnt_id' represents
>  mount ID of the file system containing the opened file [see 3.5
>  /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
> -the file, and 'size' represents the size of the file in bytes.
> +the file, 'size' represents the size of the file in bytes, and 'path'
> +represents the file path.
>  
>  A typical output is::
>  
> @@ -1902,6 +1904,7 @@ A typical output is::
>  	mnt_id:	19
>  	ino:	63107
>  	size:	0
> +	path:	/dev/null
>  
>  All locks associated with a file descriptor are shown in its fdinfo too::
>  
> @@ -1920,6 +1923,7 @@ Eventfd files
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:[eventfd]
>  	eventfd-count:	5a
>  
>  where 'eventfd-count' is hex value of a counter.
> @@ -1934,6 +1938,7 @@ Signalfd files
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:[signalfd]
>  	sigmask:	0000000000000200
>  
>  where 'sigmask' is hex value of the signal mask associated
> @@ -1949,6 +1954,7 @@ Epoll files
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:[eventpoll]
>  	tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
>  
>  where 'tfd' is a target file descriptor number in decimal form,
> @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:inotify
>  	inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
>  
>  where 'wd' is a watch descriptor in decimal form, i.e. a target file
> @@ -1992,6 +1999,7 @@ For fanotify files the format is::
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:[fanotify]
>  	fanotify flags:10 event-flags:0
>  	fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
>  	fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
> @@ -2018,6 +2026,7 @@ Timerfd files
>  	mnt_id:	9
>  	ino:	63107
>  	size:   0
> +	path:	anon_inode:[timerfd]
>  	clockid: 0
>  	ticks: 0
>  	settime flags: 01
> @@ -2042,6 +2051,7 @@ DMA Buffer files
>  	mnt_id:	9
>  	ino:	63107
>  	size:   32768
> +	path:	/dmabuf:
>  	count:  2
>  	exp_name:  system-heap
>  
> diff --git a/fs/proc/fd.c b/fs/proc/fd.c
> index 464bc3f55759..8889a8ba09d4 100644
> --- a/fs/proc/fd.c
> +++ b/fs/proc/fd.c
> @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
>  	seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
>  	seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
>  
> +	seq_puts(m, "path:\t");
> +	seq_file_path(m, file, "\n");
> +	seq_putc(m, '\n');
> +
>  	/* show_fd_locks() never deferences files so a stale value is safe */
>  	show_fd_locks(m, file, files);
>  	if (seq_has_overflowed(m))
Kalesh Singh May 31, 2022, 10:30 p.m. UTC | #2
On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
<stephen.s.brennan@oracle.com> wrote:
>
> On 5/31/22 14:25, Kalesh Singh wrote:
> > In order to identify the type of memory a process has pinned through
> > its open fds, add the file path to fdinfo output. This allows
> > identifying memory types based on common prefixes. e.g. "/memfd...",
> > "/dmabuf...", "/dev/ashmem...".
> >
> > Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
> > the same as /proc/<pid>/maps which also exposes the file path of
> > mappings; so the security permissions for accessing path is consistent
> > with that of /proc/<pid>/maps.
>
> Hi Kalesh,

Hi Stephen,

Thanks for taking a look.

>
> I think I see the value in the size field, but I'm curious about path,
> which is available via readlink /proc/<pid>/fd/<n>, since those are
> symlinks to the file themselves.

This could work if we are root, but the file permissions wouldn't
allow us to do the readlink on other processes otherwise. We want to
be able to capture the system state in production environments from
some trusted process with ptrace read capability.

>
> File paths can contain fun characters like newlines or colons, which
> could make parsing out filenames in this text file... fun. How would your
> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
> readlink(2) API makes that easy already.

I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
then user space might parse this line like:

if (strncmp(line, "path:\t", 6) == 0)
        char* path = line + 6;


Thanks,
Kalesh

>
> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
> to a different path between reading fdinfo and stating the fd)?
>
> Stephen
>
> > Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
> > ---
> >
> > Changes from rfc:
> >   - Split adding 'size' and 'path' into a separate patches, per Christian
> >   - Fix indentation (use tabs) in documentaion, per Randy
> >
> >  Documentation/filesystems/proc.rst | 14 ++++++++++++--
> >  fs/proc/fd.c                       |  4 ++++
> >  2 files changed, 16 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> > index 779c05528e87..591f12d30d97 100644
> > --- a/Documentation/filesystems/proc.rst
> > +++ b/Documentation/filesystems/proc.rst
> > @@ -1886,14 +1886,16 @@ if precise results are needed.
> >  3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
> >  ---------------------------------------------------------------
> >  This file provides information associated with an opened file. The regular
> > -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
> > +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
> > +and 'path'.
> >
> >  The 'pos' represents the current offset of the opened file in decimal
> >  form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
> >  file has been created with [see open(2) for details] and 'mnt_id' represents
> >  mount ID of the file system containing the opened file [see 3.5
> >  /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
> > -the file, and 'size' represents the size of the file in bytes.
> > +the file, 'size' represents the size of the file in bytes, and 'path'
> > +represents the file path.
> >
> >  A typical output is::
> >
> > @@ -1902,6 +1904,7 @@ A typical output is::
> >       mnt_id: 19
> >       ino:    63107
> >       size:   0
> > +     path:   /dev/null
> >
> >  All locks associated with a file descriptor are shown in its fdinfo too::
> >
> > @@ -1920,6 +1923,7 @@ Eventfd files
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:[eventfd]
> >       eventfd-count:  5a
> >
> >  where 'eventfd-count' is hex value of a counter.
> > @@ -1934,6 +1938,7 @@ Signalfd files
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:[signalfd]
> >       sigmask:        0000000000000200
> >
> >  where 'sigmask' is hex value of the signal mask associated
> > @@ -1949,6 +1954,7 @@ Epoll files
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:[eventpoll]
> >       tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
> >
> >  where 'tfd' is a target file descriptor number in decimal form,
> > @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:inotify
> >       inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
> >
> >  where 'wd' is a watch descriptor in decimal form, i.e. a target file
> > @@ -1992,6 +1999,7 @@ For fanotify files the format is::
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:[fanotify]
> >       fanotify flags:10 event-flags:0
> >       fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
> >       fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
> > @@ -2018,6 +2026,7 @@ Timerfd files
> >       mnt_id: 9
> >       ino:    63107
> >       size:   0
> > +     path:   anon_inode:[timerfd]
> >       clockid: 0
> >       ticks: 0
> >       settime flags: 01
> > @@ -2042,6 +2051,7 @@ DMA Buffer files
> >       mnt_id: 9
> >       ino:    63107
> >       size:   32768
> > +     path:   /dmabuf:
> >       count:  2
> >       exp_name:  system-heap
> >
> > diff --git a/fs/proc/fd.c b/fs/proc/fd.c
> > index 464bc3f55759..8889a8ba09d4 100644
> > --- a/fs/proc/fd.c
> > +++ b/fs/proc/fd.c
> > @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
> >       seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
> >       seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
> >
> > +     seq_puts(m, "path:\t");
> > +     seq_file_path(m, file, "\n");
> > +     seq_putc(m, '\n');
> > +
> >       /* show_fd_locks() never deferences files so a stale value is safe */
> >       show_fd_locks(m, file, files);
> >       if (seq_has_overflowed(m))
>
> --
> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>
Stephen Brennan May 31, 2022, 10:48 p.m. UTC | #3
Kalesh Singh <kaleshsingh@google.com> writes:
> On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
> <stephen.s.brennan@oracle.com> wrote:
>>
>> On 5/31/22 14:25, Kalesh Singh wrote:
>> > In order to identify the type of memory a process has pinned through
>> > its open fds, add the file path to fdinfo output. This allows
>> > identifying memory types based on common prefixes. e.g. "/memfd...",
>> > "/dmabuf...", "/dev/ashmem...".
>> >
>> > Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
>> > the same as /proc/<pid>/maps which also exposes the file path of
>> > mappings; so the security permissions for accessing path is consistent
>> > with that of /proc/<pid>/maps.
>>
>> Hi Kalesh,
>
> Hi Stephen,
>
> Thanks for taking a look.
>
>>
>> I think I see the value in the size field, but I'm curious about path,
>> which is available via readlink /proc/<pid>/fd/<n>, since those are
>> symlinks to the file themselves.
>
> This could work if we are root, but the file permissions wouldn't
> allow us to do the readlink on other processes otherwise. We want to
> be able to capture the system state in production environments from
> some trusted process with ptrace read capability.

Interesting, thanks for explaining. It seems weird to have a duplicate
interface for the same information but such is life.

>>
>> File paths can contain fun characters like newlines or colons, which
>> could make parsing out filenames in this text file... fun. How would your
>> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
>> readlink(2) API makes that easy already.
>
> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),

I really should have read through that function before commenting,
thanks for teaching me something new :)

Stephen

> then user space might parse this line like:
>
> if (strncmp(line, "path:\t", 6) == 0)
>         char* path = line + 6;
>
>
> Thanks,
> Kalesh
>
>>
>> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
>> to a different path between reading fdinfo and stating the fd)?
>>
>> Stephen
>>
>> > Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
>> > ---
>> >
>> > Changes from rfc:
>> >   - Split adding 'size' and 'path' into a separate patches, per Christian
>> >   - Fix indentation (use tabs) in documentaion, per Randy
>> >
>> >  Documentation/filesystems/proc.rst | 14 ++++++++++++--
>> >  fs/proc/fd.c                       |  4 ++++
>> >  2 files changed, 16 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
>> > index 779c05528e87..591f12d30d97 100644
>> > --- a/Documentation/filesystems/proc.rst
>> > +++ b/Documentation/filesystems/proc.rst
>> > @@ -1886,14 +1886,16 @@ if precise results are needed.
>> >  3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
>> >  ---------------------------------------------------------------
>> >  This file provides information associated with an opened file. The regular
>> > -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
>> > +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
>> > +and 'path'.
>> >
>> >  The 'pos' represents the current offset of the opened file in decimal
>> >  form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
>> >  file has been created with [see open(2) for details] and 'mnt_id' represents
>> >  mount ID of the file system containing the opened file [see 3.5
>> >  /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
>> > -the file, and 'size' represents the size of the file in bytes.
>> > +the file, 'size' represents the size of the file in bytes, and 'path'
>> > +represents the file path.
>> >
>> >  A typical output is::
>> >
>> > @@ -1902,6 +1904,7 @@ A typical output is::
>> >       mnt_id: 19
>> >       ino:    63107
>> >       size:   0
>> > +     path:   /dev/null
>> >
>> >  All locks associated with a file descriptor are shown in its fdinfo too::
>> >
>> > @@ -1920,6 +1923,7 @@ Eventfd files
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:[eventfd]
>> >       eventfd-count:  5a
>> >
>> >  where 'eventfd-count' is hex value of a counter.
>> > @@ -1934,6 +1938,7 @@ Signalfd files
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:[signalfd]
>> >       sigmask:        0000000000000200
>> >
>> >  where 'sigmask' is hex value of the signal mask associated
>> > @@ -1949,6 +1954,7 @@ Epoll files
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:[eventpoll]
>> >       tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
>> >
>> >  where 'tfd' is a target file descriptor number in decimal form,
>> > @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:inotify
>> >       inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
>> >
>> >  where 'wd' is a watch descriptor in decimal form, i.e. a target file
>> > @@ -1992,6 +1999,7 @@ For fanotify files the format is::
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:[fanotify]
>> >       fanotify flags:10 event-flags:0
>> >       fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
>> >       fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
>> > @@ -2018,6 +2026,7 @@ Timerfd files
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   0
>> > +     path:   anon_inode:[timerfd]
>> >       clockid: 0
>> >       ticks: 0
>> >       settime flags: 01
>> > @@ -2042,6 +2051,7 @@ DMA Buffer files
>> >       mnt_id: 9
>> >       ino:    63107
>> >       size:   32768
>> > +     path:   /dmabuf:
>> >       count:  2
>> >       exp_name:  system-heap
>> >
>> > diff --git a/fs/proc/fd.c b/fs/proc/fd.c
>> > index 464bc3f55759..8889a8ba09d4 100644
>> > --- a/fs/proc/fd.c
>> > +++ b/fs/proc/fd.c
>> > @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
>> >       seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
>> >       seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
>> >
>> > +     seq_puts(m, "path:\t");
>> > +     seq_file_path(m, file, "\n");
>> > +     seq_putc(m, '\n');
>> > +
>> >       /* show_fd_locks() never deferences files so a stale value is safe */
>> >       show_fd_locks(m, file, files);
>> >       if (seq_has_overflowed(m))
>>
>> --
>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>>
Christian König June 1, 2022, 3:02 p.m. UTC | #4
Am 01.06.22 um 00:48 schrieb Stephen Brennan:
> Kalesh Singh <kaleshsingh@google.com> writes:
>> On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
>> <stephen.s.brennan@oracle.com> wrote:
>>> On 5/31/22 14:25, Kalesh Singh wrote:
>>>> In order to identify the type of memory a process has pinned through
>>>> its open fds, add the file path to fdinfo output. This allows
>>>> identifying memory types based on common prefixes. e.g. "/memfd...",
>>>> "/dmabuf...", "/dev/ashmem...".
>>>>
>>>> Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
>>>> the same as /proc/<pid>/maps which also exposes the file path of
>>>> mappings; so the security permissions for accessing path is consistent
>>>> with that of /proc/<pid>/maps.
>>> Hi Kalesh,
>> Hi Stephen,
>>
>> Thanks for taking a look.
>>
>>> I think I see the value in the size field, but I'm curious about path,
>>> which is available via readlink /proc/<pid>/fd/<n>, since those are
>>> symlinks to the file themselves.
>> This could work if we are root, but the file permissions wouldn't
>> allow us to do the readlink on other processes otherwise. We want to
>> be able to capture the system state in production environments from
>> some trusted process with ptrace read capability.
> Interesting, thanks for explaining. It seems weird to have a duplicate
> interface for the same information but such is life.

Yeah, the size change is really straight forward but for this one I'm 
not 100% sure either.

Probably best to ping some core fs developer before going further with it.

BTW: Any preferred branch to push this upstream? If not I can take it 
through drm-misc-next.

Regards,
Christian.

>
>>> File paths can contain fun characters like newlines or colons, which
>>> could make parsing out filenames in this text file... fun. How would your
>>> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
>>> readlink(2) API makes that easy already.
>> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
> I really should have read through that function before commenting,
> thanks for teaching me something new :)
>
> Stephen
>
>> then user space might parse this line like:
>>
>> if (strncmp(line, "path:\t", 6) == 0)
>>          char* path = line + 6;
>>
>>
>> Thanks,
>> Kalesh
>>
>>> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
>>> to a different path between reading fdinfo and stating the fd)?
>>>
>>> Stephen
>>>
>>>> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
>>>> ---
>>>>
>>>> Changes from rfc:
>>>>    - Split adding 'size' and 'path' into a separate patches, per Christian
>>>>    - Fix indentation (use tabs) in documentaion, per Randy
>>>>
>>>>   Documentation/filesystems/proc.rst | 14 ++++++++++++--
>>>>   fs/proc/fd.c                       |  4 ++++
>>>>   2 files changed, 16 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
>>>> index 779c05528e87..591f12d30d97 100644
>>>> --- a/Documentation/filesystems/proc.rst
>>>> +++ b/Documentation/filesystems/proc.rst
>>>> @@ -1886,14 +1886,16 @@ if precise results are needed.
>>>>   3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
>>>>   ---------------------------------------------------------------
>>>>   This file provides information associated with an opened file. The regular
>>>> -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
>>>> +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
>>>> +and 'path'.
>>>>
>>>>   The 'pos' represents the current offset of the opened file in decimal
>>>>   form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
>>>>   file has been created with [see open(2) for details] and 'mnt_id' represents
>>>>   mount ID of the file system containing the opened file [see 3.5
>>>>   /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
>>>> -the file, and 'size' represents the size of the file in bytes.
>>>> +the file, 'size' represents the size of the file in bytes, and 'path'
>>>> +represents the file path.
>>>>
>>>>   A typical output is::
>>>>
>>>> @@ -1902,6 +1904,7 @@ A typical output is::
>>>>        mnt_id: 19
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   /dev/null
>>>>
>>>>   All locks associated with a file descriptor are shown in its fdinfo too::
>>>>
>>>> @@ -1920,6 +1923,7 @@ Eventfd files
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:[eventfd]
>>>>        eventfd-count:  5a
>>>>
>>>>   where 'eventfd-count' is hex value of a counter.
>>>> @@ -1934,6 +1938,7 @@ Signalfd files
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:[signalfd]
>>>>        sigmask:        0000000000000200
>>>>
>>>>   where 'sigmask' is hex value of the signal mask associated
>>>> @@ -1949,6 +1954,7 @@ Epoll files
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:[eventpoll]
>>>>        tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
>>>>
>>>>   where 'tfd' is a target file descriptor number in decimal form,
>>>> @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:inotify
>>>>        inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
>>>>
>>>>   where 'wd' is a watch descriptor in decimal form, i.e. a target file
>>>> @@ -1992,6 +1999,7 @@ For fanotify files the format is::
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:[fanotify]
>>>>        fanotify flags:10 event-flags:0
>>>>        fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
>>>>        fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
>>>> @@ -2018,6 +2026,7 @@ Timerfd files
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   0
>>>> +     path:   anon_inode:[timerfd]
>>>>        clockid: 0
>>>>        ticks: 0
>>>>        settime flags: 01
>>>> @@ -2042,6 +2051,7 @@ DMA Buffer files
>>>>        mnt_id: 9
>>>>        ino:    63107
>>>>        size:   32768
>>>> +     path:   /dmabuf:
>>>>        count:  2
>>>>        exp_name:  system-heap
>>>>
>>>> diff --git a/fs/proc/fd.c b/fs/proc/fd.c
>>>> index 464bc3f55759..8889a8ba09d4 100644
>>>> --- a/fs/proc/fd.c
>>>> +++ b/fs/proc/fd.c
>>>> @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
>>>>        seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
>>>>        seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
>>>>
>>>> +     seq_puts(m, "path:\t");
>>>> +     seq_file_path(m, file, "\n");
>>>> +     seq_putc(m, '\n');
>>>> +
>>>>        /* show_fd_locks() never deferences files so a stale value is safe */
>>>>        show_fd_locks(m, file, files);
>>>>        if (seq_has_overflowed(m))
>>> --
>>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>>>
> _______________________________________________
> Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org
David Laight June 1, 2022, 3:40 p.m. UTC | #5
From: Kalesh Singh
> Sent: 31 May 2022 23:30
...
> > File paths can contain fun characters like newlines or colons, which
> > could make parsing out filenames in this text file... fun. How would your
> > userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
> > readlink(2) API makes that easy already.
> 
> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
> then user space might parse this line like:
> 
> if (strncmp(line, "path:\t", 6) == 0)
>         char* path = line + 6;

The real annoyance is other things doing scans of the filesystem
that accidentally 'bump into' strange names.

While anything serious probably gets it right how many times
Do you run 'find' to quickly search for something?

Spaces in filenames (popularised by some other os) are a PITA.
Not to mention leading and trailing spaces!
Anyone using filenames that only contain spaces does need shooting.

Deliberately adding non-printables isn't really a good idea.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Kalesh Singh June 2, 2022, 3:31 a.m. UTC | #6
On Wed, Jun 1, 2022 at 8:02 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 01.06.22 um 00:48 schrieb Stephen Brennan:
> > Kalesh Singh <kaleshsingh@google.com> writes:
> >> On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
> >> <stephen.s.brennan@oracle.com> wrote:
> >>> On 5/31/22 14:25, Kalesh Singh wrote:
> >>>> In order to identify the type of memory a process has pinned through
> >>>> its open fds, add the file path to fdinfo output. This allows
> >>>> identifying memory types based on common prefixes. e.g. "/memfd...",
> >>>> "/dmabuf...", "/dev/ashmem...".
> >>>>
> >>>> Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
> >>>> the same as /proc/<pid>/maps which also exposes the file path of
> >>>> mappings; so the security permissions for accessing path is consistent
> >>>> with that of /proc/<pid>/maps.
> >>> Hi Kalesh,
> >> Hi Stephen,
> >>
> >> Thanks for taking a look.
> >>
> >>> I think I see the value in the size field, but I'm curious about path,
> >>> which is available via readlink /proc/<pid>/fd/<n>, since those are
> >>> symlinks to the file themselves.
> >> This could work if we are root, but the file permissions wouldn't
> >> allow us to do the readlink on other processes otherwise. We want to
> >> be able to capture the system state in production environments from
> >> some trusted process with ptrace read capability.
> > Interesting, thanks for explaining. It seems weird to have a duplicate
> > interface for the same information but such is life.
>
> Yeah, the size change is really straight forward but for this one I'm
> not 100% sure either.

The 2 concerns I think are:
  1. Fun characters in the path names
  2. If exposing the path is appropriate to begin with.

One way I think we can address both is to only expose the path for
anon inodes. Then we have well-known path formats and we don't expose
much about which files a process is accessing since these aren't real
paths.

+       if (is_anon_inode(inode)) {
+               seq_puts(m, "path:\t");
+               seq_file_path(m, file, "\n");
+               seq_putc(m, '\n');
+       }

Interested to hear thoughts on it.

>
> Probably best to ping some core fs developer before going further with it.

linux-fsdevel is cc'd here. Adding Al Vrio as well. Please let me know
if there are other parties I should include.

>
> BTW: Any preferred branch to push this upstream? If not I can take it
> through drm-misc-next.

No other dependencies for this, so drm-misc-next is good.

Thanks,
Kalesh

>
> Regards,
> Christian.
>
> >
> >>> File paths can contain fun characters like newlines or colons, which
> >>> could make parsing out filenames in this text file... fun. How would your
> >>> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
> >>> readlink(2) API makes that easy already.
> >> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
> > I really should have read through that function before commenting,
> > thanks for teaching me something new :)
> >
> > Stephen
> >
> >> then user space might parse this line like:
> >>
> >> if (strncmp(line, "path:\t", 6) == 0)
> >>          char* path = line + 6;
> >>
> >>
> >> Thanks,
> >> Kalesh
> >>
> >>> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
> >>> to a different path between reading fdinfo and stating the fd)?
> >>>
> >>> Stephen
> >>>
> >>>> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
> >>>> ---
> >>>>
> >>>> Changes from rfc:
> >>>>    - Split adding 'size' and 'path' into a separate patches, per Christian
> >>>>    - Fix indentation (use tabs) in documentaion, per Randy
> >>>>
> >>>>   Documentation/filesystems/proc.rst | 14 ++++++++++++--
> >>>>   fs/proc/fd.c                       |  4 ++++
> >>>>   2 files changed, 16 insertions(+), 2 deletions(-)
> >>>>
> >>>> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> >>>> index 779c05528e87..591f12d30d97 100644
> >>>> --- a/Documentation/filesystems/proc.rst
> >>>> +++ b/Documentation/filesystems/proc.rst
> >>>> @@ -1886,14 +1886,16 @@ if precise results are needed.
> >>>>   3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
> >>>>   ---------------------------------------------------------------
> >>>>   This file provides information associated with an opened file. The regular
> >>>> -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
> >>>> +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
> >>>> +and 'path'.
> >>>>
> >>>>   The 'pos' represents the current offset of the opened file in decimal
> >>>>   form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
> >>>>   file has been created with [see open(2) for details] and 'mnt_id' represents
> >>>>   mount ID of the file system containing the opened file [see 3.5
> >>>>   /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
> >>>> -the file, and 'size' represents the size of the file in bytes.
> >>>> +the file, 'size' represents the size of the file in bytes, and 'path'
> >>>> +represents the file path.
> >>>>
> >>>>   A typical output is::
> >>>>
> >>>> @@ -1902,6 +1904,7 @@ A typical output is::
> >>>>        mnt_id: 19
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   /dev/null
> >>>>
> >>>>   All locks associated with a file descriptor are shown in its fdinfo too::
> >>>>
> >>>> @@ -1920,6 +1923,7 @@ Eventfd files
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:[eventfd]
> >>>>        eventfd-count:  5a
> >>>>
> >>>>   where 'eventfd-count' is hex value of a counter.
> >>>> @@ -1934,6 +1938,7 @@ Signalfd files
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:[signalfd]
> >>>>        sigmask:        0000000000000200
> >>>>
> >>>>   where 'sigmask' is hex value of the signal mask associated
> >>>> @@ -1949,6 +1954,7 @@ Epoll files
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:[eventpoll]
> >>>>        tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
> >>>>
> >>>>   where 'tfd' is a target file descriptor number in decimal form,
> >>>> @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:inotify
> >>>>        inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
> >>>>
> >>>>   where 'wd' is a watch descriptor in decimal form, i.e. a target file
> >>>> @@ -1992,6 +1999,7 @@ For fanotify files the format is::
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:[fanotify]
> >>>>        fanotify flags:10 event-flags:0
> >>>>        fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
> >>>>        fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
> >>>> @@ -2018,6 +2026,7 @@ Timerfd files
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   0
> >>>> +     path:   anon_inode:[timerfd]
> >>>>        clockid: 0
> >>>>        ticks: 0
> >>>>        settime flags: 01
> >>>> @@ -2042,6 +2051,7 @@ DMA Buffer files
> >>>>        mnt_id: 9
> >>>>        ino:    63107
> >>>>        size:   32768
> >>>> +     path:   /dmabuf:
> >>>>        count:  2
> >>>>        exp_name:  system-heap
> >>>>
> >>>> diff --git a/fs/proc/fd.c b/fs/proc/fd.c
> >>>> index 464bc3f55759..8889a8ba09d4 100644
> >>>> --- a/fs/proc/fd.c
> >>>> +++ b/fs/proc/fd.c
> >>>> @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
> >>>>        seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
> >>>>        seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
> >>>>
> >>>> +     seq_puts(m, "path:\t");
> >>>> +     seq_file_path(m, file, "\n");
> >>>> +     seq_putc(m, '\n');
> >>>> +
> >>>>        /* show_fd_locks() never deferences files so a stale value is safe */
> >>>>        show_fd_locks(m, file, files);
> >>>>        if (seq_has_overflowed(m))
> >>> --
> >>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
> >>>
> > _______________________________________________
> > Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> > To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org
>
Kalesh Singh June 15, 2022, 5 p.m. UTC | #7
On Wed, Jun 1, 2022 at 8:31 PM Kalesh Singh <kaleshsingh@google.com> wrote:
>
> On Wed, Jun 1, 2022 at 8:02 AM Christian König
> <ckoenig.leichtzumerken@gmail.com> wrote:
> >
> > Am 01.06.22 um 00:48 schrieb Stephen Brennan:
> > > Kalesh Singh <kaleshsingh@google.com> writes:
> > >> On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
> > >> <stephen.s.brennan@oracle.com> wrote:
> > >>> On 5/31/22 14:25, Kalesh Singh wrote:
> > >>>> In order to identify the type of memory a process has pinned through
> > >>>> its open fds, add the file path to fdinfo output. This allows
> > >>>> identifying memory types based on common prefixes. e.g. "/memfd...",
> > >>>> "/dmabuf...", "/dev/ashmem...".
> > >>>>
> > >>>> Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
> > >>>> the same as /proc/<pid>/maps which also exposes the file path of
> > >>>> mappings; so the security permissions for accessing path is consistent
> > >>>> with that of /proc/<pid>/maps.
> > >>> Hi Kalesh,
> > >> Hi Stephen,
> > >>
> > >> Thanks for taking a look.
> > >>
> > >>> I think I see the value in the size field, but I'm curious about path,
> > >>> which is available via readlink /proc/<pid>/fd/<n>, since those are
> > >>> symlinks to the file themselves.
> > >> This could work if we are root, but the file permissions wouldn't
> > >> allow us to do the readlink on other processes otherwise. We want to
> > >> be able to capture the system state in production environments from
> > >> some trusted process with ptrace read capability.
> > > Interesting, thanks for explaining. It seems weird to have a duplicate
> > > interface for the same information but such is life.
> >
> > Yeah, the size change is really straight forward but for this one I'm
> > not 100% sure either.
>
> The 2 concerns I think are:
>   1. Fun characters in the path names
>   2. If exposing the path is appropriate to begin with.
>
> One way I think we can address both is to only expose the path for
> anon inodes. Then we have well-known path formats and we don't expose
> much about which files a process is accessing since these aren't real
> paths.
>
> +       if (is_anon_inode(inode)) {
> +               seq_puts(m, "path:\t");
> +               seq_file_path(m, file, "\n");
> +               seq_putc(m, '\n');
> +       }
>
> Interested to hear thoughts on it.

Adding Christoph,

To be able to identify types of shared memory processes pin through
FDs in production builds, we would like to add a 'path' field to
fdinfo of anon inodes. We could then use the common prefixes
("/dmabuf", "/memfd", ...) to identify different types.

Would appreciate any feedback from the FS perspective.

Thanks,
Kalesh

>
> >
> > Probably best to ping some core fs developer before going further with it.
>
> linux-fsdevel is cc'd here. Adding Al Vrio as well. Please let me know
> if there are other parties I should include.
>
> >
> > BTW: Any preferred branch to push this upstream? If not I can take it
> > through drm-misc-next.
>
> No other dependencies for this, so drm-misc-next is good.
>
> Thanks,
> Kalesh
>
> >
> > Regards,
> > Christian.
> >
> > >
> > >>> File paths can contain fun characters like newlines or colons, which
> > >>> could make parsing out filenames in this text file... fun. How would your
> > >>> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
> > >>> readlink(2) API makes that easy already.
> > >> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
> > > I really should have read through that function before commenting,
> > > thanks for teaching me something new :)
> > >
> > > Stephen
> > >
> > >> then user space might parse this line like:
> > >>
> > >> if (strncmp(line, "path:\t", 6) == 0)
> > >>          char* path = line + 6;
> > >>
> > >>
> > >> Thanks,
> > >> Kalesh
> > >>
> > >>> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
> > >>> to a different path between reading fdinfo and stating the fd)?
> > >>>
> > >>> Stephen
> > >>>
> > >>>> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
> > >>>> ---
> > >>>>
> > >>>> Changes from rfc:
> > >>>>    - Split adding 'size' and 'path' into a separate patches, per Christian
> > >>>>    - Fix indentation (use tabs) in documentaion, per Randy
> > >>>>
> > >>>>   Documentation/filesystems/proc.rst | 14 ++++++++++++--
> > >>>>   fs/proc/fd.c                       |  4 ++++
> > >>>>   2 files changed, 16 insertions(+), 2 deletions(-)
> > >>>>
> > >>>> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> > >>>> index 779c05528e87..591f12d30d97 100644
> > >>>> --- a/Documentation/filesystems/proc.rst
> > >>>> +++ b/Documentation/filesystems/proc.rst
> > >>>> @@ -1886,14 +1886,16 @@ if precise results are needed.
> > >>>>   3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
> > >>>>   ---------------------------------------------------------------
> > >>>>   This file provides information associated with an opened file. The regular
> > >>>> -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
> > >>>> +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
> > >>>> +and 'path'.
> > >>>>
> > >>>>   The 'pos' represents the current offset of the opened file in decimal
> > >>>>   form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
> > >>>>   file has been created with [see open(2) for details] and 'mnt_id' represents
> > >>>>   mount ID of the file system containing the opened file [see 3.5
> > >>>>   /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
> > >>>> -the file, and 'size' represents the size of the file in bytes.
> > >>>> +the file, 'size' represents the size of the file in bytes, and 'path'
> > >>>> +represents the file path.
> > >>>>
> > >>>>   A typical output is::
> > >>>>
> > >>>> @@ -1902,6 +1904,7 @@ A typical output is::
> > >>>>        mnt_id: 19
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   /dev/null
> > >>>>
> > >>>>   All locks associated with a file descriptor are shown in its fdinfo too::
> > >>>>
> > >>>> @@ -1920,6 +1923,7 @@ Eventfd files
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:[eventfd]
> > >>>>        eventfd-count:  5a
> > >>>>
> > >>>>   where 'eventfd-count' is hex value of a counter.
> > >>>> @@ -1934,6 +1938,7 @@ Signalfd files
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:[signalfd]
> > >>>>        sigmask:        0000000000000200
> > >>>>
> > >>>>   where 'sigmask' is hex value of the signal mask associated
> > >>>> @@ -1949,6 +1954,7 @@ Epoll files
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:[eventpoll]
> > >>>>        tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
> > >>>>
> > >>>>   where 'tfd' is a target file descriptor number in decimal form,
> > >>>> @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:inotify
> > >>>>        inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
> > >>>>
> > >>>>   where 'wd' is a watch descriptor in decimal form, i.e. a target file
> > >>>> @@ -1992,6 +1999,7 @@ For fanotify files the format is::
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:[fanotify]
> > >>>>        fanotify flags:10 event-flags:0
> > >>>>        fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
> > >>>>        fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
> > >>>> @@ -2018,6 +2026,7 @@ Timerfd files
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   0
> > >>>> +     path:   anon_inode:[timerfd]
> > >>>>        clockid: 0
> > >>>>        ticks: 0
> > >>>>        settime flags: 01
> > >>>> @@ -2042,6 +2051,7 @@ DMA Buffer files
> > >>>>        mnt_id: 9
> > >>>>        ino:    63107
> > >>>>        size:   32768
> > >>>> +     path:   /dmabuf:
> > >>>>        count:  2
> > >>>>        exp_name:  system-heap
> > >>>>
> > >>>> diff --git a/fs/proc/fd.c b/fs/proc/fd.c
> > >>>> index 464bc3f55759..8889a8ba09d4 100644
> > >>>> --- a/fs/proc/fd.c
> > >>>> +++ b/fs/proc/fd.c
> > >>>> @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
> > >>>>        seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
> > >>>>        seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
> > >>>>
> > >>>> +     seq_puts(m, "path:\t");
> > >>>> +     seq_file_path(m, file, "\n");
> > >>>> +     seq_putc(m, '\n');
> > >>>> +
> > >>>>        /* show_fd_locks() never deferences files so a stale value is safe */
> > >>>>        show_fd_locks(m, file, files);
> > >>>>        if (seq_has_overflowed(m))
> > >>> --
> > >>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
> > >>>
> > > _______________________________________________
> > > Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> > > To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org
> >
Kalesh Singh June 21, 2022, 4:45 p.m. UTC | #8
On Wed, Jun 15, 2022 at 10:00 AM Kalesh Singh <kaleshsingh@google.com> wrote:
>
> On Wed, Jun 1, 2022 at 8:31 PM Kalesh Singh <kaleshsingh@google.com> wrote:
> >
> > On Wed, Jun 1, 2022 at 8:02 AM Christian König
> > <ckoenig.leichtzumerken@gmail.com> wrote:
> > >
> > > Am 01.06.22 um 00:48 schrieb Stephen Brennan:
> > > > Kalesh Singh <kaleshsingh@google.com> writes:
> > > >> On Tue, May 31, 2022 at 3:07 PM Stephen Brennan
> > > >> <stephen.s.brennan@oracle.com> wrote:
> > > >>> On 5/31/22 14:25, Kalesh Singh wrote:
> > > >>>> In order to identify the type of memory a process has pinned through
> > > >>>> its open fds, add the file path to fdinfo output. This allows
> > > >>>> identifying memory types based on common prefixes. e.g. "/memfd...",
> > > >>>> "/dmabuf...", "/dev/ashmem...".
> > > >>>>
> > > >>>> Access to /proc/<pid>/fdinfo is governed by PTRACE_MODE_READ_FSCREDS
> > > >>>> the same as /proc/<pid>/maps which also exposes the file path of
> > > >>>> mappings; so the security permissions for accessing path is consistent
> > > >>>> with that of /proc/<pid>/maps.
> > > >>> Hi Kalesh,
> > > >> Hi Stephen,
> > > >>
> > > >> Thanks for taking a look.
> > > >>
> > > >>> I think I see the value in the size field, but I'm curious about path,
> > > >>> which is available via readlink /proc/<pid>/fd/<n>, since those are
> > > >>> symlinks to the file themselves.
> > > >> This could work if we are root, but the file permissions wouldn't
> > > >> allow us to do the readlink on other processes otherwise. We want to
> > > >> be able to capture the system state in production environments from
> > > >> some trusted process with ptrace read capability.
> > > > Interesting, thanks for explaining. It seems weird to have a duplicate
> > > > interface for the same information but such is life.
> > >
> > > Yeah, the size change is really straight forward but for this one I'm
> > > not 100% sure either.
> >
> > The 2 concerns I think are:
> >   1. Fun characters in the path names
> >   2. If exposing the path is appropriate to begin with.
> >
> > One way I think we can address both is to only expose the path for
> > anon inodes. Then we have well-known path formats and we don't expose
> > much about which files a process is accessing since these aren't real
> > paths.
> >
> > +       if (is_anon_inode(inode)) {
> > +               seq_puts(m, "path:\t");
> > +               seq_file_path(m, file, "\n");
> > +               seq_putc(m, '\n');
> > +       }
> >
> > Interested to hear thoughts on it.
>
> Adding Christoph,
>
> To be able to identify types of shared memory processes pin through
> FDs in production builds, we would like to add a 'path' field to
> fdinfo of anon inodes. We could then use the common prefixes
> ("/dmabuf", "/memfd", ...) to identify different types.
>
> Would appreciate any feedback from the FS perspective.

Hi all,

If there are no objections to this, then I plan to respin the patch
for just anonymous inodes. Please let me know if there are further
concerns.

Thanks,
Kalesh

>
> Thanks,
> Kalesh
>
> >
> > >
> > > Probably best to ping some core fs developer before going further with it.
> >
> > linux-fsdevel is cc'd here. Adding Al Vrio as well. Please let me know
> > if there are other parties I should include.
> >
> > >
> > > BTW: Any preferred branch to push this upstream? If not I can take it
> > > through drm-misc-next.
> >
> > No other dependencies for this, so drm-misc-next is good.
> >
> > Thanks,
> > Kalesh
> >
> > >
> > > Regards,
> > > Christian.
> > >
> > > >
> > > >>> File paths can contain fun characters like newlines or colons, which
> > > >>> could make parsing out filenames in this text file... fun. How would your
> > > >>> userspace parsing logic handle "/home/stephen/filename\nsize:\t4096"? The
> > > >>> readlink(2) API makes that easy already.
> > > >> I think since we have escaped the "\n" (seq_file_path(m, file, "\n")),
> > > > I really should have read through that function before commenting,
> > > > thanks for teaching me something new :)
> > > >
> > > > Stephen
> > > >
> > > >> then user space might parse this line like:
> > > >>
> > > >> if (strncmp(line, "path:\t", 6) == 0)
> > > >>          char* path = line + 6;
> > > >>
> > > >>
> > > >> Thanks,
> > > >> Kalesh
> > > >>
> > > >>> Is the goal avoiding races (e.g. file descriptor 3 is closed and reopened
> > > >>> to a different path between reading fdinfo and stating the fd)?
> > > >>>
> > > >>> Stephen
> > > >>>
> > > >>>> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
> > > >>>> ---
> > > >>>>
> > > >>>> Changes from rfc:
> > > >>>>    - Split adding 'size' and 'path' into a separate patches, per Christian
> > > >>>>    - Fix indentation (use tabs) in documentaion, per Randy
> > > >>>>
> > > >>>>   Documentation/filesystems/proc.rst | 14 ++++++++++++--
> > > >>>>   fs/proc/fd.c                       |  4 ++++
> > > >>>>   2 files changed, 16 insertions(+), 2 deletions(-)
> > > >>>>
> > > >>>> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
> > > >>>> index 779c05528e87..591f12d30d97 100644
> > > >>>> --- a/Documentation/filesystems/proc.rst
> > > >>>> +++ b/Documentation/filesystems/proc.rst
> > > >>>> @@ -1886,14 +1886,16 @@ if precise results are needed.
> > > >>>>   3.8  /proc/<pid>/fdinfo/<fd> - Information about opened file
> > > >>>>   ---------------------------------------------------------------
> > > >>>>   This file provides information associated with an opened file. The regular
> > > >>>> -files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
> > > >>>> +files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
> > > >>>> +and 'path'.
> > > >>>>
> > > >>>>   The 'pos' represents the current offset of the opened file in decimal
> > > >>>>   form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
> > > >>>>   file has been created with [see open(2) for details] and 'mnt_id' represents
> > > >>>>   mount ID of the file system containing the opened file [see 3.5
> > > >>>>   /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
> > > >>>> -the file, and 'size' represents the size of the file in bytes.
> > > >>>> +the file, 'size' represents the size of the file in bytes, and 'path'
> > > >>>> +represents the file path.
> > > >>>>
> > > >>>>   A typical output is::
> > > >>>>
> > > >>>> @@ -1902,6 +1904,7 @@ A typical output is::
> > > >>>>        mnt_id: 19
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   /dev/null
> > > >>>>
> > > >>>>   All locks associated with a file descriptor are shown in its fdinfo too::
> > > >>>>
> > > >>>> @@ -1920,6 +1923,7 @@ Eventfd files
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:[eventfd]
> > > >>>>        eventfd-count:  5a
> > > >>>>
> > > >>>>   where 'eventfd-count' is hex value of a counter.
> > > >>>> @@ -1934,6 +1938,7 @@ Signalfd files
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:[signalfd]
> > > >>>>        sigmask:        0000000000000200
> > > >>>>
> > > >>>>   where 'sigmask' is hex value of the signal mask associated
> > > >>>> @@ -1949,6 +1954,7 @@ Epoll files
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:[eventpoll]
> > > >>>>        tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
> > > >>>>
> > > >>>>   where 'tfd' is a target file descriptor number in decimal form,
> > > >>>> @@ -1968,6 +1974,7 @@ For inotify files the format is the following::
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:inotify
> > > >>>>        inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
> > > >>>>
> > > >>>>   where 'wd' is a watch descriptor in decimal form, i.e. a target file
> > > >>>> @@ -1992,6 +1999,7 @@ For fanotify files the format is::
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:[fanotify]
> > > >>>>        fanotify flags:10 event-flags:0
> > > >>>>        fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
> > > >>>>        fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
> > > >>>> @@ -2018,6 +2026,7 @@ Timerfd files
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   0
> > > >>>> +     path:   anon_inode:[timerfd]
> > > >>>>        clockid: 0
> > > >>>>        ticks: 0
> > > >>>>        settime flags: 01
> > > >>>> @@ -2042,6 +2051,7 @@ DMA Buffer files
> > > >>>>        mnt_id: 9
> > > >>>>        ino:    63107
> > > >>>>        size:   32768
> > > >>>> +     path:   /dmabuf:
> > > >>>>        count:  2
> > > >>>>        exp_name:  system-heap
> > > >>>>
> > > >>>> diff --git a/fs/proc/fd.c b/fs/proc/fd.c
> > > >>>> index 464bc3f55759..8889a8ba09d4 100644
> > > >>>> --- a/fs/proc/fd.c
> > > >>>> +++ b/fs/proc/fd.c
> > > >>>> @@ -60,6 +60,10 @@ static int seq_show(struct seq_file *m, void *v)
> > > >>>>        seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
> > > >>>>        seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
> > > >>>>
> > > >>>> +     seq_puts(m, "path:\t");
> > > >>>> +     seq_file_path(m, file, "\n");
> > > >>>> +     seq_putc(m, '\n');
> > > >>>> +
> > > >>>>        /* show_fd_locks() never deferences files so a stale value is safe */
> > > >>>>        show_fd_locks(m, file, files);
> > > >>>>        if (seq_has_overflowed(m))
> > > >>> --
> > > >>> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
> > > >>>
> > > > _______________________________________________
> > > > Linaro-mm-sig mailing list -- linaro-mm-sig@lists.linaro.org
> > > > To unsubscribe send an email to linaro-mm-sig-leave@lists.linaro.org
> > >
diff mbox series

Patch

diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
index 779c05528e87..591f12d30d97 100644
--- a/Documentation/filesystems/proc.rst
+++ b/Documentation/filesystems/proc.rst
@@ -1886,14 +1886,16 @@  if precise results are needed.
 3.8	/proc/<pid>/fdinfo/<fd> - Information about opened file
 ---------------------------------------------------------------
 This file provides information associated with an opened file. The regular
-files have at least five fields -- 'pos', 'flags', 'mnt_id', 'ino', and 'size'.
+files have at least six fields -- 'pos', 'flags', 'mnt_id', 'ino', 'size',
+and 'path'.
 
 The 'pos' represents the current offset of the opened file in decimal
 form [see lseek(2) for details], 'flags' denotes the octal O_xxx mask the
 file has been created with [see open(2) for details] and 'mnt_id' represents
 mount ID of the file system containing the opened file [see 3.5
 /proc/<pid>/mountinfo for details]. 'ino' represents the inode number of
-the file, and 'size' represents the size of the file in bytes.
+the file, 'size' represents the size of the file in bytes, and 'path'
+represents the file path.
 
 A typical output is::
 
@@ -1902,6 +1904,7 @@  A typical output is::
 	mnt_id:	19
 	ino:	63107
 	size:	0
+	path:	/dev/null
 
 All locks associated with a file descriptor are shown in its fdinfo too::
 
@@ -1920,6 +1923,7 @@  Eventfd files
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:[eventfd]
 	eventfd-count:	5a
 
 where 'eventfd-count' is hex value of a counter.
@@ -1934,6 +1938,7 @@  Signalfd files
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:[signalfd]
 	sigmask:	0000000000000200
 
 where 'sigmask' is hex value of the signal mask associated
@@ -1949,6 +1954,7 @@  Epoll files
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:[eventpoll]
 	tfd:        5 events:       1d data: ffffffffffffffff pos:0 ino:61af sdev:7
 
 where 'tfd' is a target file descriptor number in decimal form,
@@ -1968,6 +1974,7 @@  For inotify files the format is the following::
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:inotify
 	inotify wd:3 ino:9e7e sdev:800013 mask:800afce ignored_mask:0 fhandle-bytes:8 fhandle-type:1 f_handle:7e9e0000640d1b6d
 
 where 'wd' is a watch descriptor in decimal form, i.e. a target file
@@ -1992,6 +1999,7 @@  For fanotify files the format is::
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:[fanotify]
 	fanotify flags:10 event-flags:0
 	fanotify mnt_id:12 mflags:40 mask:38 ignored_mask:40000003
 	fanotify ino:4f969 sdev:800013 mflags:0 mask:3b ignored_mask:40000000 fhandle-bytes:8 fhandle-type:1 f_handle:69f90400c275b5b4
@@ -2018,6 +2026,7 @@  Timerfd files
 	mnt_id:	9
 	ino:	63107
 	size:   0
+	path:	anon_inode:[timerfd]
 	clockid: 0
 	ticks: 0
 	settime flags: 01
@@ -2042,6 +2051,7 @@  DMA Buffer files
 	mnt_id:	9
 	ino:	63107
 	size:   32768
+	path:	/dmabuf:
 	count:  2
 	exp_name:  system-heap
 
diff --git a/fs/proc/fd.c b/fs/proc/fd.c
index 464bc3f55759..8889a8ba09d4 100644
--- a/fs/proc/fd.c
+++ b/fs/proc/fd.c
@@ -60,6 +60,10 @@  static int seq_show(struct seq_file *m, void *v)
 	seq_printf(m, "ino:\t%lu\n", file_inode(file)->i_ino);
 	seq_printf(m, "size:\t%lli\n", (long long)file_inode(file)->i_size);
 
+	seq_puts(m, "path:\t");
+	seq_file_path(m, file, "\n");
+	seq_putc(m, '\n');
+
 	/* show_fd_locks() never deferences files so a stale value is safe */
 	show_fd_locks(m, file, files);
 	if (seq_has_overflowed(m))