From patchwork Tue Oct 8 15:21:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13826632 Received: from mail-ej1-f48.google.com (mail-ej1-f48.google.com [209.85.218.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6C9B1E00B9; Tue, 8 Oct 2024 15:21:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400887; cv=none; b=O+Q0IKRxKmYhhavJty1GlVTqjkNKgYCNIEUCYxfK0BnLyIiiWIBkyv9nPyLD8edmGNzdxvzB0Kxhs7YkSDukxO+xwm5tS64DHtFaA+5Grcp6iEXulekyxo096Vy0yC4OuedVCB+lby+RTnhu9slR5JJ+rXIOM/k8q5cG1/ha5aw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400887; c=relaxed/simple; bh=+ZX3b6fCY2knnP8sQBd0OIDg/nPCYylQ+5J2FVHaZVc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=MXvRAHp8L/6qwh38WDmST0pU6bfDhBWY1bHmC4cLbdM0vWFyv4Y0sO7WclKhfb9LnJKv0jNarlT/AZ/tmudLsLz0J7o3cmS7OrJhWRFnrPsox5LlynGJ7cAdBwnqq8VkVI8/BTNoRVGVkE+UGI7+lmlNxPqcG3Ei0g6wZlUpQIs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Lghjypnd; arc=none smtp.client-ip=209.85.218.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Lghjypnd" Received: by mail-ej1-f48.google.com with SMTP id a640c23a62f3a-a994cd82a3bso379656166b.2; Tue, 08 Oct 2024 08:21:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728400884; x=1729005684; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=grQc67CzF7uq3AE31l5+7PT63mf7qm7fLdVHTGt7Pys=; b=LghjypndZSiIGUp1aL/k0lulrPZIbtQc6xEkDp67ZdmSB2gJUzTf4QZ9MVkKlcBTM/ pA9+8ipfjFNp/eGcNI1kvKdzHbQV5rjZo6HBh9vyNnulJ4lKYH6ErMKMKQfDIjMUZV5a 1f0n53PtdX2qXbkSh36OF7T0QL879OqG5szL5Lgf4Yag9URKtvWAy0U2tK2l1mLDrMKN yWqm9SqzYv3VO0PVFdZHLEIrRl2E7XSoue/8iDZmsPHxsalhVyVt5foSjN28vd7ytLrJ eBUyPHsj4GQeC9OX0j06ttFQKqX4VFzg4gTHE81scoULos0kzY62xP02dmGJMmRWMeup bt3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728400884; x=1729005684; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=grQc67CzF7uq3AE31l5+7PT63mf7qm7fLdVHTGt7Pys=; b=f3juUCFXqNTisxhX/Z6ghMAmlI+FGKh5iW5X5AYj2oIiEPrNNYueqYUf6OZAOADUA9 77iqiKQ0OP8znqkoR7qTkah5/YgyuglWq5y5u6iskFxVc0Uq+oTO9sIjEs+1+aj7j8Bz 26z8sFEjvHVF64oyZGZXTeUTo7qNVsDVnb/KJ6UGlDp9eQc9KRoH8QvfUKVttNg9D14+ HUYtKho3o0OaWAx90inDHiJkAoh4oHB7ps1e7WNtJGSCEFuAGeD1ALNHO7BDmpdq0cZk ofYqFfYYfQs+aWG1284SipFGrJCX6qj3and2c356FUixXXQHNJ1RaO2p67kSex+oHuTm QOQg== X-Forwarded-Encrypted: i=1; AJvYcCWN94pc66+W6KfFlR34W/ItPbajBLL/f4j8Ao/yfrBwlcINzOPUmLNOnEDmHKQ0OXJfs1nSkxiIkysaBiLN@vger.kernel.org, AJvYcCXeBimG9P6mPgF1x+USDtFz4OFhRdEpMKj7G+vQ4KF2uagzRBcKFQKzOMeMsGcqedWZjsga+uOF6Iv4@vger.kernel.org X-Gm-Message-State: AOJu0YyBO02BgSyQIo3oF1L6aBwjNzuTqJxG5SCwb5XmXBgVKNl75Dya svLmunUG169qHhQuoK5qaUu5bvQBIIPxR0yonPCSfjsB4W77fRw3 X-Google-Smtp-Source: AGHT+IFrMFei7vlVnSpHXwkbxz941y+0jDVcyeIXKAJX1eby0p30pjVJDpQMf25yGfOMw3hic+pBrw== X-Received: by 2002:a17:907:7216:b0:a99:4113:e645 with SMTP id a640c23a62f3a-a994113e677mr989121266b.55.1728400883355; Tue, 08 Oct 2024 08:21:23 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99384f8258sm487910466b.16.2024.10.08.08.21.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Oct 2024 08:21:22 -0700 (PDT) From: Amir Goldstein To: Jeff Layton Cc: Christian Brauner , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v3 1/3] fs: prepare for "explicit connectable" file handles Date: Tue, 8 Oct 2024 17:21:16 +0200 Message-Id: <20241008152118.453724-2-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241008152118.453724-1-amir73il@gmail.com> References: <20241008152118.453724-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 We would like to use the high 16bit of the handle_type field to encode file handle traits, such as "connectable". In preparation for this change, make sure that filesystems do not return a handle_type value with upper bits set and that the open_by_handle_at(2) syscall rejects these handle types. Signed-off-by: Amir Goldstein --- fs/exportfs/expfs.c | 14 ++++++++++++-- fs/fhandle.c | 6 ++++++ include/linux/exportfs.h | 14 ++++++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c index 4f2dd4ab4486..c8eb660fdde4 100644 --- a/fs/exportfs/expfs.c +++ b/fs/exportfs/expfs.c @@ -382,14 +382,21 @@ int exportfs_encode_inode_fh(struct inode *inode, struct fid *fid, int *max_len, struct inode *parent, int flags) { const struct export_operations *nop = inode->i_sb->s_export_op; + enum fid_type type; if (!exportfs_can_encode_fh(nop, flags)) return -EOPNOTSUPP; if (!nop && (flags & EXPORT_FH_FID)) - return exportfs_encode_ino64_fid(inode, fid, max_len); + type = exportfs_encode_ino64_fid(inode, fid, max_len); + else + type = nop->encode_fh(inode, fid->raw, max_len, parent); + + if (WARN_ON_ONCE(FILEID_USER_FLAGS(type))) + return -EINVAL; + + return type; - return nop->encode_fh(inode, fid->raw, max_len, parent); } EXPORT_SYMBOL_GPL(exportfs_encode_inode_fh); @@ -436,6 +443,9 @@ exportfs_decode_fh_raw(struct vfsmount *mnt, struct fid *fid, int fh_len, char nbuf[NAME_MAX+1]; int err; + if (WARN_ON_ONCE(FILEID_USER_FLAGS(fileid_type))) + return -EINVAL; + /* * Try to get any dentry for the given file handle from the filesystem. */ diff --git a/fs/fhandle.c b/fs/fhandle.c index 82df28d45cd7..c5792cf3c6e9 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -307,6 +307,10 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, retval = -EINVAL; goto out_path; } + if (!FILEID_USER_TYPE_IS_VALID(f_handle.handle_type)) { + retval = -EINVAL; + goto out_path; + } handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), GFP_KERNEL); if (!handle) { @@ -322,6 +326,8 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, goto out_handle; } + /* Filesystem code should not be exposed to user flags */ + handle->handle_type &= ~FILEID_USER_FLAGS_MASK; retval = do_handle_to_path(handle, path, &ctx); out_handle: diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 893a1d21dc1c..76a3050b3593 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -160,6 +160,20 @@ struct fid { #define EXPORT_FH_FID 0x2 /* File handle may be non-decodeable */ #define EXPORT_FH_DIR_ONLY 0x4 /* Only decode file handle for a directory */ +/* + * Filesystems use only lower 8 bits of file_handle type for fid_type. + * name_to_handle_at() uses upper 16 bits of type as user flags to be + * interpreted by open_by_handle_at(). + */ +#define FILEID_USER_FLAGS_MASK 0xffff0000 +#define FILEID_USER_FLAGS(type) ((type) & FILEID_USER_FLAGS_MASK) + +/* Flags supported in encoded handle_type that is exported to user */ +#define FILEID_VALID_USER_FLAGS (0) + +#define FILEID_USER_TYPE_IS_VALID(type) \ + (!(FILEID_USER_FLAGS(type) & ~FILEID_VALID_USER_FLAGS)) + /** * struct export_operations - for nfsd to communicate with file systems * @encode_fh: encode a file handle fragment from a dentry From patchwork Tue Oct 8 15:21:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13826633 Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com [209.85.208.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D7931E049E; Tue, 8 Oct 2024 15:21:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400888; cv=none; b=sOkACajLMKce+IjdJ+aGtLktygHX3U6h5BOb7Vc0RVI3lFRB1SpYzP5HP/qn+tk0puLNBPIh05/gIRfLYSrEcyHz1LdgZJRCZX9Mur9GP0C/NhRpzlCUOhTdUSWPpXCF26+O/Nqwe9qwjm3X1PuDHuXp3KAB701lQWACGJJEDkg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400888; c=relaxed/simple; bh=+lTbmtwfyb7AjlOxLrcSHxwkErVrBDtzdezP2YLKOJA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=nzyWjAM8K0ysVsWrVRBwTiYMT/vBmR3dAHTPvYG3BhS3PjMWdN8Ti86i8/QV5+b+o1qCH2Kr3T0gS117SK0jGBlORp/pJN8IjrCyjMOt6CJz7pMspmGEOSJBRcF8jmeSH75Fnag3hG1rL4sns5FVDcp8+fcV9e4mmvpjvA7Rwps= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=M8ol3jx9; arc=none smtp.client-ip=209.85.208.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="M8ol3jx9" Received: by mail-ed1-f41.google.com with SMTP id 4fb4d7f45d1cf-5c91a7141b8so232610a12.1; Tue, 08 Oct 2024 08:21:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728400885; x=1729005685; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7x/acSxCv7H+ppJ4OuFjM3Dd++gtKxDLriu5QQGsWoQ=; b=M8ol3jx9zOk2Z8Kk3Wz3OPckPXo5tddzGVPubrolkoIDkETwSepZh1WDEURWBuExiA ZDlWdo2IWjYZvK5uOurHW/zNLqCcAGpoWJTHOQTEcpeC5lRphBWYBuHvl7baMIAlQrm7 za2A24HtJ/8STx1NDFiDD9fzEPpkZqSmbtwHoT4mpPZay7dR7EyeiAZ+kQBpw690rKlo zcWwjzPfvjUEb+CriKc2i/7vUfCVxywC7202nTxbKx5+iNxt3wNqEMsrjZdQfXACKJNs +3bfoqXFZrCme/gUsCGRdvKnHCFbxIRgGwz1PEh7Oiv8P6OQJHwGhTqf7zR8AZg8+8X8 k6Xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728400885; x=1729005685; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7x/acSxCv7H+ppJ4OuFjM3Dd++gtKxDLriu5QQGsWoQ=; b=saLicXRZfInUPdOwOMNIqBlSTqmePfNqvqrRZ4KmUdSbpBxY/EyjS2CyR0BjL+t2fS X/tbmgipfY0oPOzTDTZoNRyrGcUpqjBoEJoMp877H0b7f7sgZ4YxA620aKfX5EFXma8a FR4hnSh1OZgFkqUY5iUUhqeVzCEivB0zo22cn7qFOgqdigbuxx4aAg8io3dnPi4qK0yZ B0teQt8yAurIXMnORocMm693sMVNBkYgm4OCjWfsJXtyt+vLiLNlXWbevU85VQRWKK0b PvzkouseValc8dpp4KT8b1jJg2exd8xS12MweNMZhx9wzesIBMpvxmxGC0iGkGwZpj32 5GVQ== X-Forwarded-Encrypted: i=1; AJvYcCU9IVmhMnPzOjVR+rTv2nPGc1krR9ryZtGjoHoaaK9kRrb8kEGJ3avCT+WeR4qqoB9b19KI60bFtwM3@vger.kernel.org, AJvYcCXT1+vwEb1fsdK+RUnoygNXQwJ8ZyV+uJxGs7+Xf2rOTXMfLWUIz/IldsHSCGFGwN3it11bUPHdx7vVliAU@vger.kernel.org X-Gm-Message-State: AOJu0Yz7awRdYhmpHVe+tn0JEl576e/6nl0Ai9dWnSrUDnquJH72bETj BUccPlWQRtBcg8uA10T87uxCSVvI/UY4IouXG8+UlnGcF8VpdnSjYxdUufKr X-Google-Smtp-Source: AGHT+IEKLxWVgobj8E72uSDt+XHtmNrE+X1Kl4tNw0NSo18GnMluZbKC1AjgMl/tBoXLvOko81/44A== X-Received: by 2002:a17:907:3e8e:b0:a99:65c6:7f22 with SMTP id a640c23a62f3a-a9965c68657mr303983566b.11.1728400884292; Tue, 08 Oct 2024 08:21:24 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99384f8258sm487910466b.16.2024.10.08.08.21.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Oct 2024 08:21:23 -0700 (PDT) From: Amir Goldstein To: Jeff Layton Cc: Christian Brauner , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v3 2/3] fs: name_to_handle_at() support for "explicit connectable" file handles Date: Tue, 8 Oct 2024 17:21:17 +0200 Message-Id: <20241008152118.453724-3-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241008152118.453724-1-amir73il@gmail.com> References: <20241008152118.453724-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 nfsd encodes "connectable" file handles for the subtree_check feature, which can be resolved to an open file with a connected path. So far, userspace nfs server could not make use of this functionality. Introduce a new flag AT_HANDLE_CONNECTABLE to name_to_handle_at(2). When used, the encoded file handle is "explicitly connectable". The "explicitly connectable" file handle sets bits in the high 16bit of the handle_type field, so open_by_handle_at(2) will know that it needs to open a file with a connected path. old kernels will now recognize the handle_type with high bits set, so "explicitly connectable" file handles cannot be decoded by open_by_handle_at(2) on old kernels. The flag AT_HANDLE_CONNECTABLE is not allowed together with either AT_HANDLE_FID or AT_EMPTY_PATH. Signed-off-by: Amir Goldstein --- fs/fhandle.c | 48 ++++++++++++++++++++++++++++++++++---- include/linux/exportfs.h | 2 ++ include/uapi/linux/fcntl.h | 1 + 3 files changed, 46 insertions(+), 5 deletions(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index c5792cf3c6e9..7b4c8945efcb 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -31,6 +31,14 @@ static long do_sys_name_to_handle(const struct path *path, if (!exportfs_can_encode_fh(path->dentry->d_sb->s_export_op, fh_flags)) return -EOPNOTSUPP; + /* + * A request to encode a connectable handle for a disconnected dentry + * is unexpected since AT_EMPTY_PATH is not allowed. + */ + if (fh_flags & EXPORT_FH_CONNECTABLE && + WARN_ON(path->dentry->d_flags & DCACHE_DISCONNECTED)) + return -EINVAL; + if (copy_from_user(&f_handle, ufh, sizeof(struct file_handle))) return -EFAULT; @@ -45,7 +53,7 @@ static long do_sys_name_to_handle(const struct path *path, /* convert handle size to multiple of sizeof(u32) */ handle_dwords = f_handle.handle_bytes >> 2; - /* we ask for a non connectable maybe decodeable file handle */ + /* Encode a possibly decodeable/connectable file handle */ retval = exportfs_encode_fh(path->dentry, (struct fid *)handle->f_handle, &handle_dwords, fh_flags); @@ -67,8 +75,23 @@ static long do_sys_name_to_handle(const struct path *path, * non variable part of the file_handle */ handle_bytes = 0; - } else + } else { + /* + * When asked to encode a connectable file handle, encode this + * property in the file handle itself, so that we later know + * how to decode it. + * For sanity, also encode in the file handle if the encoded + * object is a directory and verify this during decode, because + * decoding directory file handles is quite different than + * decoding connectable non-directory file handles. + */ + if (fh_flags & EXPORT_FH_CONNECTABLE) { + handle->handle_type |= FILEID_IS_CONNECTABLE; + if (d_is_dir(path->dentry)) + fh_flags |= FILEID_IS_DIR; + } retval = 0; + } /* copy the mount id */ if (unique_mntid) { if (put_user(real_mount(path->mnt)->mnt_id_unique, @@ -109,15 +132,30 @@ SYSCALL_DEFINE5(name_to_handle_at, int, dfd, const char __user *, name, { struct path path; int lookup_flags; - int fh_flags; + int fh_flags = 0; int err; if (flag & ~(AT_SYMLINK_FOLLOW | AT_EMPTY_PATH | AT_HANDLE_FID | - AT_HANDLE_MNT_ID_UNIQUE)) + AT_HANDLE_MNT_ID_UNIQUE | AT_HANDLE_CONNECTABLE)) + return -EINVAL; + + /* + * AT_HANDLE_FID means there is no intention to decode file handle + * AT_HANDLE_CONNECTABLE means there is an intention to decode a + * connected fd (with known path), so these flags are conflicting. + * AT_EMPTY_PATH could be used along with a dfd that refers to a + * disconnected non-directory, which cannot be used to encode a + * connectable file handle, because its parent is unknown. + */ + if (flag & AT_HANDLE_CONNECTABLE && + flag & (AT_HANDLE_FID | AT_EMPTY_PATH)) return -EINVAL; + else if (flag & AT_HANDLE_FID) + fh_flags |= EXPORT_FH_FID; + else if (flag & AT_HANDLE_CONNECTABLE) + fh_flags |= EXPORT_FH_CONNECTABLE; lookup_flags = (flag & AT_SYMLINK_FOLLOW) ? LOOKUP_FOLLOW : 0; - fh_flags = (flag & AT_HANDLE_FID) ? EXPORT_FH_FID : 0; if (flag & AT_EMPTY_PATH) lookup_flags |= LOOKUP_EMPTY; err = user_path_at(dfd, name, lookup_flags, &path); diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 76a3050b3593..230b0e1d669d 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -169,6 +169,8 @@ struct fid { #define FILEID_USER_FLAGS(type) ((type) & FILEID_USER_FLAGS_MASK) /* Flags supported in encoded handle_type that is exported to user */ +#define FILEID_IS_CONNECTABLE 0x10000 +#define FILEID_IS_DIR 0x40000 #define FILEID_VALID_USER_FLAGS (0) #define FILEID_USER_TYPE_IS_VALID(type) \ diff --git a/include/uapi/linux/fcntl.h b/include/uapi/linux/fcntl.h index 87e2dec79fea..56ff2100e021 100644 --- a/include/uapi/linux/fcntl.h +++ b/include/uapi/linux/fcntl.h @@ -153,6 +153,7 @@ object identity and may not be usable with open_by_handle_at(2). */ #define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */ +#define AT_HANDLE_CONNECTABLE 0x002 /* Request a connectable file handle */ #if defined(__KERNEL__) #define AT_GETATTR_NOSEC 0x80000000 From patchwork Tue Oct 8 15:21:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 13826634 Received: from mail-ej1-f49.google.com (mail-ej1-f49.google.com [209.85.218.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8C7301E0497; Tue, 8 Oct 2024 15:21:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400889; cv=none; b=fEyONEW4+klrAbdNam/34gUVNC4zF1z9nqiBk3JrS/5zr2Qexboo8yhK7Zmqj4mvO5gFcMPPnlosBNEx/YFT+n5lnF/DHpPJOwIEPuayGo5KtaFvPGzEk9pfI17h2s6chqdre45equrXXKrfjq28CF3aykZKx0THRHzNwQawi+Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728400889; c=relaxed/simple; bh=kp69Yv7ejdvXL4Ldvgcq2UBSJul9TjQhTDOv91togkk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=N0f5NOnd4WfWSYEyVwnbLjffQg8qHB2m5dIMoboZBHaxVsJiDUHk9ZZpCOn0nwDeGwhLEllRoHIVm26WUmLMCMaQtXmM9az2tx8WWo79Pk+6N6RbIrjgShNr/Ai+IUVls5Cs+ZCTLUOJ9snUz2uIPiHFADWjb7te1+Wb3r9Jqdc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=hajbIByl; arc=none smtp.client-ip=209.85.218.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="hajbIByl" Received: by mail-ej1-f49.google.com with SMTP id a640c23a62f3a-a99650da839so188170166b.2; Tue, 08 Oct 2024 08:21:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728400886; x=1729005686; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=EUaVCNUqnT5/rCf5Nw/LoDvlRy744S45/gp8iReu32s=; b=hajbIBylte4UT6EJT+7k1OgX/JKg5GcpZcLyDnz/OhguAvvVKyfr+UY3rT0IIA0hdV yAWD7RniYhIc0DZRhhV7SfnaXRiWrXJWJsW9smSS/8A2pS2+99y88HDqMoRs+nM4fzAw HQe/51VN7Jm/A2bngeZqtcxImHOG1GBn+6cM4GBAF2/2ustGSGvkE+atqczPy3QAeWQK CQQb6AKp50MnN5jX5duASfzzo6G7VzchDUcgLglsZBjjxZK2lg0VMM3h5lRGSLFQjWYE ZsUGSoUFsL3j66kMWrwWVPByhwStRrbaWzVC1QNNY+CJEhri13yW68kXRFROI+PrwuWU DUaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728400886; x=1729005686; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EUaVCNUqnT5/rCf5Nw/LoDvlRy744S45/gp8iReu32s=; b=V0hL+AYHCGhGXtJv14BGhhb+JgxpegwYp9VJWfQkDx/UAkTD8lhrFAWbnb/wIrouAJ /yzEmYcFv8P60r+1+WTbeX09+T2dTPlEv6bEc7n0jPOm/dSvoV7uDR/E2Kk9T7On7Qj/ jluzBO8nlAVF2KcHvdCtPadpeiqOOussrobbuglMCmurfHvRI1jS31z79ZCUKDY3Ljuo cC/NB7e+1fipQsiK4wd/ch8YexZ5VVGkJ9SEJy8LPtqQNX6mrUB0JW7n1RmG8mbV9Oej R/rvoObGw7acXwmxrJY/cNVLYtTISmAxqk65ybuQXFg8LN6k/ZPUeYWfm2E1OdWpPGXb bDbA== X-Forwarded-Encrypted: i=1; AJvYcCWAKV0Lt5bNkJL42ghNVl/7F8py2Szfda1TkVkeJ0C84Gm9756n3XTLAsBkP4YcdswTAyn3M4aBUtp2@vger.kernel.org, AJvYcCXtA55/hSUsHaPmnGO1M5lwg5Z6bQwEpucc5lCflMzGfZ+ZEixtyQAjIZW6JW7bs4Pad0q3fgFVrcp51N4O@vger.kernel.org X-Gm-Message-State: AOJu0YzlLWvhvosb1ibI39oKxjhbi5GfrAEkDSHXyUEEbVDbTmxq0Xej T7iv24mAwvljN4DYnEQGLxyF9JFlBebi7HhtznYT+dVEyW19I9Rb X-Google-Smtp-Source: AGHT+IGcsyyD4YdkuViiyU+yF0XQWcisTO+FxN5+4pNU7PZcWpUJe2plgPi+bKQ76/06v1djAbRnew== X-Received: by 2002:a17:907:868e:b0:a99:462c:8728 with SMTP id a640c23a62f3a-a99462c8b7fmr1092425166b.3.1728400885441; Tue, 08 Oct 2024 08:21:25 -0700 (PDT) Received: from amir-ThinkPad-T480.arnhem.chello.nl (92-109-99-123.cable.dynamic.v4.ziggo.nl. [92.109.99.123]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a99384f8258sm487910466b.16.2024.10.08.08.21.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Oct 2024 08:21:24 -0700 (PDT) From: Amir Goldstein To: Jeff Layton Cc: Christian Brauner , Jan Kara , Aleksa Sarai , Chuck Lever , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v3 3/3] fs: open_by_handle_at() support for decoding "explicit connectable" file handles Date: Tue, 8 Oct 2024 17:21:18 +0200 Message-Id: <20241008152118.453724-4-amir73il@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20241008152118.453724-1-amir73il@gmail.com> References: <20241008152118.453724-1-amir73il@gmail.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Teach open_by_handle_at(2) about the type format of "explicit connectable" file handles that were created using the AT_HANDLE_CONNECTABLE flag to name_to_handle_at(2). When decoding an "explicit connectable" file handles, name_to_handle_at(2) should fail if it cannot open a "connected" fd with known path, which is accessible (to capable user) from mount fd path. Note that this does not check if the path is accessible to the calling user, just that it is accessible wrt the mount namesapce, so if there is no "connected" alias, or if parts of the path are hidden in the mount namespace, open_by_handle_at(2) will return -ESTALE. Signed-off-by: Amir Goldstein --- fs/fhandle.c | 20 +++++++++++++++++++- include/linux/exportfs.h | 2 +- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 7b4c8945efcb..6a5458c3c6c9 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -246,7 +246,13 @@ static int vfs_dentry_acceptable(void *context, struct dentry *dentry) if (!(ctx->flags & HANDLE_CHECK_SUBTREE) || d == root) retval = 1; - WARN_ON_ONCE(d != root && d != root->d_sb->s_root); + /* + * exportfs_decode_fh_raw() does not call acceptable() callback with + * a disconnected directory dentry, so we should have reached either + * mount fd directory or sb root. + */ + if (ctx->fh_flags & EXPORT_FH_DIR_ONLY) + WARN_ON_ONCE(d != root && d != root->d_sb->s_root); dput(d); return retval; } @@ -349,6 +355,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, retval = -EINVAL; goto out_path; } + handle = kmalloc(struct_size(handle, f_handle, f_handle.handle_bytes), GFP_KERNEL); if (!handle) { @@ -364,6 +371,17 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, goto out_handle; } + /* + * If handle was encoded with AT_HANDLE_CONNECTABLE, verify that we + * are decoding an fd with connected path, which is accessible from + * the mount fd path. + */ + if (f_handle.handle_type & FILEID_IS_CONNECTABLE) { + ctx.fh_flags |= EXPORT_FH_CONNECTABLE; + ctx.flags |= HANDLE_CHECK_SUBTREE; + } + if (f_handle.handle_type & FILEID_IS_DIR) + ctx.fh_flags |= EXPORT_FH_DIR_ONLY; /* Filesystem code should not be exposed to user flags */ handle->handle_type &= ~FILEID_USER_FLAGS_MASK; retval = do_handle_to_path(handle, path, &ctx); diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h index 230b0e1d669d..a48d4c94ff74 100644 --- a/include/linux/exportfs.h +++ b/include/linux/exportfs.h @@ -171,7 +171,7 @@ struct fid { /* Flags supported in encoded handle_type that is exported to user */ #define FILEID_IS_CONNECTABLE 0x10000 #define FILEID_IS_DIR 0x40000 -#define FILEID_VALID_USER_FLAGS (0) +#define FILEID_VALID_USER_FLAGS (FILEID_IS_CONNECTABLE | FILEID_IS_DIR) #define FILEID_USER_TYPE_IS_VALID(type) \ (!(FILEID_USER_FLAGS(type) & ~FILEID_VALID_USER_FLAGS))