Thread (6 messages) 6 messages, 3 authors, 2021-06-01

Re: fsnotify events for overlayfs real file

From: Amir Goldstein <amir73il@gmail.com>
Date: 2021-05-18 17:56:41
Also in: linux-unionfs

On Tue, May 18, 2021 at 5:43 PM Miklos Szeredi [off-list ref] wrote:
On Mon, 10 May 2021 at 18:32, Amir Goldstein [off-list ref] wrote:
quoted
quoted
quoted
I see, right. I agree that is unfortunate especially for stuff like audit
or fanotify permission events so we should fix that.
Miklos,

Do you recall what is the reason for using FMODE_NONOTIFY
for realfile?
Commit d989903058a8 ("ovl: do not generate duplicate fsnotify events
for "fake" path").
quoted
I can see that events won't be generated anyway for watchers of
underlying file, because fsnotify_file() looks at the "fake" path
(i.e. the overlay file path).

I recently looked at a similar issue w.r.t file_remove_privs() when
I was looking at passing mnt context to notify_change() [1].

My thinking was that we can change d_real() to provide the real path:

static inline struct path d_real_path(struct path *path,
                                    const struct inode *inode)
{
        struct realpath = {};
        if (!unlikely(dentry->d_flags & DCACHE_OP_REAL))
               return *path;
        dentry->d_op->d_real(path->dentry, inode, &realpath);
        return realpath;
}

static inline struct dentry *d_real(struct dentry *dentry,
                                    const struct inode *inode)
{
        struct realpath = {};
        if (!unlikely(dentry->d_flags & DCACHE_OP_REAL))
               return dentry;
        dentry->d_op->d_real(path->dentry, inode, &realpath);
        return realpath.dentry;
}


Another option, instead of getting the realpath, just detect the
mismatch of file_inode(file) != d_inode(path->dentry) in
fanotify_file() and pass FSNOTIFY_EVENT_DENTRY data type
with d_real() dentry to backend instead of FSNOTIFY_EVENT_PATH.

For inotify it should be enough and for fanotify it is enough for
FAN_REPORT_FID and legacy fanotify can report FAN_NOFD,
so at least permission events listeners can identify the situation and
be able to block access to unknown paths.

Am I overcomplicating this?

Any magic solution that I am missing?
Agree, dentry events should still happen.
Alas, the more critical issue is with fanotify permission events
which are path events.
Path events: what happens if you bind mount, then detach (lazy
umount)?   Isn't that exactly the same as what overlayfs does on the
underlying mounts?
No, it isn't.

In the detached mount case, the fanotify listener will get an open fd
from fanotify_user.c::create_fd() using dentry_open() on the detached
path. When the listener will read proc/self/fd/<fd> symlink, it will see
the path from the fs root.

Assuming that marks were set on a group of files or directories
with FAN_OPEN_PERM in the event mask, the path from fs root provides
enough information to understand what is going on and in any case the
fd can be used to read metadata or content from the file before making the
permission decision.

Is there a reason for the fake path besides the displayed path in
/proc/self/maps?

Does it make sense to keep one realfile with fake path for mmaped
files along side a realfile with private/detached path used for all the
other operations?

While at it, we can also cache both upper and lower realfiles in case
file was copied up after open.

Better ideas?

Thanks,
Amir.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help