From: Jan Kara <jack@suse.cz>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Josef Bacik <josef@toxicpanda.com>,
kernel-team@fb.com, linux-fsdevel@vger.kernel.org, jack@suse.cz,
brauner@kernel.org, linux-xfs@vger.kernel.org,
linux-btrfs@vger.kernel.org, linux-mm@kvack.org,
linux-ext4@vger.kernel.org
Subject: Re: [PATCH v7 05/18] fsnotify: introduce pre-content permission events
Date: Thu, 14 Nov 2024 16:01:27 +0100 [thread overview]
Message-ID: <20241114150127.clibtrycjd3ke5ld@quack3> (raw)
In-Reply-To: <CAOQ4uxjeWrJtcgsC0YEmjdMPBOOpfz=zQ9VuG=z-Sc6WYNJOjQ@mail.gmail.com>
On Wed 13-11-24 19:49:31, Amir Goldstein wrote:
> From 7a2cd74654a53684d545b96c57c9091e420b3add Mon Sep 17 00:00:00 2001
> From: Amir Goldstein <amir73il@gmail.com>
> Date: Tue, 12 Nov 2024 13:46:08 +0100
> Subject: [PATCH] fsnotify: opt-in for permission events at file open time
>
> Legacy inotify/fanotify listeners can add watches for events on inode,
> parent or mount and expect to get events (e.g. FS_MODIFY) on files that
> were already open at the time of setting up the watches.
>
> fanotify permission events are typically used by Anti-malware sofware,
> that is watching the entire mount and it is not common to have more that
> one Anti-malware engine installed on a system.
>
> To reduce the overhead of the fsnotify_file_perm() hooks on every file
> access, relax the semantics of the legacy FAN_ACCESS_PERM event to generate
> events only if there were *any* permission event listeners on the
> filesystem at the time that the file was opened.
>
> The new semantic is implemented by extending the FMODE_NONOTIFY bit into
> two FMODE_NONOTIFY_* bits, that are used to store a mode for which of the
> events types to report.
>
> This is going to apply to the new fanotify pre-content events in order
> to reduce the cost of the new pre-content event vfs hooks.
>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Link: https://lore.kernel.org/linux-fsdevel/CAHk-=wj8L=mtcRTi=NECHMGfZQgXOp_uix1YVh04fEmrKaMnXA@mail.gmail.com/
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Couple of notes below.
> diff --git a/fs/open.c b/fs/open.c
> index 226aca8c7909..194c2c8d8cd4 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -901,7 +901,7 @@ static int do_dentry_open(struct file *f,
> f->f_sb_err = file_sample_sb_err(f);
>
> if (unlikely(f->f_flags & O_PATH)) {
> - f->f_mode = FMODE_PATH | FMODE_OPENED;
> + f->f_mode = FMODE_PATH | FMODE_OPENED | FMODE_NONOTIFY;
> f->f_op = &empty_fops;
> return 0;
> }
> @@ -929,6 +929,12 @@ static int do_dentry_open(struct file *f,
> if (error)
> goto cleanup_all;
>
> + /*
> + * Set FMODE_NONOTIFY_* bits according to existing permission watches.
> + * If FMODE_NONOTIFY was already set for an fanotify fd, this doesn't
> + * change anything.
> + */
> + f->f_mode |= fsnotify_file_mode(f);
Maybe it would be obvious to do this like:
file_set_fsnotify_mode(f);
Because currently this depends on the details of how exactly FMODE_NONOTIFY
is encoded.
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 70359dd669ff..dd583ce7dba8 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -173,13 +173,14 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
>
> #define FMODE_NOREUSE ((__force fmode_t)(1 << 23))
>
> -/* FMODE_* bit 24 */
> -
> /* File is embedded in backing_file object */
> -#define FMODE_BACKING ((__force fmode_t)(1 << 25))
> +#define FMODE_BACKING ((__force fmode_t)(1 << 24))
> +
> +/* File shouldn't generate fanotify pre-content events */
> +#define FMODE_NONOTIFY_HSM ((__force fmode_t)(1 << 25))
>
> -/* File was opened by fanotify and shouldn't generate fanotify events */
> -#define FMODE_NONOTIFY ((__force fmode_t)(1 << 26))
> +/* File shouldn't generate fanotify permission events */
> +#define FMODE_NONOTIFY_PERM ((__force fmode_t)(1 << 26))
>
> /* File is capable of returning -EAGAIN if I/O will block */
> #define FMODE_NOWAIT ((__force fmode_t)(1 << 27))
> @@ -190,6 +191,21 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
> /* File does not contribute to nr_files count */
> #define FMODE_NOACCOUNT ((__force fmode_t)(1 << 29))
>
> +/*
> + * The two FMODE_NONOTIFY_ bits used together have a special meaning of
> + * not reporting any events at all including non-permission events.
> + * These are the possible values of FMODE_NOTIFY(f->f_mode) and their meaning:
> + *
> + * FMODE_NONOTIFY_HSM - suppress only pre-content events.
> + * FMODE_NONOTIFY_PERM - suppress permission (incl. pre-content) events.
> + * FMODE_NONOTIFY - suppress all (incl. non-permission) events.
> + */
> +#define FMODE_NONOTIFY_MASK \
> + (FMODE_NONOTIFY_HSM | FMODE_NONOTIFY_PERM)
> +#define FMODE_NONOTIFY FMODE_NONOTIFY_MASK
> +#define FMODE_NOTIFY(mode) \
> + ((mode) & FMODE_NONOTIFY_MASK)
This looks a bit error-prone to me (FMODE_NONOTIFY looks like another FMODE
flag but in fact it is not which is an invitation for subtle bugs) and the
tests below which are sometimes done as (FMODE_NOTIFY(mode) == xxx) and
sometimes as (file->f_mode & xxx) are inconsistent and confusing (unless you
understand what's happening under the hood).
So how about defining macros like FMODE_FSNOTIFY_NORMAL(),
FMODE_FSNOTIFY_CONTENT() and FMODE_FSNOTIFY_PRE_CONTENT() which evaluate to
true if we should be sending normal/content/pre-content events to the file.
With appropriate comments this should make things more obvious.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2024-11-14 15:01 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 17:55 [PATCH v7 00/18] fanotify: add pre-content hooks Josef Bacik
2024-11-12 17:55 ` [PATCH v7 01/18] fsnotify: opt-in for permission events at file_open_perm() time Josef Bacik
2024-11-12 19:45 ` Linus Torvalds
2024-11-12 22:37 ` Amir Goldstein
2024-11-12 17:55 ` [PATCH v7 02/18] fanotify: don't skip extra event info if no info_mode is set Josef Bacik
2024-11-12 17:55 ` [PATCH v7 03/18] fanotify: rename a misnamed constant Josef Bacik
2024-11-12 17:55 ` [PATCH v7 04/18] fanotify: reserve event bit of deprecated FAN_DIR_MODIFY Josef Bacik
2024-11-12 17:55 ` [PATCH v7 05/18] fsnotify: introduce pre-content permission events Josef Bacik
2024-11-12 20:12 ` Linus Torvalds
2024-11-12 23:06 ` Amir Goldstein
2024-11-12 23:48 ` Linus Torvalds
2024-11-13 0:05 ` Amir Goldstein
2024-11-13 16:57 ` Linus Torvalds
2024-11-13 18:49 ` Amir Goldstein
2024-11-14 15:01 ` Jan Kara [this message]
2024-11-14 17:22 ` Amir Goldstein
2024-11-13 0:12 ` Al Viro
2024-11-13 0:23 ` Linus Torvalds
2024-11-13 0:38 ` Linus Torvalds
2024-11-13 1:19 ` Al Viro
2024-11-13 4:30 ` Al Viro
2024-11-13 8:50 ` Amir Goldstein
2024-11-13 14:36 ` Amir Goldstein
2024-11-13 20:31 ` Al Viro
2024-11-13 10:10 ` Christian Brauner
2024-11-20 11:09 ` Christian Brauner
2024-11-20 11:36 ` Amir Goldstein
2024-11-13 19:11 ` Amir Goldstein
2024-11-13 21:22 ` Linus Torvalds
2024-11-13 22:35 ` Amir Goldstein
2024-11-13 23:07 ` Linus Torvalds
2024-11-12 17:55 ` [PATCH v7 06/18] fsnotify: pass optional file access range in pre-content event Josef Bacik
2024-11-12 17:55 ` [PATCH v7 07/18] fsnotify: generate pre-content permission event on open Josef Bacik
2024-11-12 19:54 ` Linus Torvalds
2024-11-12 23:40 ` Amir Goldstein
2024-11-13 0:58 ` Linus Torvalds
2024-11-13 10:12 ` Amir Goldstein
2024-11-12 17:55 ` [PATCH v7 08/18] fsnotify: generate pre-content permission event on truncate Josef Bacik
2024-11-12 17:55 ` [PATCH v7 09/18] fanotify: introduce FAN_PRE_ACCESS permission event Josef Bacik
2024-11-15 11:28 ` Amir Goldstein
2024-11-15 11:47 ` Jan Kara
2024-11-12 17:55 ` [PATCH v7 10/18] fanotify: report file range info with pre-content events Josef Bacik
2024-11-12 17:55 ` [PATCH v7 11/18] fanotify: allow to set errno in FAN_DENY permission response Josef Bacik
2024-11-12 17:55 ` [PATCH v7 12/18] fanotify: add a helper to check for pre content events Josef Bacik
2024-11-13 18:33 ` Amir Goldstein
2024-11-12 17:55 ` [PATCH v7 13/18] fanotify: disable readahead if we have pre-content watches Josef Bacik
2024-11-12 17:55 ` [PATCH v7 14/18] mm: don't allow huge faults for files with pre content watches Josef Bacik
2024-11-12 17:55 ` [PATCH v7 15/18] fsnotify: generate pre-content permission event on page fault Josef Bacik
2024-11-12 17:55 ` [PATCH v7 16/18] xfs: add pre-content fsnotify hook for write faults Josef Bacik
2024-11-12 17:55 ` [PATCH v7 17/18] btrfs: disable defrag on pre-content watched files Josef Bacik
2024-11-12 17:55 ` [PATCH v7 18/18] fs: enable pre-content events on supported file systems Josef Bacik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241114150127.clibtrycjd3ke5ld@quack3 \
--to=jack@suse.cz \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@fb.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-xfs@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox