[RFC PATCH 2/3] add statmnt(2) syscall

Christian Brauner brauner at kernel.org
Tue Sep 19 09:07:39 UTC 2023


On Tue, Sep 19, 2023 at 10:02:17AM +0200, Miklos Szeredi wrote:
> On Tue, 19 Sept 2023 at 02:38, Matthew House <mattlloydhouse at gmail.com> wrote:
> 
> > One natural solution is to set either of the two lengths to the expected
> > size if the provided buffer are too small. That way, the caller learns both
> > which of the buffers is too small, and how large they need to be. Replacing
> > a provided size with an expected size in this way already has precedent in
> > existing syscalls:
> 
> This is where the thread started.  Knowing the size of the buffer is
> no good, since the needed buffer could change between calls.

The same problem would exist for the single buffer. Realistically, users
will most often simply use a fixed size PATH_MAX buffer that will cover
most cases and fallback to allocating a larger buffer in case things go
awry.

I don't think we need to make this atomic either. Providing a hint for
the required buffer size in case this fails is good enough and should be
a rather rare occurence and is exactly how other variable-sized buffers
are handled.

> Also having the helper allocate buffers inside the struct could easily
> result in leaks since it's not obvious what the caller needs to free,

I don't think we need to be overly concerned with how userspace
implements the wrapper here. Leaks can occur in both scenarios and
low-level userspace can use automatic cleanup macros (we even support it
in the kernel since v6.5) to harden against this.

Really, the main things I care about are 64 bit alignment of the whole
struct, typed __u64 pointers with __u32 size for mnt_root and mnt_point
and that we please spell out "mount" and not use "mnt": so statmount
because the new mount api uses "mount" (move_mount(), mount_setattr(),
fsmount(), MOUNT_ATTR_*) almost everywhere.



More information about the Linux-security-module-archive mailing list