[RFC PATCH] fs: obtain the inode generation number from vfs directly
Dave Chinner
david at fromorbit.com
Wed Aug 28 05:38:49 UTC 2024
On Tue, Aug 27, 2024 at 10:11:48AM -0700, Darrick J. Wong wrote:
> On Tue, Aug 27, 2024 at 11:22:17AM +0200, Christian Brauner wrote:
> > On Mon, Aug 26, 2024 at 10:37:12PM GMT, Darrick J. Wong wrote:
> > > On Tue, Aug 27, 2024 at 10:32:38AM +0800, Hongbo Li wrote:
> > > >
> > > >
> > > > On 2024/8/27 10:13, Darrick J. Wong wrote:
> > > > > On Tue, Aug 27, 2024 at 01:41:08AM +0000, Hongbo Li wrote:
> > > > > > Many mainstream file systems already support the GETVERSION ioctl,
> > > > > > and their implementations are completely the same, essentially
> > > > > > just obtain the value of i_generation. We think this ioctl can be
> > > > > > implemented at the VFS layer, so the file systems do not need to
> > > > > > implement it individually.
> > > > >
> > > > > What if a filesystem never touches i_generation? Is it ok to advertise
> > > > > a generation number of zero when that's really meaningless? Or should
> > > > > we gate the generic ioctl on (say) whether or not the fs implements file
> > > > > handles and/or supports nfs?
> > > >
> > > > This ioctl mainly returns the i_generation, and whether it has meaning is up
> > > > to the specific file system. Some tools will invoke IOC_GETVERSION, such as
> > > > `lsattr -v`(but if it's lattr, it won't), but users may not necessarily
> > > > actually use this value.
> > >
> > > That's not how that works. If the kernel starts exporting a datum,
> > > people will start using it, and then the expectation that it will
> > > *continue* to work becomes ingrained in the userspace ABI forever.
> > > Be careful about establishing new behaviors for vfat.
> >
> > Is the meaning even the same across all filesystems? And what is the
> > meaning of this anyway? Is this described/defined for userspace
> > anywhere?
>
> AFAICT there's no manpage so I guess we could return getrandom32() if we
> wanted to. ;)
>
> But in seriousness, the usual four filesystems return i_generation.
We do?
I thought we didn't expose it except via bulkstat (which requires
CAP_SYS_ADMIN in the initns).
/me goes looking
Ugh. Well, there you go. I've been living a lie for 20 years.
> That is changed every time an inumber gets reused so that anyone with an
> old file handle cannot accidentally open the wrong file. In theory one
> could use GETVERSION to construct file handles
Not theory. We've been constructing XFS filehandles in -privileged-
userspace applications since the late 90s. Both DMAPI applications
(HSMs) and xfsdump do this in combination with bulkstat to retreive
the generation to enable full filesystem access without directory
traversal being necessary.
I was completely unaware that FS_IOC_GETVERSION was implemented by
XFS and so this information is available to unprivileged users...
> (if you do, UHLHAND!)
Not familiar with that acronym.
> instead of using name_to_handle_at, which is why it's dangerous to
> implement GETVERSION for everyone without checking if i_generation makes
> sense.
Yup. If you have predictable generation numbers then it's trivial to
guess filehandles once you know the inode number. Exposing
generation numbers to unprivileged users allows them to determine if
the generation numbers are predictable. Determining patterns is
often as simple as a loop doing open(create); get inode number +
generation; unlink().
That's one of the reasons we moved to randomised base generation
numbers in XFS back in 2008 - making NFS filehandles on XFS
filesystems less predictable and less prone to collisions. Given
that we are actually exposing them to unprivileged users, we
probably also need to get rid of the monotonic increment when the
inode is freed and randomise that as well.
And now I see EXT4_IOC_SETVERSION, and I want to run screaming.....
-Dave.
--
Dave Chinner
david at fromorbit.com
More information about the Linux-security-module-archive
mailing list