[RFC] lsm: fs: Use i_callback to free i_security in RCU callback
Paul Moore
paul at paul-moore.com
Tue Dec 17 00:22:01 UTC 2024
On Mon, Dec 16, 2024 at 6:43 PM Song Liu <song at kernel.org> wrote:
>
> inode->i_security needs to be freed from RCU callback. A rcu_head was
> added to i_security to call the RCU callback. However, since struct inode
> already has i_rcu, the extra rcu_head is wasteful. Specifically, when any
> LSM uses i_security, a rcu_head (two pointers) is allocated for each
> inode.
>
> Add security_inode_free_rcu() to i_callback to free i_security so that
> a rcu_head is saved for each inode. Special care is needed for file
> systems that provide a destroy_inode() callback, but not a free_inode()
> callback. Specifically, the following logic is added to handle such
> cases:
>
> - XFS recycles inode after destroy_inode. The inodes are freed from
> recycle logic. Let xfs_inode_free_callback() and xfs_inode_alloc()
> call security_inode_free_rcu() before freeing the inode.
> - Let pipe free inode from a RCU callback.
> - Let btrfs-test free inode from a RCU callback.
If I recall correctly, historically the vfs devs have pushed back on
filesystem specific changes such as this, requiring LSM hooks to
operate at the VFS layer unless there was absolutely no other choice.
From an LSM perspective I'm also a little concerned that this approach
is too reliant on individual filesystems doing the right thing with
respect to LSM hooks which I worry will result in some ugly bugs in
the future.
> Signed-off-by: Song Liu <song at kernel.org>
> ---
> Documentation/filesystems/vfs.rst | 8 ++++-
> fs/btrfs/fs.h | 1 +
> fs/btrfs/inode.c | 4 +++
> fs/btrfs/tests/btrfs-tests.c | 1 +
> fs/inode.c | 2 ++
> fs/pipe.c | 1 -
> fs/xfs/xfs_icache.c | 3 ++
> include/linux/security.h | 4 +++
> security/security.c | 49 +++++++++++++++++++------------
> 9 files changed, 53 insertions(+), 20 deletions(-)
--
paul-moore.com