[RFC] lsm: fs: Use i_callback to free i_security in RCU callback

Song Liu song at kernel.org
Tue Dec 17 01:23:50 UTC 2024


Hi Paul,

Thanks for your quick review!

On Mon, Dec 16, 2024 at 4:22 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Mon, Dec 16, 2024 at 6:43 PM Song Liu <song at kernel.org> wrote:
> >
> > inode->i_security needes to be freed from RCU callback. A rcu_head was
> > added to i_security to call the RCU callback. However, since struct inode
> > already has i_rcu, the extra rcu_head is wasteful. Specifically, when any
> > LSM uses i_security, a rcu_head (two pointers) is allocated for each
> > inode.
> >
> > Add security_inode_free_rcu() to i_callback to free i_security so that
> > a rcu_head is saved for each inode. Special care are needed for file
> > systems that provide a destroy_inode() callback, but not a free_inode()
> > callback. Specifically, the following logic are added to handle such
> > cases:
> >
> >  - XFS recycles inode after destroy_inode. The inodes are freed from
> >    recycle logic. Let xfs_inode_free_callback() and xfs_inode_alloc()
> >    call security_inode_free_rcu() before freeing the inode.
> >  - Let pipe free inode from a RCU callback.
> >  - Let btrfs-test free inode from a RCU callback.
>
> If I recall correctly, historically the vfs devs have pushed back on
> filesystem specific changes such as this, requiring LSM hooks to
> operate at the VFS layer unless there was absolutely no other choice.
>
> From a LSM perspective I'm also a little concerned that this approach
> is too reliant on individual filesystems doing the right thing with
> respect to LSM hooks which I worry will result in some ugly bugs in
> the future.

Totally agree with the concerns. However, given the savings is quite
significant (saving two pointers per inode), I think the it may justify
the extra effort to maintain the logic. Note that, some LSMs are
enabled in most systems and cannot be easily disabled, so I am
assuming most systems will see the savings.

Thanks,
Song



More information about the Linux-security-module-archive mailing list