[RFC] lsm: fs: Use i_callback to free i_security in RCU callback

Song Liu song at kernel.org
Tue Dec 17 18:09:09 UTC 2024


On Tue, Dec 17, 2024 at 8:44 AM Paul Moore <paul at paul-moore.com> wrote:
>
> On Mon, Dec 16, 2024 at 8:24 PM Song Liu <song at kernel.org> wrote:
> > On Mon, Dec 16, 2024 at 4:22 PM Paul Moore <paul at paul-moore.com> wrote:
> > >
> > > On Mon, Dec 16, 2024 at 6:43 PM Song Liu <song at kernel.org> wrote:
> > > >
> > > > inode->i_security needes to be freed from RCU callback. A rcu_head was
> > > > added to i_security to call the RCU callback. However, since struct inode
> > > > already has i_rcu, the extra rcu_head is wasteful. Specifically, when any
> > > > LSM uses i_security, a rcu_head (two pointers) is allocated for each
> > > > inode.
> > > >
> > > > Add security_inode_free_rcu() to i_callback to free i_security so that
> > > > a rcu_head is saved for each inode. Special care are needed for file
> > > > systems that provide a destroy_inode() callback, but not a free_inode()
> > > > callback. Specifically, the following logic are added to handle such
> > > > cases:
> > > >
> > > >  - XFS recycles inode after destroy_inode. The inodes are freed from
> > > >    recycle logic. Let xfs_inode_free_callback() and xfs_inode_alloc()
> > > >    call security_inode_free_rcu() before freeing the inode.
> > > >  - Let pipe free inode from a RCU callback.
> > > >  - Let btrfs-test free inode from a RCU callback.
> > >
> > > If I recall correctly, historically the vfs devs have pushed back on
> > > filesystem specific changes such as this, requiring LSM hooks to
> > > operate at the VFS layer unless there was absolutely no other choice.
> > >
> > > From a LSM perspective I'm also a little concerned that this approach
> > > is too reliant on individual filesystems doing the right thing with
> > > respect to LSM hooks which I worry will result in some ugly bugs in
> > > the future.
> >
> > Totally agree with the concerns. However, given the savings is quite
> > significant (saving two pointers per inode), I think the it may justify
> > the extra effort to maintain the logic. Note that, some LSMs are
> > enabled in most systems and cannot be easily disabled, so I am
> > assuming most systems will see the savings.
>
> I suggest trying to find a solution that is not as fragile in the face
> of cross subsystem changes and ideally also limits the number of times
> the LSM calls must be made in individual filesystems.

There are three (groups of) subsystems here: VFS, file systems, and
LSM. It is not really possible to do this without crossing subsystem
boundaries. Specifically, since VFS allow a file system to have
destroy_inode callback, but not free_inode callback, we will need
such file systems to handle rcu callback. Does this make sense?

Suggestions on how we can solve this better are always appreciated.

Thanks,
Song



More information about the Linux-security-module-archive mailing list