From patchwork Wed Nov 11 23:22:33 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Eric W. Biederman" X-Patchwork-Id: 7598791 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 9F1ABBF90C for ; Wed, 11 Nov 2015 23:31:21 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 85BBA20617 for ; Wed, 11 Nov 2015 23:31:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4CE5A20616 for ; Wed, 11 Nov 2015 23:31:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751664AbbKKXbS (ORCPT ); Wed, 11 Nov 2015 18:31:18 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:44289 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751322AbbKKXbR (ORCPT ); Wed, 11 Nov 2015 18:31:17 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from ) id 1ZwerC-000069-Lv; Wed, 11 Nov 2015 16:31:14 -0700 Received: from 67-3-201-231.omah.qwest.net ([67.3.201.231] helo=x220.int.ebiederm.org.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from ) id 1ZwerA-00052t-Er; Wed, 11 Nov 2015 16:31:14 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Jeff Layton Cc: "J. Bruce Fields" , linux-fsdevel@vger.kernel.org, Benjamin Coddington , Dmitry Vyukov , Linux Containers References: <876118v333.fsf@x220.int.ebiederm.org> <20151111202607.GD29410@fieldses.org> <20151111174401.5778153c@tlielax.poochiereds.net> Date: Wed, 11 Nov 2015 17:22:33 -0600 In-Reply-To: <20151111174401.5778153c@tlielax.poochiereds.net> (Jeff Layton's message of "Wed, 11 Nov 2015 17:44:01 -0500") Message-ID: <876118ruiu.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 X-XM-AID: U2FsdGVkX1/lB3dFtFR3RRJT3EAx67k/URevxRK9k2c= X-SA-Exim-Connect-IP: 67.3.201.231 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Jeff Layton X-Spam-Relay-Country: X-Spam-Timing: total 1499 ms - load_scoreonly_sql: 0.07 (0.0%), signal_user_changed: 4.3 (0.3%), b_tie_ro: 3.2 (0.2%), parse: 0.82 (0.1%), extract_message_metadata: 20 (1.3%), get_uri_detail_list: 3.5 (0.2%), tests_pri_-1000: 8 (0.5%), tests_pri_-950: 1.27 (0.1%), tests_pri_-900: 1.04 (0.1%), tests_pri_-400: 31 (2.0%), check_bayes: 30 (2.0%), b_tokenize: 9 (0.6%), b_tok_get_all: 11 (0.7%), b_comp_prob: 3.5 (0.2%), b_tok_touch_all: 3.7 (0.2%), b_finish: 0.71 (0.0%), tests_pri_0: 1425 (95.0%), tests_pri_500: 5 (0.4%), poll_dns_idle: 0.29 (0.0%), rewrite_mail: 0.00 (0.0%) Subject: Re: [RFC][PATCH] locks: Allow disabling mandatory locking at compile time X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Jeff Layton writes: > On Wed, 11 Nov 2015 15:26:07 -0500 > "J. Bruce Fields" wrote: > >> On Wed, Nov 11, 2015 at 11:49:20AM -0600, Eric W. Biederman wrote: >> > >> > Mandatory locking appears to be almost unused and buggy and there >> > appears no real interest in doing anything with it. Since effectively >> > no one uses the code and since the code is buggy let's allow it to be >> > disabled at compile time. I would just suggest removing the code but >> > undoubtedly that will break some piece of userspace code somewhere. >> > >> > For the distributions that don't care about this piece of code >> > this gives a nice starting point to make mandatory locking go away. >> > >> > Cc: Benjamin Coddington >> > Cc: Dmitry Vyukov >> > Cc: Jeff Layton >> > Cc: J. Bruce Fields >> > Signed-off-by: "Eric W. Biederman" >> > --- >> > >> > A piece of userspace software having problematic interactions with >> > mandatory locking recently came up as an issue >> >> Is there any more interesting story there? Only that I overlooked them when implementing user namespace support for mounting filesystems so it is currently possible to without privilege to mount tmpfs with mandatory locking enabled and pass a file descriptor to a daemon that was not expecting them. Causing nice denial of service attacks. So I need to decide what to do with mandatory locking in user namespaces. As the consensus of this thread is that users of mandatory locking are as rare as hen's teeth I can just not allow mandatory locking if you something is being mounted just user namespace permissions. If users would be more wide spread I would need to figure out how to avoid breaking users. >> > and I am wondering if there are enough people actually using and >> > interested in mandatory locking that it makes sense to push people to >> > support it, or if mandatory locking should be confined to it's own >> > little corner of existence where it can wither and die. >> >> I hate mandatory locking and would be delighted, but my opinion probably >> shouldn't get too much weight. >> > > Ditto...It's really hard to believe that anyone uses them, given the > well documented races in the Linux implementation. >> > From what little I can glean we want to discourage people from using >> > mandatory locking and to let it wither and die. A Kconfig option that >> > allows mandatory locking to be disabled at compile time seems like the >> > first step in making that happen. Perhaps in a decade or so when all >> > linux distributions are setting the option we can remove the code. >> > >> > Does anyone know of any real world use cases of mandatory locking? >> >> Isn't byte-range locking on Windows mandatory? So Samba people might be >> the ones to talk to. (Or Wine? Or anyone else doing Windows >> interoperability.) >> >> My suspicion would be that the semantics they need are different enough >> from what we support that we'd be better off ignoring it and starting >> over from scratch anyway. But I could be wrong. >> > > Windows BRLs are mandatory but they have totally different semantics. > > I think there is little reason to keep POSIX mandatory locks for > windows emulation purposes. I'm pretty sure Samba doesn't rely on them, > for instance, given that you have to use a funky mode bit combo to > enable them. > > This patch seems like a logical step to me. I'll review it soon and > will plan to queue it up for v4.5 unless there are objections between > now and the next merge window. Thanks. Given the general concensus of this thread it looks like we will also want this incremental patch to deal with the user namespace case. From: "Eric W. Biederman" Date: Wed, 11 Nov 2015 17:18:07 -0600 Subject: [PATCH] locks: Don't allow mounts in user namespaces to enable mandatory locking Since no one uses mandatory locking and files with mandatory locks can cause problems don't allow them in user namespaces. Signed-off-by: "Eric W. Biederman" --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index dee44b4791f0..95a349d5003d 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1589,7 +1589,7 @@ static inline bool may_mandlock(void) #ifndef CONFIG_MANDATORY_FILE_LOCKING return false; #endif - return true; + return capable(CAP_SYS_ADMIN); } /*