From patchwork Tue Nov 12 17:55:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Josef Bacik X-Patchwork-Id: 13872731 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4004D42BBE for ; Tue, 12 Nov 2024 17:56:43 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4741C6B0100; Tue, 12 Nov 2024 12:56:39 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3FE2F6B0102; Tue, 12 Nov 2024 12:56:39 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2763E6B0103; Tue, 12 Nov 2024 12:56:39 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 053926B0100 for ; Tue, 12 Nov 2024 12:56:38 -0500 (EST) Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id ADDB0404B0 for ; Tue, 12 Nov 2024 17:56:38 +0000 (UTC) X-FDA: 82778197656.28.AA8CD75 Received: from mail-yb1-f170.google.com (mail-yb1-f170.google.com [209.85.219.170]) by imf09.hostedemail.com (Postfix) with ESMTP id C20C6140003 for ; Tue, 12 Nov 2024 17:56:07 +0000 (UTC) Authentication-Results: imf09.hostedemail.com; dkim=pass header.d=toxicpanda-com.20230601.gappssmtp.com header.s=20230601 header.b=3GRyiMZi; spf=none (imf09.hostedemail.com: domain of josef@toxicpanda.com has no SPF policy when checking 209.85.219.170) smtp.mailfrom=josef@toxicpanda.com; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1731433963; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=iLJsKK7R4NzIWRPs6scvSLkW1qqZkqCVN1/0a/AzTQ4=; b=PhAVFvUBwpGDQ/Ltppr9X1DnqiPBhYvc5ohsvDgfhNOp45qZSpdHmujg4aB/oqx250PR2u hPsOP2BxFFxvpHZQWmrMht5+RQLlTJdybIo93VvvFFlO98BfJoyfNCFmjjC6u1GGMJg0Vp Ft719DmC+GGhv1+LpWlX8sAxlCADA0A= ARC-Authentication-Results: i=1; imf09.hostedemail.com; dkim=pass header.d=toxicpanda-com.20230601.gappssmtp.com header.s=20230601 header.b=3GRyiMZi; spf=none (imf09.hostedemail.com: domain of josef@toxicpanda.com has no SPF policy when checking 209.85.219.170) smtp.mailfrom=josef@toxicpanda.com; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1731433963; a=rsa-sha256; cv=none; b=0lWdpIlphqRlD3o0AKbWbNncrwLg0lidhoOVKbOZKA1l//YBaMYn1GEUBzD7oA6CO1jtBm l1EnZtZ/WIVqt/C4RCHGcNBViIO5Pz+DO1UlZansPhnDjn2DLOvWPsbn6kdgP3dgezVI4B 4Iw5lfPbz2gDVrdtLnq1//DxR5VAEKU= Received: by mail-yb1-f170.google.com with SMTP id 3f1490d57ef6-e291f1d659aso5804946276.3 for ; Tue, 12 Nov 2024 09:56:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=toxicpanda-com.20230601.gappssmtp.com; s=20230601; t=1731434196; x=1732038996; darn=kvack.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=iLJsKK7R4NzIWRPs6scvSLkW1qqZkqCVN1/0a/AzTQ4=; b=3GRyiMZi2XZvdHbBE5nmdo7lGHvh5FYl7tc0BZWyYSfg7+Jod5UdejHiLhXn1VXfHF 34lxzFCkO0Q9obCJ23brSQvSX4/QR9VeH0Zu4p/18Kq3MaoasASFuc56+OodbCU7ziZd 93d5skrj4rBTGRaOokksOgJxYZEPnN0QuQreLSuc8H+3H+bLPgyEwtIeFVu7qn+/eaxK AXMZCyFU0iM2iIGgqcXWcE5tPgg7A5EE1m8Y4YJCKarHqNvDJ1bnSh8sZf+x2Zf4H20y mUgt7uzER58WSFcDscmlsl4FydYq9HyvkyiQ0U7n4JWYiTJbrZEdp+Qqj7hdYo35aNDG tIyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731434196; x=1732038996; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iLJsKK7R4NzIWRPs6scvSLkW1qqZkqCVN1/0a/AzTQ4=; b=dLvGS6dQP3jrS/NssPrIYT5aDrOcmvfdt2IjuXL01mTGcZHlzh1N7eMp5I1d0p95+S BjB8/4w6T5+xR0B0Tndi/bQyL3C2QQwaGLFggD1kSaLRMCoe8CJ9Vl3ZFcVTVjfz3Mxo YiL1eopg3h3SGuSwlM8Wsah8i7eBqFyMn0vuMf3oRuctMdW6SQchMBbnMk/t5eIdfNL8 OOXtdbzO8ejf1Vgr6yjPv9Bt0rHtq6f07LXuekL9s4M3SW7ZiHaYxvxYC67Fr4Bci/Z/ 8BSsxfMVPCxil/FwqR+iQyF5ZNXkGHI0SUqtPbEL9GQDRf/isBta1q0U7pyhML5ZzjH8 0VCg== X-Forwarded-Encrypted: i=1; AJvYcCVnwM6/5rLEbrezfc0pX0xz0lXtP2TFM3zHMoQrShoSVMxOoRe2RQsQyY+7NPaAhcP6/wF5kdOMFQ==@kvack.org X-Gm-Message-State: AOJu0YyYBmI07RTZpdGzOhMEw4PPhhcrHbRYyzzwUTS02uEOCMHBzHHs POOxgMtw2c1VxRN8ng7UcyNLoKlZCrJVePPYbkcxPaGiuJy5G/VoKxtglp/uZkk= X-Google-Smtp-Source: AGHT+IEOgMksI4ZuWIGKlsxQ62qh9QTja1/V58VuHmypKT67lw1RxIlzwCqUPq2uOUJYVFxRqQmgoQ== X-Received: by 2002:a05:6902:124f:b0:e2b:db9c:5366 with SMTP id 3f1490d57ef6-e337f8ced5cmr17506428276.37.1731434195837; Tue, 12 Nov 2024 09:56:35 -0800 (PST) Received: from localhost (syn-076-182-020-124.res.spectrum.com. [76.182.20.124]) by smtp.gmail.com with ESMTPSA id 3f1490d57ef6-e336f1edd7csm2889924276.59.2024.11.12.09.56.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Nov 2024 09:56:35 -0800 (PST) From: Josef Bacik To: kernel-team@fb.com, linux-fsdevel@vger.kernel.org, jack@suse.cz, amir73il@gmail.com, brauner@kernel.org, torvalds@linux-foundation.org, linux-xfs@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-mm@kvack.org, linux-ext4@vger.kernel.org Subject: [PATCH v7 05/18] fsnotify: introduce pre-content permission events Date: Tue, 12 Nov 2024 12:55:20 -0500 Message-ID: <141e2cc2dfac8b2f49c1c8d219dd7c20925b2cef.1731433903.git.josef@toxicpanda.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: C20C6140003 X-Stat-Signature: qigj9k8e7goczyyw1mnpjmduxyadwesc X-Rspam-User: X-HE-Tag: 1731434167-234007 X-HE-Meta: U2FsdGVkX1+DuOewpNr2DwAnFupuxj3QcQ0PgtZ7McggzO2CWCUtzoG6BuSyXQ0w3eyy/AHzSckNZtigf8qU2AsFhE1TrW/zrkSOfn6vv7ITEokZ2RctlTpBeQQJ9cueqNNF1Ep4q66xUhhguG9Bwn7WuUmVveEC/6ynUtm979vVx5QjZxpSQPvsyRTm1jitQfMw49S5Dg1BTlv5tet0+3fbkAyuSvDSvKXDjhil3PYVMOWSdMTykNcte6YTAZijoZZqMwznofjJ8Ai9oQRyjMOT3XeI+uFvIiN0xqIb38PU9RrPkX2ducJMQdtF8/8OQKpAgjyBAJa1Y2dhvSvZOjT7SoKOSCAnXAVbreDdoacFa27/H7FDKDDjmpAF2h3AvL3KnNqMwYDrv8DBuD+82BpPfXzNlDcJEpYsBgJ8czPa55X4wVTPXqONhkND48/7bw1Oh1eHUuC/OEhYXWw+TFWuvBfO+CcfC38Cd73t+jVDoag331GC2UZjSYDq11LSOyxbXwJbW4n4MDgWStpx5Tm4KcjJ416TlWsnAszL3RFK8gsmjw0g7HGwnugI8oxJIqjXS2aK3lp6PZifuJg1tac8A/HddM74Rli57Dl6IEE7DHYnHhmPadhX5VGrGTkqjgfy1A8z9IsuO/AAANv3FJjy0fAEIMtJ7PNK5HwsC1TZnadjWjC623IRaZNSNiPlKtJHOoQZM2sxJUc1hdW6yNLPsB7fNSGL/FZ+8XGGHfAeQ2fa51lT2qHJ2G37drGhQJOpRqoxIsfkUXf3FKh98tSQub+zV0GHAKIRd5szT6IlJopRcqF37zKgCIlCmb/qhUmPXKvi/JCPeMr9mJnE6cqkqu0wiB0o6ZcJ1EpXGA37NClBiOtqYpSlSjHRI+lHbInneswNb5mafp95DT/CaEopP0l3Cb82irFuk2zGQU4eMoN4FlrccMktHKrFsijGj1sZU3kxuOIbW6954T+ JGLs2v9o x4jIHlqAIAwMaiNCDvOmbKtun9JXGPezOVzwblyYuvsgStboxZxNF3hd3LE7qcpQ7bVtsMlNw3PJnmVjnZllRsc/HCrzIp55HrYADsI4j724fPCV13aTj2BY6+VDgGAlPD7XVYjwmxT++k9cpF8JcST21huNkNKV0FFKjejPeYxg3OeKlMlKjr5YJ/k2UsvJntSk4AgQmJf82w0GxtQDAIGl2wYuVDp50nIFcRtK+1bH+z0II9BGIVpre1T1d9MfON9NzImFR5XpOBizPpxyh2J23dJj5ZXoxp1zRP79uc9Y1UuBnmke2OxOzLou3PMgniiOORHszsZjCK6Z8aIVu01fJEOHlU9BBYtjZv898mA2cZOX92jbTsfmBC2c3/opXRivACRzTX+xqXPVt58kfZZHQHU7UYOJbytKX97h1d+7+RaSUlNfze+JiE15gpwJJxDk6tIAt0iQaG8I= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Amir Goldstein The new FS_PRE_ACCESS permission event is similar to FS_ACCESS_PERM, but it meant for a different use case of filling file content before access to a file range, so it has slightly different semantics. Generate FS_PRE_ACCESS/FS_ACCESS_PERM as two seperate events, so content scanners could inspect the content filled by pre-content event handler. Unlike FS_ACCESS_PERM, FS_PRE_ACCESS is also called before a file is modified by syscalls as write() and fallocate(). FS_ACCESS_PERM is reported also on blockdev and pipes, but the new pre-content events are only reported for regular files and dirs. The pre-content events are meant to be used by hierarchical storage managers that want to fill the content of files on first access. There are some specific requirements from filesystems that could be used with pre-content events, so add a flag for fs to opt-in for pre-content events explicitly before they can be used. Signed-off-by: Amir Goldstein Reviewed-by: Amir Goldstein --- fs/notify/fsnotify.c | 2 +- include/linux/fs.h | 1 + include/linux/fsnotify.h | 37 ++++++++++++++++++++++++++++---- include/linux/fsnotify_backend.h | 12 +++++++++-- security/selinux/hooks.c | 3 ++- 5 files changed, 47 insertions(+), 8 deletions(-) diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index 316eec309299..cab5a1a16e57 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c @@ -626,7 +626,7 @@ static __init int fsnotify_init(void) { int ret; - BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 23); + BUILD_BUG_ON(HWEIGHT32(ALL_FSNOTIFY_BITS) != 24); ret = init_srcu_struct(&fsnotify_mark_srcu); if (ret) diff --git a/include/linux/fs.h b/include/linux/fs.h index 9b58e9887e4b..ee0637fcb197 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1232,6 +1232,7 @@ extern int send_sigurg(struct file *file); #define SB_I_RETIRED 0x00000800 /* superblock shouldn't be reused */ #define SB_I_NOUMASK 0x00001000 /* VFS does not apply umask */ #define SB_I_NOIDMAP 0x00002000 /* No idmapped mounts on this superblock */ +#define SB_I_ALLOW_HSM 0x00004000 /* Allow HSM events on this superblock */ /* Possible states of 'frozen' field */ enum { diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h index f0fd3dcae654..0f44cd60ac9a 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h @@ -154,14 +154,29 @@ static inline int fsnotify_file(struct file *file, __u32 mask) } #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS +static inline int fsnotify_pre_content(struct file *file) +{ + struct inode *inode = file_inode(file); + + /* + * Pre-content events are only reported for regular files and dirs + * if there are any pre-content event watchers on this sb. + */ + if ((!S_ISDIR(inode->i_mode) && !S_ISREG(inode->i_mode)) || + !(inode->i_sb->s_iflags & SB_I_ALLOW_HSM) || + !fsnotify_sb_has_priority_watchers(inode->i_sb, + FSNOTIFY_PRIO_PRE_CONTENT)) + return 0; + + return fsnotify_file(file, FS_PRE_ACCESS); +} + /* - * fsnotify_file_area_perm - permission hook before access to file range + * fsnotify_file_area_perm - permission hook before access of file range */ static inline int fsnotify_file_area_perm(struct file *file, int perm_mask, const loff_t *ppos, size_t count) { - __u32 fsnotify_mask = FS_ACCESS_PERM; - /* * filesystem may be modified in the context of permission events * (e.g. by HSM filling a file on access), so sb freeze protection @@ -169,10 +184,24 @@ static inline int fsnotify_file_area_perm(struct file *file, int perm_mask, */ lockdep_assert_once(file_write_not_started(file)); + /* + * read()/write and other types of access generate pre-content events. + */ + if (perm_mask & (MAY_READ | MAY_WRITE | MAY_ACCESS)) { + int ret = fsnotify_pre_content(file); + + if (ret) + return ret; + } + if (!(perm_mask & MAY_READ)) return 0; - return fsnotify_file(file, fsnotify_mask); + /* + * read() also generates the legacy FS_ACCESS_PERM event, so content + * scanners can inspect the content filled by pre-content event. + */ + return fsnotify_file(file, FS_ACCESS_PERM); } /* diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h index 53d5d0e02943..9bda354b5538 100644 --- a/include/linux/fsnotify_backend.h +++ b/include/linux/fsnotify_backend.h @@ -57,6 +57,8 @@ #define FS_OPEN_EXEC_PERM 0x00040000 /* open/exec event in a permission hook */ /* #define FS_DIR_MODIFY 0x00080000 */ /* Deprecated (reserved) */ +#define FS_PRE_ACCESS 0x00100000 /* Pre-content access hook */ + /* * Set on inode mark that cares about things that happen to its children. * Always set for dnotify and inotify. @@ -78,8 +80,14 @@ */ #define ALL_FSNOTIFY_DIRENT_EVENTS (FS_CREATE | FS_DELETE | FS_MOVE | FS_RENAME) -#define ALL_FSNOTIFY_PERM_EVENTS (FS_OPEN_PERM | FS_ACCESS_PERM | \ - FS_OPEN_EXEC_PERM) +/* Content events can be used to inspect file content */ +#define FSNOTIFY_CONTENT_PERM_EVENTS (FS_OPEN_PERM | FS_OPEN_EXEC_PERM | \ + FS_ACCESS_PERM) +/* Pre-content events can be used to fill file content */ +#define FSNOTIFY_PRE_CONTENT_EVENTS (FS_PRE_ACCESS) + +#define ALL_FSNOTIFY_PERM_EVENTS (FSNOTIFY_CONTENT_PERM_EVENTS | \ + FSNOTIFY_PRE_CONTENT_EVENTS) /* * This is a list of all events that may get sent to a parent that is watching diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fc926d3cac6e..c6f38705c715 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3404,7 +3404,8 @@ static int selinux_path_notify(const struct path *path, u64 mask, perm |= FILE__WATCH_WITH_PERM; /* watches on read-like events need the file:watch_reads permission */ - if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) + if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | + FS_CLOSE_NOWRITE)) perm |= FILE__WATCH_READS; return path_has_perm(current_cred(), path, perm);