Details

Reviewers

kib
markj

Commits

rG92bb74fd4f01: vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL

Summary

This changes vn_deallocate() to match the behavior of vn_rdwr() when
picking which ucred to use. That is, vn_deallocate() uses file_cred for
making VOP call if it is non-NULL, or use active_cred otherwise.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

khng created this revision.Aug 29 2021, 5:00 PM

Herald added a subscriber: imp. · View Herald TranscriptAug 29 2021, 5:00 PM

khng requested review of this revision.Aug 29 2021, 5:00 PM

Harbormaster completed remote builds in B41248: Diff 94326.Aug 29 2021, 5:00 PM

Why is it correct? fspacectl() is called by usermode, active_cred are current credentials. f_cred AKA file_cred are credentials of the thread that opened the file. So e.g. if root opened a file and passed fd around, fspacectl(fd) would be executed with root credentials.

vn_rdwr() is different, it is not called by syscall directly.

Just checked the behavior of .fo_read/.fo_write.

khng reclaimed this revision.Aug 29 2021, 8:06 PM

khng edited the summary of this revision. (Show Details)

Make such change specific to vn_deallocate instead.

Harbormaster completed remote builds in B41251: Diff 94332.Aug 29 2021, 8:08 PM

Oops.

Harbormaster completed remote builds in B41252: Diff 94333.Aug 29 2021, 8:09 PM

kib added inline comments.Aug 29 2021, 9:01 PM

sys/kern/vfs_vnops.c
3576	why passing fp->f_cred there at all? from_fops is ugly and arguably not needed. vn_deallocate() needs explanation about active_cre/file_cred in a comment, nobody would read man page for this (or in both)

khng added inline comments.Aug 29 2021, 9:18 PM

sys/kern/vfs_vnops.c
3576	The fp->f_cred was there to for mac_vnode_check_write's policy checking (although all the policy modules in base so far are not taking f_cred into consideration at all).

khng retitled this revision from vfs: Use file_cred for VOP_DEALLOCATE when available to vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL.Aug 30 2021, 6:05 AM

Use vn_deallocate_args to pass around most of the args to vn_deallocate_impl.
Comment vn_deallocate(9)'s active_cred/file_cred preference.

Harbormaster completed remote builds in B41262: Diff 94358.Aug 30 2021, 6:12 AM

khng added inline comments.Aug 30 2021, 10:38 AM

sys/kern/vfs_vnops.c
3576	A mental note to myself: Though mac_vnode_check_write()'s file_cred is not inspected by in base policy module, it is possibly used by outside world to implement capability semantic.

kib added inline comments.Aug 30 2021, 11:30 PM

sys/kern/vfs_vnops.c
191	Why do you need this? For rw it was needed due to the vn_io_fault() structure, for vn_deallocate() it is pointless complication.

The upper 16bit of ioflag is used to pass internal flag to vn_deallocate_impl.

Harbormaster completed remote builds in B41304: Diff 94463.Sep 1 2021, 6:05 AM

Don't do this either.

Right now I see the only place which uses vn_deallocate(), it is md(4). Do you envision any more places which would do that?
I suggest to change vn_deallocate_impl() to take three creds arg. One to pass to VOP_DEALLOCATE(), and two others active_cred/f_cred. Then the caller of vn_deallocate_impl() would decide directly what to pass to the vop, so vn_deallocate() should do the if (f_cred != NULL) dance, and vn_deallocate_impl() passes active_cred to vop. This seems to be most streamlined and natural implementation.

In D31712#716746, @kib wrote:

Don't do this either.

Right now I see the only place which uses vn_deallocate(), it is md(4). Do you envision any more places which would do that?

My change to ctl(4) which translate UNMAP to VOP_DEALLOCATE for file-backed LUNS also calls vn_deallocate().

I suggest to change vn_deallocate_impl() to take three creds arg. One to pass to VOP_DEALLOCATE(), and two others active_cred/f_cred. Then the caller of vn_deallocate_impl() would decide directly what to pass to the vop, so vn_deallocate() should do the if (f_cred != NULL) dance, and vn_deallocate_impl() passes active_cred to vop. This seems to be most streamlined and natural implementation.

vn_deallocate_impl takes three kinds of cred so it's the caller to decide which cred to pass to the VOP call. Suggested by kib@.

Harbormaster completed remote builds in B41308: Diff 94475.Sep 1 2021, 10:56 AM

kib added inline comments.Sep 1 2021, 11:09 AM

sys/kern/vfs_vnops.c
3535	When I talked about commenting the use, I mean that it should explain that function is supposed to be used in the situations where the op is not triggered by a user request. In other words, currthread->td_ucred == active_cred is generally not the right credentials to account the operation to. Your line above just repeats the code.
3553	`cred = file_cred != NOCRED ? file_cred : active_cred;`

Comments
ternary instead.

Harbormaster completed remote builds in B41309: Diff 94476.Sep 1 2021, 11:38 AM

kib accepted this revision.Sep 1 2021, 12:11 PM

This revision is now accepted and ready to land.Sep 1 2021, 12:11 PM

Closed by commit rG92bb74fd4f01: vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL (authored by khng). · Explain WhySep 1 2021, 12:19 PM

This revision was automatically updated to reflect the committed changes.

khng added a commit: rG92bb74fd4f01: vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL.

vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 94480

sys/kern/vfs_vnops.c

vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULLClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 94480

sys/kern/vfs_vnops.c

vfs: Use file_cred for VOP_DEALLOCATE in vn_deallocate if non-NULL
ClosedPublic
Actions

Revision Contents
Changeset List