From: Xi Ruoyao <[email protected]>
To: Huacai Chen <[email protected]>,
Christian Brauner <[email protected]>
Cc: Arnd Bergmann <[email protected]>, Mateusz Guzik <[email protected]>,
Alexander Viro <[email protected]>,
Jan Kara <[email protected]>,
[email protected], [email protected],
[email protected], Jens Axboe <[email protected]>,
Linus Torvalds <[email protected]>,
[email protected]
Subject: Re: [PATCH 2/2] vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)
Date: Wed, 03 Jul 2024 18:07:29 +0800
Message-ID: <[email protected]>
In-Reply-To: <CAAhV-H73GpnD4hTGXDdWYBmo+Hs=088tSaVum69=4UyhZoKtOw@mail.gmail.com>
On Wed, 2024-07-03 at 17:35 +0800, Huacai Chen wrote:
> Hi, Christian,
>
> On Wed, Jul 3, 2024 at 4:46 PM Christian Brauner <[email protected]> wrote:
> >
> > On Tue, Jul 02, 2024 at 07:06:53PM GMT, Arnd Bergmann wrote:
> > > On Tue, Jul 2, 2024, at 17:36, Huacai Chen wrote:
> > > > On Mon, Jul 1, 2024 at 7:59 PM Arnd Bergmann <[email protected]> wrote:
> > > > > On Sun, Jun 30, 2024, at 04:39, Xi Ruoyao wrote:
> > > > > > On Sun, 2024-06-30 at 09:40 +0800, Huacai Chen wrote:
> > > > > > > >
> > > > > > > > Yes, both Linus and Christian hate introducing a new AT_ flag for
> > > > > > > > this.
> > > > > > > >
> > > > > > > > This patch just makes statx(fd, NULL, AT_EMPTY_PATH, ...) behave
> > > > > > > > like statx(fd, "", AT_EMPTY_PATH, ...) instead. NULL avoids the
> > > > > > > > performance issue and it's also audit-able by seccomp BPF.
> > > > > > > To be honest, I still want to restore __ARCH_WANT_NEW_STAT. Because
> > > > > > > even if statx() becomes audit-able, it is still blacklisted now.
> > > > > >
> > > > > > Then patch the sandbox to allow it.
> > > > > >
> > > > > > The sandbox **must** be patched anyway or it'll be broken on all 32-bit
> > > > > > systems after 2037. [Unless they'll unsupport all 32-bit systems before
> > > > > > 2037.]
> > > > >
> > > > > More importantly, the sandbox won't be able to support any 32-bit
> > > > > targets that support running after 2037, regardless of how long
> > > > > the sandbox supports them: if you turn off COMPAT_32BIT_TIME today
> > > > > in order to be sure those don't get called by accident, the
> > > > > fallback is immediately broken.
> > > > Would you mind if I restore newstat for LoongArch64 even if this patch exists?
> > >
> > > I still prefer not to add newstat back: it's easier to
> > > get applications to correctly implement the statx() code
> > > path if there are more architectures that only have that.
> >
> > I agree.
> >
> > We've now added AT_EMPTY_PATH support with NULL names because we want to
> > allow that generically. But I clearly remember that this was requested
> > to make statx() work with these sandboxes. So the kernel has done its
> > part. Now it's for the sandbox to allow statx() with NULL paths and
> > AT_EMPTY_PATH but certainly not for the kernel to start reenabling old
> > system calls.
> Linux distributions don't use latest applications, so they still need
> an out-of-tree kernel patch to restore newstat. Of course they can
> also patch their applications, but patching the kernel is
> significantly easier.
>
> So in my opinion LoongArch has completed its task to drive statx()
> improvement
It'll only be finished once the apps are adapted, or they'll stop working
after 2037 anyway.

I've informed Firefox at
https://bugzilla.mozilla.org/show_bug.cgi?id=1673771. For Google
products I guess someone else will have to do it (I'm really unfamiliar
with their things, and they often block my proxy server even though I've
never used the proxy to attack them).
> now restoring newstat is a double-insurance for compatibility.
It may also introduce incompatibility: consider a seccomp sandbox which
does not handle fstat on LoongArch because __NR_fstat is not defined in
the UAPI header. Now if the kernel is updated to provide fstat, the sandbox
will be broken: a blocklist sandbox will fail to block fstat and leave a
security hole; a whitelist sandbox will fail to allow fstat and blow up
the app if some runtime library is updated to "take advantage" of
fstat.

My preference (most preferable to least preferable):

1. Not to add them back at all. Just let the downstream patch the
kernel if they must support a broken userspace.
2. Add them back with a configurable option (depending on CONFIG_EXPERT:
the distros are already enabling this anyway), and document them
clearly as only intended to support a broken userspace and removable in
the future.
3. Add it back only for 64-bit. Add a #if **now** for ruling it out for
32-bit even though we don't have 32-bit support, to make it clear we'll not
flatter broken userspace anymore when we make the 32-bit port.
<rant>4. Remove seccomp. Personally I really wish to put this on the
top.</rant>
BTW has anyone tried to use Landlock for those browser sandboxes
instead?
--
Xi Ruoyao <[email protected]>
School of Aerospace Science and Technology, Xidian University
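The application-side adaptation this thread argues for, as an added example that is not from the patch series or any reply: try the NULL path first, which a seccomp BPF filter can audit because it sees a literal 0 in the path argument rather than a pointer it cannot dereference, and fall back to the "" form on kernels that predate the patch. It assumes Linux with glibc 2.28+ headers, and that a pre-patch kernel answers the NULL path with EFAULT (an assumption, labelled in the code).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* statx() on an open fd, NULL-path form first: a seccomp BPF filter can
 * check args[1] == 0 and AT_EMPTY_PATH in args[2], but cannot dereference a
 * pointer to confirm the path is "". A kernel without NULL support rejects
 * the NULL path (assumed to be EFAULT, as for any unreadable user pointer);
 * we then fall back to "". Returns 0 or -1 (errno set); *used_null says
 * which form the kernel accepted.
 */
int fstatx_empty_path(int fd, struct statx *stx, int *used_null)
{
    /* Raw syscall so libc cannot rewrite the arguments the filter sees. */
    long r = syscall(SYS_statx, fd, (const char *)NULL, AT_EMPTY_PATH,
                     STATX_BASIC_STATS, stx);
    if (r == 0) {
        if (used_null) *used_null = 1;
        return 0;
    }
    if (errno != EFAULT)
        return -1;          /* EBADF, or EPERM from a filter: no fallback */
    r = syscall(SYS_statx, fd, "", AT_EMPTY_PATH, STATX_BASIC_STATS, stx);
    if (used_null) *used_null = 0;
    return r == 0 ? 0 : -1;
}

/* 1 if fd refers to a directory, 0 if not, -1 on error (errno set). */
int fd_is_directory(int fd)
{
    struct statx stx;
    if (fstatx_empty_path(fd, &stx, NULL) != 0)
        return -1;
    return S_ISDIR(stx.stx_mode) ? 1 : 0;
}

int main(void)
{
    struct statx stx;
    int used_null = -1, fd = open("/", O_RDONLY | O_DIRECTORY);
    if (fd < 0 || fstatx_empty_path(fd, &stx, &used_null) != 0) {
        perror("statx"); return 1;
    }
    printf("/: dir=%d, %s form accepted\n", S_ISDIR(stx.stx_mode) != 0,
           used_null ? "NULL" : "\"\"");
    return 0;
}
```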