Re: [PATCH v3 0/2] quota: Add mountpath based quota support

From: Jan Kara
Date: Mon May 17 2021 - 08:50:33 EST


On Wed 12-05-21 17:36:21, Christian Brauner wrote:
> On Wed, May 12, 2021 at 03:14:29PM +0200, Jan Kara wrote:
> > On Wed 12-05-21 14:53:10, Christian Brauner wrote:
> > > On Wed, May 12, 2021 at 01:01:49PM +0200, Jan Kara wrote:
> > > > Added a few more CCs.
> > > >
> > > > On Tue 16-03-21 12:29:16, Jan Kara wrote:
> > > > > On Thu 04-03-21 13:35:38, Sascha Hauer wrote:
> > > > > > Current quotactl syscall uses a path to a block device to specify the
> > > > > > filesystem to work on which makes it unsuitable for filesystems that
> > > > > > do not have a block device. This series adds a new syscall quotactl_path()
> > > > > > which replaces the path to the block device with a mountpath, but otherwise
> > > > > > behaves like original quotactl.
> > > > > >
> > > > > > This is done to add quota support to UBIFS. UBIFS quota support has been
> > > > > > posted several times with different approaches to put the mountpath into
> > > > > > the existing quotactl() syscall until it has been suggested to make it a
> > > > > > new syscall instead, so here it is.
> > > > > >
> > > > > > I'm not posting the full UBIFS quota series here as it remains unchanged
> > > > > > and I'd like to get feedback to the new syscall first. For those interested
> > > > > > the most recent series can be found here: https://lwn.net/Articles/810463/
> > > > >
> > > > > Thanks. I've merged the two patches into my tree and will push them to
> > > > > Linus for the next merge window.
> > > >
> > > > So there are some people at LWN whining that quotactl_path() has no dirfd
> > > > and flags arguments for specifying the target. Somewhat late in the game
> > > > but since there's no major release with the syscall and no userspace using
> > > > it, I think we could still change that. What do you think? What they
> > > > suggest does make some sense. But then, rather then supporting API for
> > > > million-and-one ways in which I may wish to lookup a fs object, won't it be
> > > > better to just pass 'fd' in the new syscall (it may well be just O_PATH fd
> > > > AFAICT) and be done with that?
> > >
> > > I think adding a dirfd argument makes a lot of sense (Unless there are
> > > some restrictions around quotas I'm misunderstanding.).
> > >
> > > If I may: in general, I think we should aim to not add additional system
> > > calls that operate on paths only. Purely path-based apis tend to be the
> > > source of security issues especially when scoped lookups are really
> > > important which given the ubiquity of sandboxing solutions nowadays is
> > > quite often actually.
> > > For example, when openat2() landed it gave such a boost in lookup
> > > capabilities that I switched some libraries over to only ever do scoped
> > > lookups, i.e. I decide on a starting point that gets opened path-based
> > > and then explicitly express how I want that lookup to proceed ultimately
> > > opening the final path component on which I want to perform operations.
> > > Combined with the mount API almost everything can be done purely fd
> > > based.
> > >
> > > In addition to that dirfd-scopable system calls allow for a much nicer
> > > api experience when programming in userspace.
> >
> > OK, thanks for your insights. But when we add 'dirfd' I wonder whether we
> > still need the 'path' component then. I mean you can always do fd =
> > openat2(), quotactl_fd(fd, ...). After all ioctl() works exactly that way
> > since the beginning. The only advantage of quotactl_xxx() taking path would
> > be saving the open(2) call. That is somewhat convenient for simple cases
> > (but also error prone in complex setups as you point out) and can be also
> > sligthly faster (but quotactl is hardly a performance sensitive thing)...
>
> That's a bit tricky indeed. It would feel consistent to add a path
> argument as most of our fs apis seems to work that way even stuff like
> fanotify_mark() but indeed a fd-only based api would be fine too. I
> would try to follow recent additions/prior art here, I think.

Thanks for opinion Christian. Sasha, I've decided to disable the syscall
for now (I plan to push attached patch to Linus later this week). Will you
please update the syscall to just take 'fd' argument instead of the path to
leave dealing with path pitfalls to syscalls such as openat2()? Probably
renaming to quotactl_fd() would be also good. Thanks!

Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR