Re: [Patch 04/18] include/linux/logfs.h

[David Woodhouse]

On Tue, 2007-06-05 at 20:49 +0200, Segher Boessenkool wrote:
  It would be better if GCC had a 'nopadding' attribute which gave us
  what we need without the _extra_ implications about alignment.
 
  That's impossible; removing the padding from a struct
  _will_ make accesses to its members unaligned (think
  about arrays of that struct).
 
  It _might_ make accesses to _some_ of its members unaligned.
 
 It _will_ make accesses to _at least one_ of the members
 unaligned, in the second array element.

It _might_, but not necessarily.

Won't a simple struct { uint16_t } get padded to a size of 4 bytes on
ARM? Even if I'm misremembering that, I certainly can't guarantee that
such a thing will _never_ happen on any newly-invented ABI. If you had
'nopadding' instead of 'packed', then there's no need to emit code to
handle unaligned loads.

Likewise, with a struct which looks like this: 
   { uint32_t, uint16_t, uint16_t, uint32_t, uint32_t }
I cannot _guarantee_ that there will never be an architecture on which
we'll end up using 32 bits of space for each uint16_t. I might _guess_
that and hope, but that's precisely the kind of moronic empirical
behaviour which caused Linux to have so many problems with newer
compilers in the past. If it isn't _guaranteed_ then I shouldn't be
assuming it.

Thus, I want a way to tell the compiler not to insert _any_ padding. But
without the compiler making extra inferences about the whole thing being
found at arbitrary alignments.

And if I had something like this (which is admittedly contrived, but
hardware people _do_ do stupid things to us):
   { uint32_t, uint8_t, uint16_t, uint8_t, uint32_t, uint32_t }

With the 'packed' attribute the compiler would assume arbitrary
alignment of all the 32-bit integers. But in reality it's only necessary
for the uint16_t in the middle. A 'nopadding' attribute would deal with
that correctly.

-- 
dwmw2

-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] CIFS: make cifsd (more) signal-safe

[Christoph Hellwig]

On Tue, Jun 05, 2007 at 03:23:40PM -0400, Jeff Layton wrote:
 I recently sent a similar, smaller patch for this problem. After some
 discussion with Steve and Shaggy, I think I better understand why cifsd
 allows signals through, and I realize that my earlier patch wasn't
 comprehensive enough
 
 The mount and unmount calls will send a KILL signal to cifsd to wake it
 up if it happens to be blocked in kernel_recvmsg. The problem is that
 it doesn't distinguish between legitimate signals sent for this
 reason and spurious signals sent by a userspace process (for instance).
 While this is definitely a don't do that sort of situation, we might
 as well try to have cifsd be as signal-safe as possible.
 
 The following patch does this by making sure that we set tcpStatus to
 CifsExiting before sending cifsd a signal, and having cifsd check for
 that when it sees that it's been signalled. If the tcpStatus is not set
 correctly, it ignores it, flushes signals and moves on.
 
 I've tested a similar backported version of this on an earlier kernel,
 but have not tested this particular patch as of yet.

The right way to fix this is to stop sending signals at all and have
a kernel-internal way to get out of kernel_recvmsg.  Uses of signals by
kernel thread generally are bugs.

-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Patch 04/18] include/linux/logfs.h

[Andreas Schwab]

David Woodhouse [EMAIL PROTECTED] writes:

 Won't a simple struct { uint16_t } get padded to a size of 4 bytes on
 ARM? Even if I'm misremembering that, I certainly can't guarantee that
 such a thing will _never_ happen on any newly-invented ABI. If you had
 'nopadding' instead of 'packed', then there's no need to emit code to
 handle unaligned loads.

You can add aligned(N) to increase the alignment again.

Andreas.

-- 
Andreas Schwab, SuSE Labs, [EMAIL PROTECTED]
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
And now for something completely different.
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Patch 05/18] fs/logfs/logfs.h

[Jörn Engel]

On Wed, 6 June 2007 12:29:13 +0100, Paulo Marques wrote:
 Jörn Engel wrote:
 --- /dev/null2007-03-13 19:15:28.862769062 +0100
 +++ linux-2.6.21logfs/fs/logfs/logfs.h   2007-06-03 
 19:34:07.0 +0200
 @@ -0,0 +1,398 @@
 +/*
 + * fs/logfs/logfs.h
 + *
 + * As should be obvious for Linux kernel code, license is GPLv2
 + *
 + * Copyright (c) 2005-2007 Joern Engel
 + *
 + * Private header for logfs.
 + */
 +#ifndef fs_logfs_logfs_h
 +#define fs_logfs_logfs_h
 +
 +#define __CHECK_ENDIAN__
 +
 +
 +#include linux/crc32.h
 +#include linux/fs.h
 +#include linux/kallsyms.h
 
 Including kallsyms.h is not really needed in this header file, is it?

Another piece of historic cruft to remove.  Thanks for spotting.

Jörn

-- 
Joern's library part 5:
http://www.faqs.org/faqs/compression-faq/part2/section-9.html
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Patch 05/18] fs/logfs/logfs.h

[Paulo Marques]

Jörn Engel wrote:

--- /dev/null   2007-03-13 19:15:28.862769062 +0100
+++ linux-2.6.21logfs/fs/logfs/logfs.h  2007-06-03 19:34:07.0 +0200
@@ -0,0 +1,398 @@
+/*
+ * fs/logfs/logfs.h
+ *
+ * As should be obvious for Linux kernel code, license is GPLv2
+ *
+ * Copyright (c) 2005-2007 Joern Engel
+ *
+ * Private header for logfs.
+ */
+#ifndef fs_logfs_logfs_h
+#define fs_logfs_logfs_h
+
+#define __CHECK_ENDIAN__
+
+
+#include linux/crc32.h
+#include linux/fs.h
+#include linux/kallsyms.h


Including kallsyms.h is not really needed in this header file, is it?

I don't have time / knowledge to review the rest of the code, but I 
always keep an eye out for kallsyms usage...


--
Paulo Marques - www.grupopie.com

Very funny Scotty. Now beam up my clothes.
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [Patch 04/18] include/linux/logfs.h

[Arnd Bergmann]

On Wednesday 06 June 2007, David Woodhouse wrote:
 And if I had something like this (which is admittedly contrived, but
 hardware people _do_ do stupid things to us):
    { uint32_t, uint8_t, uint16_t, uint8_t, uint32_t, uint32_t }
 
 With the 'packed' attribute the compiler would assume arbitrary
 alignment of all the 32-bit integers. But in reality it's only necessary
 for the uint16_t in the middle. A 'nopadding' attribute would deal with
 that correctly.

I would argue that a newly invented 'nopadding' attribute should reject
such a structure as invalid, because it should not let members be
unaligned. Unfortunately, this also gets tricky if you consider

struct {
uint32_t a;
uint64_t b;
uint32_t c;
};

which does have an unaligned member by default in i386, but not on
any modern platform.

Arnd 
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [AppArmor 38/45] AppArmor: Module and LSM hooks

[Stephen Smalley]

On Mon, 2007-06-04 at 16:30 +0200, Andreas Gruenbacher wrote:
 On Monday 04 June 2007 15:12, Pavel Machek wrote:
  How will kernel work with very long paths? I'd suspect some problems,
  if path is 1MB long and I attempt to print it in /proc
  somewhere.
 
 Pathnames are only used for informational purposes in the kernel, except in 
 AppArmor of course.

I don't mean this as a flame, but isn't the above statement the very
crux of this discussion?  Why should AppArmor be different from the rest
of the kernel in its usage of pathnames (basis for decisions vs.
informational reporting to userspace)?  And if it is ok for AppArmor to
generate and use pathnames as its basis of decisions on each open, then
is it also ok for audit, inotify, and others to use them in the same
manner?  If the audit developers or inotify developers had come with
patches that used d_path or equivalent in the same manner as AppArmor,
don't you think they would have gotten the same resistance?  And if you
are truly trying to create a mechanism (in AppArmor) that you can
ultimately apply widely to the system (going beyond AppArmor's original
limited focus on a small set of network-facing daemons), aren't you
concerned about the implications of having to generate a pathname on
each open just to decide what to do?  Is this really the path you want
to take ;)?

Another question:  it seems like the read-only bind mount folks gave up
on propagating the vfsmounts down and switched to a rather different
approach (checking near the entry points, using mount writer counters).
So similarly, what makes AppArmor fundamentally different that it
wouldn't take a similar approach to what they are doing vs. propagating
the vfsmounts down?  Or do you think they made the wrong choice?  If so,
why?

Just trying to understand your position better...

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

[Stephen Smalley]

On Mon, 2007-06-04 at 23:03 +0200, Andreas Gruenbacher wrote:
 On Tuesday 15 May 2007 11:20, Pavel Machek wrote:
  Hi!
  
   Pathname matching, transition table loading, profile loading and
   manipulation.
  
  So we get small interpretter of state machines, and reason we need is
  is 'apparmor is misdesigned and works with paths when it should have
  worked with handles'.
 
 I assume you mean labels instead of handles.
 
 AppArmor's design is around paths not labels, and independent of whether or 
 not you like AppArmor, this design leads to a useful security model distinct 
 from the SELinux security model (which is useful in its own ways). The 
 differences between those models cannot be argued away, neither is a subset 
 of the other, and neither is a misdesign. I would be thankful if you could 
 stop spreading this lie.

I have a hard time distinguishing AppArmor's model from its
implementation; every time we suggest that one might emulate much of
AppArmor's functionality on SELinux (as in SEEdit), someone points to a
specific characteristic of the AppArmor implementation that cannot be
emulated in this manner.  But is that implementation characteristic an
actual requirement or just how it happens to have been done to date in
AA?  And I get the impression that even if we extended SELinux in
certain ways to ease such emulation, the AA folks would never be
satisfied because the implementation would still differ.  Can we
separate the desired functionality and actual requirements from the
implementation specifics?

  If you solve the 'new file problem', aa becomes subset of selinux.
  And I'm pretty sure patch will be nicer than this. 
 
 You are quite mistaken. SELinux turns pathnames into labels when it initially 
 labels all files (when a policy is rolled out), whereas AppArmor computes 
 the label of each file when a file is opened. The two models start to 
 diverge as soon as files are renamed: in SELinux, labels stick with the 
 files. In AppArmor, labels stick with the names.

I'd argue a bit with that characterization, given that:
- in the case of SELinux, the pathname is never used as a basis for
decisions by the kernel,
- under AA, each file may have an arbitrary set of labels or
policies applied to it depending on what programs are accessing it and
what names are being used to reference it - there is no system view of
the subjects and objects and thus no way to identify the overall system
policy for a given file.
- names are far less tranquil than labels.
 
 So what you advocate for is a hybrid between the SELinux and the AppArmor 
 model, not a superset.
 
 It could be that the SELinux folks will solve the issues they are having with 
 new files using something better than restorecond in the future, perhaps even 
 an in-kernel mechanism (although I somewhat doubt it). But then again, their 
 basic model makes sense even without any live file relabeling, and so that's 
 probably not very high up on the priority list.

Live file relabeling (non-tranquility) tends to break one's ability to
show anything about preservation of confidentiality or integrity
(particularly in the absence of complete revocation support).

On the new files issue, it wouldn't be difficult or even a real
divergence from our existing model to introduce the component name (not
a full pathname, but the last component) as an additional input to the
decision for labeling new files (along with the existing use of the
creating process' label, the parent directory label, and the kind of new
file) at creation time, and that would reduce the need somewhat to
modify some applications that create files of multiple security contexts
in the same directory.  That would further help the SEEdit folks in
emulating AA on top of SELinux, but as before, I don't get the
impression that the AA folks will ever be satisfied with such an
emulation, not because of any real requirement but merely because they
are tied to their implementation specifics.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC] obsoleting /etc/mtab

[Ian Kent]

On Thu, 2007-05-31 at 18:29 +0200, Miklos Szeredi wrote:
 I started working on adding support for unprivileged mounts[1] to
 util-linux.
 
 The big obstacle seems to be the reliance on /etc/mtab, since that
 won't be kept up-to-date after mount(2) or umount(2) calls by
 unprivileged users.

snip ...

 Can someone think of any other problem with getting rid of /etc/mtab?

This presents a couple of problems for autofs, version 5.

First, autofs will function if /etc/mtab is a symlink to /proc/mounts
(or better if we could mount /proc/mounts as the file /etc/mtab). 

There are however two problems, first for people that have a large
number of mounts, particularly direct mounts, the listing of mounts
would be terrible. An implementation of automount on an old version of
AIX did this and it was just about impossible to tell what mounts where
present besides the autofs internal mounts. Solaris uses a mount option,
hide or hidden or something which prevents them from being listed
and that works fine. We would need to do something like that in all the
utilities that read /etc/mtab.

The second, and also maybe not such a big issue, is that if there are
many autofs entries to read through this has the potential to kill
autofs performance for mounting, expiring and checking if something is
mounted, whether the entries have a hidden flag or not utilities will
still need to read through all the entries. The same performance issue
applies for all the utilities that read the mount table. I'd expect a
typical small to medium site that makes wide use of direct mounts to
have between 500 and 1000 entries in their maps, and so 500 - 1000
autofs direct mount triggers, similar to Solaris. Also, people that have
large filers with many exports will have many internal autofs mounts if
using the commonly used hosts map, we use a different implementation
for this than Solaris so there are less internal autofs mounts than in
Solaris, but still many.

Ideas?

Ian


-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] unionfs section mismatch

[Randy Dunlap]

From: Randy Dunlap [EMAIL PROTECTED]

Fix section marker in header file:

WARNING: fs/unionfs/unionfs.o(.init.text+0x56): Section mismatch: reference to 
.exit.text:stop_sioq (between 'init_module' and 'init_sioq')

Signed-off-by: Randy Dunlap [EMAIL PROTECTED]
---
 fs/unionfs/sioq.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.22-rc4-mm1.orig/fs/unionfs/sioq.h
+++ linux-2.6.22-rc4-mm1/fs/unionfs/sioq.h
@@ -76,7 +76,7 @@ struct sioq_args {
 
 /* Extern definitions for SIOQ functions */
 extern int __init init_sioq(void);
-extern __exit void stop_sioq(void);
+extern void stop_sioq(void);
 extern void run_sioq(work_func_t func, struct sioq_args *args);
 
 /* Extern definitions for our privilege escalation helpers */
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] unionfs section mismatch

[Josef Sipek]

On Wed, Jun 06, 2007 at 02:51:02PM -0700, Randy Dunlap wrote:
 From: Randy Dunlap [EMAIL PROTECTED]
 
Applied.

Thanks.

Josef Jeff Sipek.

-- 
Don't drink and derive. Alcohol and algebra don't mix.
-
To unsubscribe from this list: send the line unsubscribe linux-fsdevel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html