
Notes from the "mount" unconference session at the 2014 Kernel Summit

Thanks to Paul McKenney for providing these notes.

o	Mount based on file descriptor.  Generated from openfs()
	or some such.  Ted: Want mount(), remount(), bind(), as separate
	things.

	Have a mountf() for mounting an openfs()ed filesystem.

	Al: Ouch.

	Andy: Want to distinguish between this mount is read-only
	and the underlying device will no longer be written to.

	Al: Three piles of garbage, not two.  Need to take care about
	userids and such.  Some of the per-superblock flags are not
	entirely private to a given filesystem, some are visible
	to the VFS layer.

	Al: First syscall to start mounting could establish an open
	descriptor.  But the descriptor would not be a root directory,
	but rather a channel for talking to a filesystem driver.  Then
	you can feed the parameters to the filesystem driver as needed,
	rather than dumping them into the open() system call.

	Al: If you want horrors, look at ncpfs (sp?).  This illustrates
	why just getting the root directory is wrong.  Root directory
	is initially empty, after some operations it suddenly has
	files in it.

	Al: Given that the syscalls are often followed by one another,
	why have them separated?

	Al: If we are going to have this FD, then we should keep the
	FD around for the duration.  Closing it would get rid of
	everything.  Use FD to talk to filesystem driver throughout.
	Don't need a process to hang around.

	Al: Note that unmount operates purely on the namespace.  You
	might still have open files on the unmounted filesystem, so
	the filesystem is still around.

	Some discussion about getting the FD given a mounted filesystem.
	Interaction between FD and shutdown.

	Al: But if FD is around, someone might remount filesystem.
	So some hair if using FD to wait for all files from the
	filesystem to be closed.

	Mount over symlinks?

	Al: Need to be careful here.  Last I looked, this would be
	extremely painful.  Easier to hide a directory with a symlink
	than vice versa.

	Discussion of an openat() and security holes.

	Ted: Can pass a directory FD across a UNIX-domain socket and
	then do openat(), so security issue already exists.  More
	fun with mountat().

	Al: Completely insane, greatly increases attack surface.

	Ted: FS fuzzers giving bugs are first-class bugs.  But cloud
	sysadmins might not like the attack surface.

	Serge: Use fuse to mediate security.




Copyright © 2014, Eklektix, Inc.