xref: /linux-6.15/Documentation/core-api/watch_queue.rst (revision f5461124)

==============================
General notification mechanism
==============================

The general notification mechanism is built on top of the standard pipe driver
whereby it effectively splices notification messages from the kernel into pipes
opened by userspace.  This can be used in conjunction with::

  * Key/keyring notifications


The notifications buffers can be enabled by:

	"General setup"/"General notification queue"
	(CONFIG_WATCH_QUEUE)

This document has the following sections:

.. contents:: :local:


Overview
========

This facility appears as a pipe that is opened in a special mode.  The pipe's
internal ring buffer is used to hold messages that are generated by the kernel.
These messages are then read out by read().  Splice and similar are disabled on
such pipes due to them wanting to, under some circumstances, revert their
additions to the ring - which might end up interleaved with notification
messages.

The owner of the pipe has to tell the kernel which sources it would like to
watch through that pipe.  Only sources that have been connected to a pipe will
insert messages into it.  Note that a source may be bound to multiple pipes and
insert messages into all of them simultaneously.

Filters may also be emplaced on a pipe so that certain source types and
subevents can be ignored if they're not of interest.

A message will be discarded if there isn't a slot available in the ring or if
no preallocated message buffer is available.  In both of these cases, read()
will insert a WATCH_META_LOSS_NOTIFICATION message into the output buffer after
the last message currently in the buffer has been read.

Note that when producing a notification, the kernel does not wait for the
consumers to collect it, but rather just continues on.  This means that
notifications can be generated whilst spinlocks are held and also protects the
kernel from being held up indefinitely by a userspace malfunction.


Message Structure
=================

Notification messages begin with a short header::

	struct watch_notification {
		__u32	type:24;
		__u32	subtype:8;
		__u32	info;
	};

"type" indicates the source of the notification record and "subtype" indicates
the type of record from that source (see the Watch Sources section below).  The
type may also be "WATCH_TYPE_META".  This is a special record type generated
internally by the watch queue itself.  There are two subtypes:

  * WATCH_META_REMOVAL_NOTIFICATION
  * WATCH_META_LOSS_NOTIFICATION

The first indicates that an object on which a watch was installed was removed
or destroyed and the second indicates that some messages have been lost.

"info" indicates a bunch of things, including:

  * The length of the message in bytes, including the header (mask with
    WATCH_INFO_LENGTH and shift by WATCH_INFO_LENGTH__SHIFT).  This indicates
    the size of the record, which may be between 8 and 127 bytes.

  * The watch ID (mask with WATCH_INFO_ID and shift by WATCH_INFO_ID__SHIFT).
    This indicates that caller's ID of the watch, which may be between 0
    and 255.  Multiple watches may share a queue, and this provides a means to
    distinguish them.

  * A type-specific field (WATCH_INFO_TYPE_INFO).  This is set by the
    notification producer to indicate some meaning specific to the type and
    subtype.

Everything in info apart from the length can be used for filtering.

The header can be followed by supplementary information.  The format of this is
at the discretion is defined by the type and subtype.


Watch List (Notification Source) API
====================================

A "watch list" is a list of watchers that are subscribed to a source of
notifications.  A list may be attached to an object (say a key or a superblock)
or may be global (say for device events).  From a userspace perspective, a
non-global watch list is typically referred to by reference to the object it
belongs to (such as using KEYCTL_NOTIFY and giving it a key serial number to
watch that specific key).

To manage a watch list, the following functions are provided:

  * ::

	void init_watch_list(struct watch_list *wlist,
			     void (*release_watch)(struct watch *wlist));

    Initialise a watch list.  If ``release_watch`` is not NULL, then this
    indicates a function that should be called when the watch_list object is
    destroyed to discard any references the watch list holds on the watched
    object.

  * ``void remove_watch_list(struct watch_list *wlist);``

    This removes all of the watches subscribed to a watch_list and frees them
    and then destroys the watch_list object itself.


Watch Queue (Notification Output) API
=====================================

A "watch queue" is the buffer allocated by an application that notification
records will be written into.  The workings of this are hidden entirely inside
of the pipe device driver, but it is necessary to gain a reference to it to set
a watch.  These can be managed with:

  * ``struct watch_queue *get_watch_queue(int fd);``

    Since watch queues are indicated to the kernel by the fd of the pipe that
    implements the buffer, userspace must hand that fd through a system call.
    This can be used to look up an opaque pointer to the watch queue from the
    system call.

  * ``void put_watch_queue(struct watch_queue *wqueue);``

    This discards the reference obtained from ``get_watch_queue()``.


Watch Subscription API
======================

A "watch" is a subscription on a watch list, indicating the watch queue, and
thus the buffer, into which notification records should be written.  The watch
queue object may also carry filtering rules for that object, as set by
userspace.  Some parts of the watch struct can be set by the driver::

	struct watch {
		union {
			u32		info_id;	/* ID to be OR'd in to info field */
			...
		};
		void			*private;	/* Private data for the watched object */
		u64			id;		/* Internal identifier */
		...
	};

The ``info_id`` value should be an 8-bit number obtained from userspace and
shifted by WATCH_INFO_ID__SHIFT.  This is OR'd into the WATCH_INFO_ID field of
struct watch_notification::info when and if the notification is written into
the associated watch queue buffer.

The ``private`` field is the driver's data associated with the watch_list and
is cleaned up by the ``watch_list::release_watch()`` method.

The ``id`` field is the source's ID.  Notifications that are posted with a
different ID are ignored.

The following functions are provided to manage watches:

  * ``void init_watch(struct watch *watch, struct watch_queue *wqueue);``

    Initialise a watch object, setting its pointer to the watch queue, using
    appropriate barriering to avoid lockdep complaints.

  * ``int add_watch_to_object(struct watch *watch, struct watch_list *wlist);``

    Subscribe a watch to a watch list (notification source).  The
    driver-settable fields in the watch struct must have been set before this
    is called.

  * ::

	int remove_watch_from_object(struct watch_list *wlist,
				     struct watch_queue *wqueue,
				     u64 id, false);

    Remove a watch from a watch list, where the watch must match the specified
    watch queue (``wqueue``) and object identifier (``id``).  A notification
    (``WATCH_META_REMOVAL_NOTIFICATION``) is sent to the watch queue to
    indicate that the watch got removed.

  * ``int remove_watch_from_object(struct watch_list *wlist, NULL, 0, true);``

    Remove all the watches from a watch list.  It is expected that this will be
    called preparatory to destruction and that the watch list will be
    inaccessible to new watches by this point.  A notification
    (``WATCH_META_REMOVAL_NOTIFICATION``) is sent to the watch queue of each
    subscribed watch to indicate that the watch got removed.


Notification Posting API
========================

To post a notification to watch list so that the subscribed watches can see it,
the following function should be used::

	void post_watch_notification(struct watch_list *wlist,
				     struct watch_notification *n,
				     const struct cred *cred,
				     u64 id);

The notification should be preformatted and a pointer to the header (``n``)
should be passed in.  The notification may be larger than this and the size in
units of buffer slots is noted in ``n->info & WATCH_INFO_LENGTH``.

The ``cred`` struct indicates the credentials of the source (subject) and is
passed to the LSMs, such as SELinux, to allow or suppress the recording of the
note in each individual queue according to the credentials of that queue
(object).

The ``id`` is the ID of the source object (such as the serial number on a key).
Only watches that have the same ID set in them will see this notification.


Watch Sources
=============

Any particular buffer can be fed from multiple sources.  Sources include:

  * WATCH_TYPE_KEY_NOTIFY

    Notifications of this type indicate changes to keys and keyrings, including
    the changes of keyring contents or the attributes of keys.

    See Documentation/security/keys/core.rst for more information.


Event Filtering
===============

Once a watch queue has been created, a set of filters can be applied to limit
the events that are received using::

	struct watch_notification_filter filter = {
		...
	};
	ioctl(fd, IOC_WATCH_QUEUE_SET_FILTER, &filter)

The filter description is a variable of type::

	struct watch_notification_filter {
		__u32	nr_filters;
		__u32	__reserved;
		struct watch_notification_type_filter filters[];
	};

Where "nr_filters" is the number of filters in filters[] and "__reserved"
should be 0.  The "filters" array has elements of the following type::

	struct watch_notification_type_filter {
		__u32	type;
		__u32	info_filter;
		__u32	info_mask;
		__u32	subtype_filter[8];
	};

Where:

  * ``type`` is the event type to filter for and should be something like
    "WATCH_TYPE_KEY_NOTIFY"

  * ``info_filter`` and ``info_mask`` act as a filter on the info field of the
    notification record.  The notification is only written into the buffer if::

	(watch.info & info_mask) == info_filter

    This could be used, for example, to ignore events that are not exactly on
    the watched point in a mount tree.

  * ``subtype_filter`` is a bitmask indicating the subtypes that are of
    interest.  Bit 0 of subtype_filter[0] corresponds to subtype 0, bit 1 to
    subtype 1, and so on.

If the argument to the ioctl() is NULL, then the filters will be removed and
all events from the watched sources will come through.


Userspace Code Example
======================

A buffer is created with something like the following::

	pipe2(fds, O_TMPFILE);
	ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, 256);

It can then be set to receive keyring change notifications::

	keyctl(KEYCTL_WATCH_KEY, KEY_SPEC_SESSION_KEYRING, fds[1], 0x01);

The notifications can then be consumed by something like the following::

	static void consumer(int rfd, struct watch_queue_buffer *buf)
	{
		unsigned char buffer[128];
		ssize_t buf_len;

		while (buf_len = read(rfd, buffer, sizeof(buffer)),
		       buf_len > 0
		       ) {
			void *p = buffer;
			void *end = buffer + buf_len;
			while (p < end) {
				union {
					struct watch_notification n;
					unsigned char buf1[128];
				} n;
				size_t largest, len;

				largest = end - p;
				if (largest > 128)
					largest = 128;
				memcpy(&n, p, largest);

				len = (n->info & WATCH_INFO_LENGTH) >>
					WATCH_INFO_LENGTH__SHIFT;
				if (len == 0 || len > largest)
					return;

				switch (n.n.type) {
				case WATCH_TYPE_META:
					got_meta(&n.n);
				case WATCH_TYPE_KEY_NOTIFY:
					saw_key_change(&n.n);
					break;
				}

				p += len;
			}
		}
	}