From: Stephen Smalley <sds@tycho.nsa.gov>
To: Jamie Lokier <jamie@shareable.org>
Cc: Theodore Tso <tytso@mit.edu>,
Chris Mason <chris.mason@oracle.com>,
James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Wed, 06 May 2009 07:25:10 -0400 [thread overview]
Message-ID: <1241609110.27629.2.camel@localhost.localdomain> (raw)
In-Reply-To: <20090505224552.GH7574@shareable.org>
On Tue, 2009-05-05 at 23:45 +0100, Jamie Lokier wrote:
> Stephen Smalley wrote:
> > Not arguing against this, but just to note: the security model will
> > differ depending on these flags, as the link-like case doesn't require
> > the caller to have read access to the file (the data is no more
> > accessible than it was before)
>
> One security difference between reflink() and link() when linking to
> _other_ user's files is they can tell if you suddenly got a link to
> their file, from their i_nlink. They can be suspicious and maybe
> overwrite the file in place, truncate it or something, and look around
> for the link you created in a secret place in your /home.
>
> But they can't see if you got a reflink to their file.
>
> Even though you can't read the file if you couldn't read it before,
> you now have a link to it which might preserve data they don't want to
> be preserved.
>
> So reflink() should, perhaps, be more restricted than link().
That's why I suggested is_ower_or_cap() or a similar test in the case
where reflink(2) is applied to an inode owned by a user other than the
caller's fsuid.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2009-05-06 11:25 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley [this message]
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1241609110.27629.2.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=chris.mason@oracle.com \
--cc=jamie@shareable.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.