From: Casey Schaufler <casey@schaufler-ca.com>
To: Theodore Tso <tytso@mit.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Chris Mason <chris.mason@oracle.com>,
James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Tue, 05 May 2009 21:27:41 -0700 [thread overview]
Message-ID: <4A0111BD.204@schaufler-ca.com> (raw)
In-Reply-To: <20090505182135.GK17486@mit.edu>
Theodore Tso wrote:
> On Tue, May 05, 2009 at 10:56:03AM -0700, Joel Becker wrote:
>
>> On Tue, May 05, 2009 at 01:44:11PM -0400, Stephen Smalley wrote:
>>
>>>> Both use cases are equally valid, and I imagine there would be
>>>> interest in using reflinks both for snapshots and as a very
>>>> lightweight copy operation by commands like /bin/cp.
>>>>
>> Sure, but you can start with a reflink and then do what you want
>> to it.
>>
>>
>>> Not arguing against this, but just to note: the security model will
>>> differ depending on these flags, as the link-like case doesn't require
>>> the caller to have read access to the file (the data is no more
>>> accessible than it was before), whereas the copy-like case requires the
>>> caller to have read access to the original file since the data "leaks"
>>> into a container with potentially different access constraints.
>>>
>> Yeah, another reason why I don't want to complicate the
>> behavior. I defined it as "the operation is like link(2)" for a reason
>> :-)
>>
>
> The security model *is* the problem, however. If we have a mode where
> reflink acts like cp, then it doesn't require anything special in
> terms of CAP_FOWNER. It really is the same as a copy command.
>
> So sure, you could start with a reflink and then modify it, but if
> you're an unprivileged user, you won't be able to create the reflink
> in the first place.
>
>
On the topic of security modeling, I'd like to point out that one of
the reasons that Linux has been such a hit with the security community
is that you can model the file system accesses easily because no
matter what you do you end up at a definitive access control point,
the inode. Now I have a file that can have a thousand inodes, each of
which might have a different set of access control characteristics.
All existing Linux security descriptions go strait out the window.
Once a chown() has occurred any chance of limiting the propagation
of access rights is lost. With a single inode there is a definitive
name for the file system object (device/inode) where with multiple
inodes there is not. I'm not ignoring the copy-on-write, for a file
that has not been changed since the reflink() call that doesn't matter.
next prev parent reply other threads:[~2009-05-06 4:27 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler [this message]
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A0111BD.204@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=chris.mason@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.