From: Casey Schaufler <casey@schaufler-ca.com>
To: Jamie Lokier <jamie@shareable.org>
Cc: Theodore Tso <tytso@mit.edu>, Stephen Smalley <sds@tycho.nsa.gov>,
Chris Mason <chris.mason@oracle.com>,
James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Tue, 05 May 2009 22:38:51 -0700 [thread overview]
Message-ID: <4A01226B.6030801@schaufler-ca.com> (raw)
In-Reply-To: <20090506044210.GB14804@shareable.org>
Jamie Lokier wrote:
> Casey Schaufler wrote:
>
>> Now I have a file that can have a thousand inodes, each of
>> which might have a different set of access control characteristics.
>>
>
> >From a security perspective, how is this different from a
> thousand separate files?
>
> The copy-on-write is just an optimisation, a filesystem implementation
> detail, from a certain perspective.
>
Yes, I understand that. It's entirely possible that I don't
actually have a valid concern, but I'm having a little trouble
convincing myself that all the bases are covered.
It's different from 1000 separate files because I can now have
one set of data blocks with read access controlled by 1000 different
users.
# chown user000 rfile000
...
# chown user999 rfile999
now 1000 different users can grant access to those blocks,
so long as they don't change. Without reflink() I know that if
I own the file, it isn't open (fuser says so) and it is mode 700
that noone else can read it sans privilege. With reflink() not
only is this not true, but I can't find out who might be able to
read it. Changing the permissions, ACL, SELinux label, Smack label,
or TOMOYO policy won't help, because there may be another inode
out there somewhere that I can't even access that is granting the
rest of the world access.
>> With a single inode there is a definitive
>> name for the file system object (device/inode) where with multiple
>> inodes there is not.
>>
>
> That's because there isn't a single object to name. Why do you want
> to pretend they are the same object?
>
Until they actually diverge you can't say which object the data
blocks belong to. That means you can't say which set of access
control information protects the information, because someone
needs access through one or the other but in either case is
looking at the same data.
> They are separate files which share some disk blocks to save space and
> time that's all. A low-level implementation detail. Completely
> separate files can share blocks like that too on some filesystems.
>
> In what way do the shared data blocks between otherwise separate files
> have any security implication?
>
> (Ok, ok, timing, ENOSPC, covert communications, but independent files
> can trigger such interactions too.)
>
> There's the actual creation of reflinks being invisible to i_nlink
> watchers yet not requiring read permission, which is new. But that
> has nothing to do with the shared data: it would have the same
> security implication even if reflink was just an ordinary file copy
> with its proposed permission check! :-)
>
Yeah, I can see the argument, I'm just not sure that I could
turn around and sell it to an eager-puppy security evaluator
fresh out of a PHD program at the U of Maryland.
next prev parent reply other threads:[~2009-05-06 5:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler [this message]
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A01226B.6030801@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=chris.mason@oracle.com \
--cc=jamie@shareable.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.