From: Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org>
To: Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
One Thousand Gnomes
<gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>,
Ric Wheeler <rwheeler-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Theodore Ts'o <tytso-3s7WtUTddSA@public.gmane.org>,
Gregory Farnum <greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org>,
"Martin K. Petersen"
<martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
"Darrick J. Wong"
<darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Jens Axboe <axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
shane.seymour-ZPxbGqLxI0U@public.gmane.org,
Bruce Fields <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>,
linux-fsdevel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>,
Eric Sandeen <esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Date: Sat, 12 Mar 2016 09:30:47 +1100 [thread overview]
Message-ID: <20160311223047.GZ30721@dastard> (raw)
In-Reply-To: <CA+55aFxQOgDjL643J33d-3q7gYGvyN84vCn4qJq-Ox8E-WRx9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Fri, Mar 11, 2016 at 10:25:30AM -0800, Linus Torvalds wrote:
> On Fri, Mar 11, 2016 at 9:30 AM, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> wrote:
> >
> > What if we had an ioctl to do these data-leaking operations that took,
> > as an extra parameter, an fd to the block device node. They allow
> > access if the fd points to the right inode and has FMODE_READ (and LSM
> > checks say it's okay). Sure, it's awkward, but it's much safer.
>
> That sounds absolutely horrible.
>
> I'd *much* prefer the suggestion from Alan to simply have a mount-time
> option to enable it. That way, you will never get any surprises, and
> no "subtle new behavior for somebody who set their system up in a way
> that doesn't allow for this".
>
> So you'd have to explicitly say "my setup is ok with hole punching".
Except it's not hole punching that is the problem. Hoel punching
makes sure that the underlying blocksare removed and so whatever
data is in them cannot be accessed any more. The problem here is
preallocation of unwritten blocks that expose the stale data if the
filesystem skips marking those blocks as unwritten.
And, so, what happens when a file that is preallocated with the
unwritten bit so it exposes stale data then has it's owner/group
changed? Or copied by root/user in privileged group to a different
location that other users can access? Or any of the other vectors
that can result in the stale data being copied/made available to
unprivileged users?
It's all well and good to restrict access to the fallocate() call to
limit who can expose stale data, but it doesn't remove the fact it
is easy for stale data to unintentionally escape the privileged
group once it has been exposed because there is no record of the
fact the file contains uninitialised blocks....
Cheers,
Dave.
--
Dave Chinner
david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org
next prev parent reply other threads:[~2016-03-11 22:30 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 4:09 [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Darrick J. Wong
2016-03-02 4:09 ` [PATCH 1/2] block: invalidate the page cache when issuing BLKZEROOUT Darrick J. Wong
2016-03-02 9:19 ` Christoph Hellwig
2016-03-02 4:09 ` [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Darrick J. Wong
2016-03-02 9:20 ` Christoph Hellwig
[not found] ` <20160302040947.16685.42926.stgit-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-02 18:52 ` Linus Torvalds
2016-03-02 22:56 ` Darrick J. Wong
2016-03-02 23:49 ` Linus Torvalds
2016-03-03 17:02 ` Theodore Ts'o
[not found] ` <20160303170205.GD24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 17:55 ` Linus Torvalds
[not found] ` <CA+55aFwPA1X8XGTdVZmP5uzkWMwj+X=bjkGVcEkZDme+qskrzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:00 ` Christoph Hellwig
2016-03-03 18:14 ` Martin K. Petersen
2016-03-03 18:21 ` Theodore Ts'o
[not found] ` <CA+55aFyNPnjJ-Nsu3bMr+HuLQnkj1B8FMddNnXW7HJqxdUzJmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:01 ` Martin K. Petersen
[not found] ` <yq1bn6v8mqg.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 18:09 ` Christoph Hellwig
[not found] ` <20160303180924.GA4116-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-03 18:12 ` Darrick J. Wong
2016-03-03 18:54 ` Martin K. Petersen
[not found] ` <yq1vb5375oh.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 22:39 ` Theodore Ts'o
[not found] ` <20160303223952.GE24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 23:10 ` Dave Chinner
2016-03-04 0:20 ` Theodore Ts'o
2016-03-09 22:20 ` Gregory Farnum
2016-03-09 23:08 ` Theodore Ts'o
2016-03-10 14:58 ` Ric Wheeler
[not found] ` <56E18B9B.5070503-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-03-10 18:33 ` Linus Torvalds
[not found] ` <CA+55aFyw1nN4ze3-AGGE27evOZuXnkJC9C-W5QRUR=zKHqObGg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-10 21:47 ` Theodore Ts'o
2016-03-11 4:42 ` Ric Wheeler
2016-03-11 13:59 ` One Thousand Gnomes
[not found] ` <20160311135952.57a44931-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2016-03-11 15:27 ` Theodore Ts'o
2016-03-11 17:23 ` Linus Torvalds
[not found] ` <CA+55aFwX2GYYN53E9qaTym=gp1aRjSA5f1G+N5WEiRd1dOJhFA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 17:30 ` Andy Lutomirski
2016-03-11 18:25 ` Linus Torvalds
[not found] ` <CA+55aFxQOgDjL643J33d-3q7gYGvyN84vCn4qJq-Ox8E-WRx9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 22:30 ` Dave Chinner [this message]
2016-03-12 0:33 ` Linus Torvalds
2016-03-12 0:35 ` Theodore Ts'o
[not found] ` <20160312003556.GF32214-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 0:44 ` Linus Torvalds
2016-03-12 7:19 ` Theodore Ts'o
[not found] ` <20160312071945.GA3419-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 10:11 ` Thomas Schoebel-Theuer
2016-03-13 23:30 ` Dave Chinner
2016-03-14 10:34 ` Ric Wheeler
[not found] ` <56E69398.7030508-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-14 14:46 ` Theodore Ts'o
2016-03-15 20:14 ` Dave Chinner
2016-03-15 20:43 ` Linus Torvalds
[not found] ` <CA+55aFwHLJffmN-Dw=yZCGKzxe_2Tm9h2GjdaFL3JdvYXNstRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 21:29 ` Theodore Ts'o
2016-03-15 22:33 ` Dave Chinner
2016-03-15 22:52 ` Theodore Ts'o
2016-03-16 1:51 ` Darrick J. Wong
[not found] ` <20160316015139.GC5826-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-16 21:45 ` Andreas Dilger
[not found] ` <7674C689-C07E-4D38-85EB-4FD9B55CBB35-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 0:15 ` Theodore Ts'o
[not found] ` <20160317001502.GF23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-17 0:33 ` Eric Sandeen
2016-03-17 0:59 ` Theodore Ts'o
[not found] ` <56E9FB73.6040803-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-17 5:18 ` Gregory Farnum
2016-03-17 12:36 ` Theodore Ts'o
[not found] ` <CAC6JEv-CGaphHj6hVXUhFS+Dc4jS46nO1yOfKF5yA8AnDwqgOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-17 17:47 ` Linus Torvalds
2016-03-17 17:50 ` Ric Wheeler
2016-03-17 17:59 ` Linus Torvalds
2016-03-17 18:35 ` Chris Mason
[not found] ` <20160317183512.GA76233-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 20:49 ` Andreas Dilger
[not found] ` <819F38A3-51A7-4874-8314-8A6004495716-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 21:00 ` Chris Mason
[not found] ` <20160317210018.GA78710-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-18 3:20 ` Theodore Ts'o
[not found] ` <20160318032023.GK23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 15:15 ` Jeff Moyer
[not found] ` <x491t7795ro.fsf-RRHT56Q3PSP4kTEheFKJxxDDeQx5vsVwAInAS/Ez/D0@public.gmane.org>
2016-03-18 20:05 ` Martin K. Petersen
[not found] ` <CA+55aFzbzXb9ApP5FnVZihWRpWGO1-YnJj_Giip5LfD6=uvf0w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 6:52 ` Gregory Farnum
[not found] ` <CAC6JEv-MuU2sWSvftjHhOhZsE2Fz49Ffv6cm1FMnju5egcyvmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 7:19 ` Linus Torvalds
2016-03-17 1:01 ` Dave Chinner
2016-03-17 2:38 ` Darrick J. Wong
[not found] ` <20160315225224.GD23848-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 22:55 ` NeilBrown
2016-03-15 23:06 ` Linus Torvalds
[not found] ` <CA+55aFxCpza3_3J8kP9E0gLKHiSitZHjC4UMS_ZfZ_HBTC9=Bg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 23:14 ` Linus Torvalds
[not found] ` <CA+55aFw80NXB9L7ooxV0zr3oaf4zWzZAJcb87ib58n=toiCn7g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:08 ` Dave Chinner
2016-03-15 23:52 ` Dave Chinner
2016-03-16 0:06 ` Linus Torvalds
[not found] ` <CA+55aFxZ=feGd+QGdhCN28kjd2XJO3PCj9NBoJJZ5E8_WMJiMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:30 ` Eric Sandeen
[not found] ` <56E8A916.8050702-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-16 0:51 ` Chris Mason
[not found] ` <20160316005117.GA34410-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-16 22:23 ` Chris Mason
[not found] ` <20160316222343.GA53649-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 13:49 ` Ric Wheeler
2016-03-15 22:38 ` Eric Sandeen
2016-03-03 22:56 ` Dave Chinner
2016-03-04 2:30 ` Thomas Schoebel-Theuer
2016-03-03 18:14 ` Linus Torvalds
2016-03-02 9:15 ` [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Arnd Bergmann
2016-03-02 9:44 ` Christoph Hellwig
[not found] ` <20160302094416.GA16631-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-02 10:55 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160311223047.GZ30721@dastard \
--to=david-fqsqvqoi3ljby3ivrkzq2a@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org \
--cc=hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=rwheeler-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=shane.seymour-ZPxbGqLxI0U@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).