From: "Darrick J. Wong" <djwong@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Christoph Hellwig <hch@infradead.org>,
Cyber_black <Cyberblackk@proton.me>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Mark Fasheh <mark@fasheh.com>, Theodore Ts'o <tytso@mit.edu>,
linux-api@vger.kernel.org
Subject: Re: [RFC] fs/ioctl.c: FIBMAP requires CAP_SYS_RAWIO while FIEMAP exposes identical data unprivileged
Date: Mon, 18 May 2026 20:31:26 -0700 [thread overview]
Message-ID: <20260519033126.GD9531@frogsfrogsfrogs> (raw)
In-Reply-To: <CALCETrUFMFNnJ6FLd9SkzS5E1q3x+cqGvOvo5PzU2V_+moSEJw@mail.gmail.com>
On Mon, May 18, 2026 at 09:22:42AM -0700, Andy Lutomirski wrote:
> On Mon, May 18, 2026 at 9:21 AM Darrick J. Wong <djwong@kernel.org> wrote:
> >
> > On Sun, May 17, 2026 at 10:08:13PM -0700, Christoph Hellwig wrote:
> > > On Fri, May 15, 2026 at 05:36:45PM +0000, Cyber_black wrote:
> > > > Option B) Add a capability check to ioctl_fiemap() to match FIBMAP.
> > > > This restores the intended restriction, at the cost of breaking
> > > > unprivileged use of FIEMAP (e.g. filefrag, btrfs tools, e2freefrag).
> > > > This option is a larger ABI impact and likely undesirable.
> > > >
> > > > The preferred fix is Option A, since FIEMAP has been available
> > > > unprivileged since 2008 with no reported security issues, and read
> > > > access to physical block layout is already implicitly available
> > > > through open() permission on the file.
> > >
> > > No, FIEMAP really should not be available unprivileged. So I think B is
> > > the right thing. Can you send a proper patch with a proper signoff?
> >
> > For anyone who might be relying on FIEMAP output to find sparse regions
> > -- don't. FIEMAP is a lowlevel fs debugging interface; it won't tell
> > you about dirty pagecache backed by unwritten disk space. cp was burned
> > by that a decade and a half ago.
> >
>
> The only way that I'm personally aware of to determine whether ranges
> in two files are reflinked to each other (and the only efficient way
> to find identical blocks to, say, archive a large directory without
> reading all the contents) is FIEMAP. I wrote some code to do this
> awhile back (not in production use). Yes, I realize that it might
> have issues with dirty page cache.
>
> Is there some other way to do this? Could an API be added that
> efficiently answers the actual question without revealing information
> that shouldn't be revealed?
Well, yes, we *could* make yet another ioctl, but we could also just run
fe_physical through a one-way u64 hash function and set
FIEMAP_EXTENT_UNKNOWN if (say) you don't have CAP_SYS_RAWIO or
something. Then your comparison function might still work... maybe?
OTOH nobody really wants Linus roaring at them, so we might all just do
absolutely nothing.
Also note that FIEMAP still doesn't report devices, so you're still
playing with fire on multi-device reflink-aware filesystems like XFS.
--D
next prev parent reply other threads:[~2026-05-19 3:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <_fcorj7Aa0YnzUmrPnqdEbTjLqS6S7t84HKrzsswvKm71LC0uVmTD2cthCwpgeI-296unEpzPZYBNdFFDXjsQvZRtGfTaQlKmcRkiSI4wiQ=@proton.me>
2026-05-18 5:08 ` [RFC] fs/ioctl.c: FIBMAP requires CAP_SYS_RAWIO while FIEMAP exposes identical data unprivileged Christoph Hellwig
2026-05-18 16:20 ` Darrick J. Wong
2026-05-18 16:22 ` Andy Lutomirski
2026-05-19 3:31 ` Darrick J. Wong [this message]
2026-05-19 7:53 ` Andreas Dilger
2026-05-19 11:45 ` Christoph Hellwig
2026-05-19 20:51 ` Andy Lutomirski
2026-05-19 2:23 ` Theodore Tso
2026-05-19 11:42 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519033126.GD9531@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=Cyberblackk@proton.me \
--cc=hch@infradead.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mark@fasheh.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox