From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joel Becker <Joel.Becker@oracle.com>
Cc: James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Mon, 04 May 2009 15:30:46 -0400 [thread overview]
Message-ID: <1241465446.3023.228.camel@localhost.localdomain> (raw)
In-Reply-To: <20090504180855.GE31249@mail.oracle.com>
On Mon, 2009-05-04 at 11:08 -0700, Joel Becker wrote:
> [Re-adding linux-fsdevel]
>
> On Mon, May 04, 2009 at 01:37:49PM -0400, Stephen Smalley wrote:
> > On Mon, 2009-05-04 at 09:35 -0700, Joel Becker wrote:
> > > On Mon, May 04, 2009 at 09:16:56AM -0400, Stephen Smalley wrote:
> > > > BTW, the DAC permission checking here also needs some thought, and
> > > > wouldn't be handled by the LSM hook. Should reflink(2) require DAC read
> > > > permission to the file, like a file copy would? And if the owner of the
> > > > original differs from the fsuid of the current process, should
> > > > reflink(2) require CAP_CHOWN in order to set the ownership of the copy
> > > > to the original's owner?
> > >
> > > I'm thinking it should require read, yes. That's part of what
> > > I'm asking. Regarding CAP_CHOWN - I don't want to limit the call to
> > > root-only. Are you saying something like "If you have CAP_CHOWN, you
> > > can reflink() the sucker and keep the original ownership, otherwise
> > > sorry, it's gotta be owned by the current process"?
> >
> > Is reflink() supposed to be more like link(2) or more like an in-kernel
> > optimized file copy?
>
> More like link(2).
>
> > And what is the real usage scenario? Are users likely to need/want to
> > be able to reflink() to files that they do not own? If so, will they be
> > more likely to want to own the new copies or preserve the original
> > ownership?
>
> The real usage scenarios are varied. The idea came out of inode
> snapshots. And for that, you really want to preserve everything. But
> when we came up with the reflink(2) interface as a more generic way to
> invoke it, we came up with a lot of fun uses.
> The other mail had a good point - if you can allow someone the
> ability to reflink() a file but not read or write it, you might not even
> need read permission. I'm thinking of a snapshotter that can make
> snapshots with only the permissions to create in the snapshot directory.
> That's neat.
>
> > If you want to support multiple attribute assignment behaviors (e.g.
> > sometimes preservation, sometimes inherit from the process), then you
> > should make that explicit in the interface, e.g. preservation flags for
> > the different attributes, and fail the operation if unable to honor the
> > request.
>
> Yeah, I really don't want to create multiple behaviors. I
> wasn't proposing the "behaves differently on CAP_CHOWN," I was trying to
> clarify what you were thinking.
Given that normally users can't create files with other ownerships, it
seemed that we might want to require CAP_CHOWN or some other capability
in order to reflink(2) a file that isn't owned by the fsuid of the
process. Possibly is_owner_or_cap(), i.e. owner or CAP_FOWNER, would be
suitable.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2009-05-04 19:30 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley [this message]
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1241465446.3023.228.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=Joel.Becker@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).