From: Stephen Smalley <sds@tycho.nsa.gov>
To: Theodore Tso <tytso@mit.edu>
Cc: Chris Mason <chris.mason@oracle.com>,
James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Tue, 05 May 2009 13:44:11 -0400 [thread overview]
Message-ID: <1241545451.3023.341.camel@localhost.localdomain> (raw)
In-Reply-To: <20090505173423.GH17486@mit.edu>
On Tue, 2009-05-05 at 13:34 -0400, Theodore Tso wrote:
> On Tue, May 05, 2009 at 10:13:31AM -0700, Joel Becker wrote:
> > On Tue, May 05, 2009 at 12:56:58PM -0400, Chris Mason wrote:
> > > On Tue, 2009-05-05 at 09:47 -0700, Joel Becker wrote:
> > > > Because then you have to change the entire security structure,
> > > > and you aren't a snapshot anymore.
> > >
> > > I won't argue with the security part, but the snapshot part could just
> > > as easily be defined by the data and not the inode.
> >
> > In ZFS/btrfs/WAFL/disk array snaps, if you go back to a snap
> > does the selinux context or acls or equivalent appear different? I don't
> > think so, and I expect people would be really upset if they had to know
> > all the restorecon/acl-fu to get it right.
>
> OK, now I understand; sorry, I didn't realize that when you said
> "snapshot", what you were really talking about was a way to implement
> WAFL-style snapshots, where reflink was a low-level operation that
> would be used to implement that particular use case. Hmm, maybe the
> answer is that we implement reflinkat(2) with flags that indicate
> whether this is supposed to be more like a hard link (i.e., acl and
> ownership should be preserved) or more a like a copy (i.e., acl is
> inherited from the new containing directory's directory creation acl,
> uid/guid are set using the standard rules for creating new inodes).
>
> Both use cases are equally valid, and I imagine there would be
> interest in using reflinks both for snapshots and as a very
> lightweight copy operation by commands like /bin/cp.
Not arguing against this, but just to note: the security model will
differ depending on these flags, as the link-like case doesn't require
the caller to have read access to the file (the data is no more
accessible than it was before), whereas the copy-like case requires the
caller to have read access to the original file since the data "leaks"
into a container with potentially different access constraints.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2009-05-05 17:44 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley [this message]
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1241545451.3023.341.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=chris.mason@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).