From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joel Becker <Joel.Becker@oracle.com>
Cc: Andy Lutomirski <luto@mit.edu>, jim owens <jowens@hp.com>,
jmorris@namei.org, ocfs2-devel@oss.oracle.com,
viro@zeniv.linux.org.uk, mtk.manpages@gmail.com,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [Ocfs2-devel] [RFC] The reflink(2) system call v4.
Date: Mon, 18 May 2009 10:33:15 -0400
Message-ID: <1242657195.20082.23.camel@localhost.localdomain>
In-Reply-To: <1242651759.20082.4.camel@localhost.localdomain>
On Mon, 2009-05-18 at 09:02 -0400, Stephen Smalley wrote:
> On Fri, 2009-05-15 at 13:53 -0700, Joel Becker wrote:
> > On Fri, May 15, 2009 at 09:42:09AM -0700, Joel Becker wrote:
> > > On Fri, May 15, 2009 at 11:55:25AM -0400, Stephen Smalley wrote:
> > > > Consider a program that wants to always preserve attributes on the
> > > > reflinks it creates. If the interface allows the program to explicitly
> > > > request that behavior and returns an error when the request cannot be
> > > > honored, then the program knows that upon a successful return, the
> > > > attributes were in fact preserved. If the interface instead silently
> > > > selects a behavior based on the current privileges of the process and
> > > > gives no indication to the caller as to what behavior was selected, then
> > > > the opportunity for error is great.
> > >
> > > I get that. I'm looking at what the programming interface is.
> > > What's the standard function for "I want the fallback behavior" called?
> > > What's the standard function for "I want preserve security" called?
> > > "int reflink(oldpath, newpath)" has to pick one of the behaviors. Which
> > > is it?
> >
> > Ok, I've been casting about how to solve the concern and provide
> > a decent interface. I'm not about to give up on either. I think,
> > though, that we do have to let the application signal its intent to the
> > system. And if we're doing that, let's add a little flexibility.
> > I think the interface will be this (ignoring the reflinkat(2)
> > bit for now):
> >
> > int reflink(const char *oldpath, const char *newpath, int preserve);
> >
> > - Data and xattrs are reflinked always.
> > - 'preserve' is a bitfield describing which attributes to keep across the
> > reflink:
> > * REFLINK_ATTR_OWNER - Keeps uid/gid the same. Requires ownership or
> > CAP_CHOWN.
> > * REFLINK_ATTR_SECURITY - Keeps the security state (SELinux/SMACK/etc)
> > the same. This requires REFLINK_ATTR_OWNER (the security state makes
> > no sense if the ownership changes). If not set, the filesystem wipes
> > all security.* xattrs and reinitializes with
> > security_inode_init_security() just like a new file.
> > * REFLINK_ATTR_MODE - Keeps the mode bits the same. Requires ownership
> > or CAP_FOWNER.
> > * REFLINK_ATTR_ACL - Keeps the ACLs the same. Requires
> > REFLINK_ATTR_MODE, as ACLs have to get adjusted when the mode
> > changes, and so you can't keep them the same if the mode wasn't
> > preserved. If not set, the filesystem reinits the ACLs as for a new
> > file.
> > - REFLINK_ATTR_NONE is 0 and REFLINK_ATTR_ALL is ~0.
> >
> > That's all the relevant attributes. The timestamps behave as
> > already described (ctime is now, mtime matches the source), which is the
> > only sane behavior for this sort of thing.
> > So, a copy program would reflink(source, target,
> > REFLINK_ATTR_NONE), a snapshot program would reflink(source, target,
> > REFLINK_ATTR_ALL), and someone wanting the fallback behavior can do it
> > easily.
> > In the kernel, security_inode_reflink() gets passed the preserve
> > bits. It's responsible for determining whether REFLINK_ATTR_SECURITY is
> > allowed (vfs_reflink() will already have asserted REFLINK_ATTR_OWNER).
> > It may do other checks on the reflink and the preserve bits, that's up
> > to the LSM.
> > For scripting, we add the '-p' and '-P' to "ln -r":
> >
> > - ln -r == reflink(source, target, REFLINK_ATTR_NONE);
> > - ln -r -P == reflink(source, target, REFLINK_ATTR_ALL);
> > - ln -r -p == the fallback behavior. This is like cp(1), where "cp -p"
> > is best-effort.
> >
> > Does this make everyone happy?
>
> For simplicity and robustness, I would only support the none or all
> flags, i.e. preserve can be a simple bool. I don't think you really
> want to deal with the individual flags, and I don't see a use case for
> them.
Or possibly only distinguish preserve-dac from preserve-mac, e.g.
REFLINK_ATTR_NONE (preserve none),
REFLINK_ATTR_DAC (preserve uid, gid, mode, and ACLs ala cp -p),
REFLINK_ATTR_MAC (preserve MAC security label ala cp -c),
REFLINK_ATTR_ALL (preserve all)
--
Stephen Smalley
National Security Agency
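The following is an added illustration of the rules discussed in this thread, not code from the thread, from the reflink patches or from any kernel: it models the dependency checks between the proposed preserve bits (REFLINK_ATTR_SECURITY needs REFLINK_ATTR_OWNER, REFLINK_ATTR_ACL needs REFLINK_ATTR_MODE), the ownership/CAP_CHOWN and ownership/CAP_FOWNER requirements, the best-effort "ln -r -p" fallback, and Stephen Smalley's coarser DAC/MAC grouping expressed as masks over the fine-grained bits. The proposal only fixes REFLINK_ATTR_NONE as 0 and REFLINK_ATTR_ALL as ~0, so the individual bit positions, the function names and the caller-privilege parameters are assumptions made for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed bit positions: the proposal names these flags but only fixes
 * NONE = 0 and ALL = ~0.  Everything else here is hypothetical. */
#define REFLINK_ATTR_NONE     0u
#define REFLINK_ATTR_OWNER    (1u << 0)
#define REFLINK_ATTR_SECURITY (1u << 1)
#define REFLINK_ATTR_MODE     (1u << 2)
#define REFLINK_ATTR_ACL      (1u << 3)
#define REFLINK_ATTR_ALL      (~0u)

/* Stephen Smalley's DAC/MAC grouping, built from the fine-grained bits. */
#define REFLINK_ATTR_DAC (REFLINK_ATTR_OWNER | REFLINK_ATTR_MODE | REFLINK_ATTR_ACL)
#define REFLINK_ATTR_MAC (REFLINK_ATTR_SECURITY)

/* Dependency rules from the proposal: SECURITY makes no sense without
 * OWNER, and ACLs cannot be kept unless the mode is kept.  Returns 0 or
 * -EINVAL, mirroring how a VFS entry point would reject a bad request. */
int reflink_check_preserve_deps(unsigned int preserve)
{
    if ((preserve & REFLINK_ATTR_SECURITY) && !(preserve & REFLINK_ATTR_OWNER))
        return -EINVAL;
    if ((preserve & REFLINK_ATTR_ACL) && !(preserve & REFLINK_ATTR_MODE))
        return -EINVAL;
    return 0;
}

/* Strict ("explicitly requested") semantics: fail with -EPERM when a
 * requested preservation cannot be honoured, so a successful return means
 * every requested attribute really was preserved.  The MAC decision for
 * REFLINK_ATTR_SECURITY is left to the LSM hook in the proposal and is not
 * modelled here; only the DAC requirements are checked.
 * owns_file: caller's fsuid matches the source inode's uid. */
int reflink_check_preserve_perm(unsigned int preserve, bool owns_file,
                                bool cap_chown, bool cap_fowner)
{
    int err = reflink_check_preserve_deps(preserve);
    if (err)
        return err;
    if ((preserve & REFLINK_ATTR_OWNER) && !(owns_file || cap_chown))
        return -EPERM;
    if ((preserve & REFLINK_ATTR_MODE) && !(owns_file || cap_fowner))
        return -EPERM;
    return 0;
}

/* Best-effort ("ln -r -p", cp -p style) semantics: silently drop the bits
 * the caller is not allowed to keep, together with anything that depends
 * on them, and report what was actually preserved. */
unsigned int reflink_best_effort(unsigned int wanted, bool owns_file,
                                 bool cap_chown, bool cap_fowner)
{
    unsigned int got = wanted;
    if (!(owns_file || cap_chown))
        got &= ~(REFLINK_ATTR_OWNER | REFLINK_ATTR_SECURITY);
    if (!(owns_file || cap_fowner))
        got &= ~(REFLINK_ATTR_MODE | REFLINK_ATTR_ACL);
    return got;
}

int main(void)
{
    /* Constructed scenario: an unprivileged process reflinking a file it
     * does not own, asking for everything. */
    int strict = reflink_check_preserve_perm(REFLINK_ATTR_ALL, false, false, false);
    unsigned int kept = reflink_best_effort(REFLINK_ATTR_DAC | REFLINK_ATTR_MAC,
                                            false, false, false);
    printf("strict request of ALL -> %d (expect -EPERM = %d)\n", strict, -EPERM);
    printf("best effort kept bits -> 0x%x (expect 0x0)\n", kept);
    return 0;
}
```

The two entry points show the distinction Stephen Smalley draws earlier in the thread: the strict variant lets a copy or snapshot tool rely on a successful return, while the best-effort variant is the cp -p behaviour where the caller has to inspect the returned mask to learn what was actually kept.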