From: Colin Walters
Subject: immutable files via O_OBJECT
Date: Fri, 09 May 2014 10:10:22 +0000
Message-ID: <1399630462.17314.3@mail.messagingengine.com>
To: Linux-Fsdevel

Hi,

I'm the author of https://live.gnome.org/Projects/OSTree which is a new general purpose update system for Linux-based operating systems.

Basically it does updates by creating a new hardlink farm chroot. (There's nothing really new about this, OSTree is just a polished version of it with a new twist or two)

Now present, I have a read-only bind mount over /usr. What I'd really like is something like the existing S_IMMUTABLE bit except with the ability to make hardlinks. Also unlike S_IMMUTABLE I don't want it to be removable at all.

And the more I thought about it, the more I realized what would be neat is a new open flag "O_OBJECT". What this would do is disallow any further changes to content after the file has been close()d or so.

(It would also be nice to have a way to make xattrs immutable, but I see that as a separate thing)

I can imagine that beyond the security aspect, filesystems could make some interesting optimizations if userspace opted out of the ability to mutate files post-creation.

Both OSTree and git could use it (git for loose objects).

There's been stuff somewhat related to this in the past, like linux-vserver was carrying a hack to do CoW hardlinks. But I think it's really better to just disallow mutation and force userspace to break hardlinks.

If you guys give me this flag, I'll make use of it in userspace pretty much right away =)
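
What "force userspace to break hardlinks" looks like with the interfaces that exist today, as an added example that is not part of the original message and is not OSTree or git code: the helper `break_hardlink` (a hypothetical name) gives a path its own inode before it is modified, so a write cannot reach the other links in the hardlink farm. It assumes a regular file on a filesystem that supports `rename()` within the directory, and it copies only content and mode bits (ownership and xattrs are not carried over).

```c
/* Added example: break a hardlink before mutating a file in a hardlink farm. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give `path` a private inode if it currently shares one (st_nlink > 1).
 * Returns 1 if a link was broken, 0 if the file was already private,
 * -1 on error or if `path` is not a regular file. */
int break_hardlink(const char *path)
{
    struct stat st;
    char tmp[4096], buf[65536];
    ssize_t n;
    int in, out, ok;

    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode)) return -1;
    if (st.st_nlink <= 1) return 0;
    /* Temp file lives next to the target so rename() stays on one filesystem. */
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    if ((in = open(path, O_RDONLY | O_CLOEXEC)) < 0) return -1;
    if ((out = mkstemp(tmp)) < 0) { close(in); return -1; }
    /* Copy the content; a short write is treated as a failure. */
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    ok = n == 0 && fchmod(out, st.st_mode & 07777) == 0 && fsync(out) == 0;
    close(in);
    if (close(out) < 0) ok = 0;
    /* rename() replaces only this directory entry, atomically; every other
     * link keeps pointing at the original, untouched inode. */
    if (!ok || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 1;
}

/* Stand-alone use: ./break_hardlink FILE... */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], break_hardlink(argv[i]));
    return 0;
}
```

Nothing in this scheme stops a process that skips the helper and opens the shared inode for writing directly, which is the gap the read-only bind mount covers today.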