From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:56621 "EHLO out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751374AbeAZRFN (ORCPT ); Fri, 26 Jan 2018 12:05:13 -0500
Message-Id: <1516986313.1023634.1249302064.27114772@webmail.messagingengine.com>
From: Colin Walters
To: James Bottomley, "Theodore Ts'o"
Cc: "linux-fsdevel", lsf-pc@lists.linux-foundation.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Date: Fri, 26 Jan 2018 12:05:13 -0500
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] fs-verity: file system-level integrity protection
References: <20180125191152.GA11197@thunk.org> <1516953519.3900697.1248768528.0ABC456B@webmail.messagingengine.com> <20180126152928.GB2841@thunk.org> <1516984812.1011043.1249268528.30144C24@webmail.messagingengine.com> <1516985364.4000.15.camel@HansenPartnership.com>
In-Reply-To: <1516985364.4000.15.camel@HansenPartnership.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Fri, Jan 26, 2018, at 11:49 AM, James Bottomley wrote:
> On Fri, 2018-01-26 at 11:40 -0500, Colin Walters wrote:
> > On Fri, Jan 26, 2018, at 10:29 AM, Theodore Ts'o wrote:
> > >
> > > The problem is not the userspace API, it's the bike-shedding over
> > > all of the different ways we could *do* immutability, all of which
> > > would require separate bits in the on-disk representation of the
> > > inode.  You can have any combination of:
> > >
> > > * Immutable data
> > > * Immutable metadata
> > >    * Immutable xattrs
> >
> > Everyone here wants immutable data (*all* of the data I hope),
>
> No, no, I don't.  In the world today most linux distributions from
> which we produce containers do have the annoying property of writing
> stuff where they shouldn't (mostly into /etc).

Sorry, I meant that no one was asking for *partially* immutable single files,
like how one can F_SETLK byte ranges today. Now that I think about it though
that's kind of what log files like the systemd journal want (i.e. O_APPEND like)
but honestly people who care about that kind of stuff tend to send log messages
remotely anyways and I personally care a whole lot more about binaries
(basically ideally fs-verity covers at least everything that can gain
CAP_SYS_ADMIN, including e.g. supporting local signing of installed
RPMs/host extensions, and notably if one has a Docker container or whatever
that is configured to gain CAP_SYS_ADMIN on start, or equivalent).