From: Al Viro <viro@ZenIV.linux.org.uk>
To: Brad Boyer <flar@allandria.com>
Cc: Christoph Hellwig <hch@infradead.org>,
Damian Stewart <damian@frey.co.nz>,
linux-fsdevel@vger.kernel.org
Subject: Re: PROBLEM: hfsplus filesystem allows opendir() on plain files
Date: Sat, 6 Dec 2008 22:31:33 +0000 [thread overview]
Message-ID: <20081206223133.GR28946@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20081206072122.GC13807@cynthia.pants.nu>
On Fri, Dec 05, 2008 at 11:21:22PM -0800, Brad Boyer wrote:
> Apple added hard links with osx. Back when I wrote hfsplus originally,
> there wasn't any such thing on HFS+ either. The support for the hack
> that added the appearance of hard links was added after I stopped
> maintaining the code. It's really just a matter of hiding the real
> file in a special place and putting stubs with special settings where
> all the links appear in the namespace. In all truth both HFS and HFS+
> are inherently incompatible with the very concept of a hard link or
> having a file still exist after removal. It's just a horrible hack
> that makes it look like it works.
Well... That's not too unreasonably way to do them, actually - just
treat your hidden directory as real inode table. The tricky part is
keeping i_ino stable through all that, but if it's done...
FWIW, fs/qnx4 uses a somewhat similar scheme, IIRC.
To make things workable you need
* hidden directory that would never be reachable by syscalls
* recognizable files that would contain references to names
in that directory
* lookup that would normally lead to such file getting inode
of object in hidden directory
* link(2) with target being *not* one of those would start with
moving target to hidden directory and creating such "link" file in its
place. Then it would create a link file in source. That, BTW, would have
interesting implications wrt locking - we'd need to modify target's parent,
which can get sucky.
* unlink(2) with victim dentry not being a "link" file *and* being
busy would move the victim to hidden. Otherwise it'd kill the victim
outright.
* final iput() of file that'd been taken to hidden does deletion
of directory entry in hidden if i_nlink is 0.
The interesting part is locking - you need to deal with lookup vs. eviction
of link(2) target to hidden and with rename vs. the same thing.
> > Which is to say, this stuff *must* go. In case of HFS it's obnoxious,
> > but not immediately letal. In case of HFS+ it's an instant DoS.
>
> Feel free. I disavowed any responsibility for this code years ago. And
> before anyone thinks of complaining, I'll point out that I wasn't the
> one that submitted hfsplus for inclusion in the kernel either.
Not blaming you...
next prev parent reply other threads:[~2008-12-06 22:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-02 15:26 PROBLEM: hfsplus filesystem allows opendir() on plain files Damian Stewart
2008-12-02 22:21 ` Brad Boyer
2008-12-05 8:53 ` Damian Stewart
2008-12-06 6:00 ` Brad Boyer
2008-12-05 9:39 ` Christoph Hellwig
2008-12-06 6:32 ` Brad Boyer
2008-12-06 6:47 ` Al Viro
2008-12-06 7:21 ` Brad Boyer
2008-12-06 22:31 ` Al Viro [this message]
2008-12-06 22:35 ` Al Viro
2008-12-06 12:06 ` Anton Altaparmakov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081206223133.GR28946@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=damian@frey.co.nz \
--cc=flar@allandria.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).