From: Joel Becker <Joel.Becker@oracle.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Mon, 4 May 2009 11:08:55 -0700 [thread overview]
Message-ID: <20090504180855.GE31249@mail.oracle.com> (raw)
In-Reply-To: <1241458669.3023.203.camel@localhost.localdomain>
[Re-adding linux-fsdevel]
On Mon, May 04, 2009 at 01:37:49PM -0400, Stephen Smalley wrote:
> On Mon, 2009-05-04 at 09:35 -0700, Joel Becker wrote:
> > On Mon, May 04, 2009 at 09:16:56AM -0400, Stephen Smalley wrote:
> > > BTW, the DAC permission checking here also needs some thought, and
> > > wouldn't be handled by the LSM hook. Should reflink(2) require DAC read
> > > permission to the file, like a file copy would? And if the owner of the
> > > original differs from the fsuid of the current process, should
> > > reflink(2) require CAP_CHOWN in order to set the ownership of the copy
> > > to the original's owner?
> >
> > I'm thinking it should require read, yes. That's part of what
> > I'm asking. Regarding CAP_CHOWN - I don't want to limit the call to
> > root-only. Are you saying something like "If you have CAP_CHOWN, you
> > can reflink() the sucker and keep the original ownership, otherwise
> > sorry, it's gotta be owned by the current process"?
>
> Is reflink() supposed to be more like link(2) or more like an in-kernel
> optimized file copy?
More like link(2).
> And what is the real usage scenario? Are users likely to need/want to
> be able to reflink() to files that they do not own? If so, will they be
> more likely to want to own the new copies or preserve the original
> ownership?
The real usage scenarios are varied. The idea came out of inode
snapshots. And for that, you really want to preserve everything. But
when we came up with the reflink(2) interface as a more generic way to
invoke it, we came up with a lot of fun uses.
The other mail had a good point - if you can allow someone the
ability to reflink() a file but not read or write it, you might not even
need read permission. I'm thinking of a snapshotter that can make
snapshots with only the permissions to create in the snapshot directory.
That's neat.
> If you want to support multiple attribute assignment behaviors (e.g.
> sometimes preservation, sometimes inherit from the process), then you
> should make that explicit in the interface, e.g. preservation flags for
> the different attributes, and fail the operation if unable to honor the
> request.
Yeah, I really don't want to create multiple behaviors. I
wasn't proposing the "behaves differently on CAP_CHOWN," I was trying to
clarify what you were thinking.
JOel
--
"Sometimes I think the surest sign intelligent
life exists elsewhere in the universe is that
none of it has tried to contact us."
-Calvin & Hobbes
Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker@oracle.com
Phone: (650) 506-8127
next prev parent reply other threads:[~2009-05-04 18:08 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker [this message]
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090504180855.GE31249@mail.oracle.com \
--to=joel.becker@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).