From: Joel Becker
Subject: Re: New reflink(2) syscall
Date: Mon, 4 May 2009 14:30:32 -0700
Message-ID: <20090504213032.GE25313@mail.oracle.com>
To: Stephen Smalley , James Morris , lsm , linux-fsdevel@vger.kernel.org
In-Reply-To: <20090504210356.GA25313@mail.oracle.com>

On Mon, May 04, 2009 at 02:03:56PM -0700, Joel Becker wrote:
> On Mon, May 04, 2009 at 03:30:46PM -0400, Stephen Smalley wrote:
> > > 	Yeah, I really don't want to create multiple behaviors.  I
> > > wasn't proposing the "behaves differently on CAP_CHOWN," I was trying to
> > > clarify what you were thinking.
> >
> > Given that normally users can't create files with other ownerships, it
> > seemed that we might want to require CAP_CHOWN or some other capability
> > in order to reflink(2) a file that isn't owned by the fsuid of the
> > process.  Possibly is_owner_or_cap(), i.e. owner or CAP_FOWNER, would be
> > suitable.
>
> 	Yeah, the more I think about it the more I agree.  It's a simple
> story - you're creating a file with ownership !you, you need
> owner_or_cap.

	Wouldn't testing inode_change_ok() be the right thing here?  Hits
up uid, gid, perms, times.

Joel

-- 
"In the beginning, the universe was created.  This has made a lot
 of people very angry, and is generally considered to have been a
 bad move."
	- Douglas Adams

Joel Becker
Principal Software Developer
Oracle
E-mail: joel.becker@oracle.com
Phone: (650) 506-8127
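To make concrete what "hits up uid, gid, perms, times" means for the reflink case, here is a user-space model of the inode_change_ok() checks of that era applied to the scenario in the thread. This is an added example, not code from the thread or from the kernel; the struct names are constructed stand-ins, and it assumes the new inode is first created owned by the caller (fsuid/fsgid) and then stamped with the source file's uid, gid and mode.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>

/* Constructed stand-ins for the caller's credentials and an inode, not kernel types. */
struct cred_model {
    unsigned fsuid, fsgid;
    const unsigned *groups; size_t ngroups;   /* supplementary groups */
    bool cap_chown, cap_fowner, cap_fsetid;
};
struct inode_model { unsigned uid, gid, mode; };

static bool in_group_p(const struct cred_model *c, unsigned gid)
{
    if (gid == c->fsgid) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Model of the 2.6.30-era inode_change_ok() for an iattr that sets uid, gid, mode
 * and timestamps together. Returns 0 or -EPERM; like the kernel it strips S_ISGID
 * from attr->mode when the caller is outside the target group without CAP_FSETID. */
int inode_change_ok_model(const struct cred_model *c, const struct inode_model *ino,
                          struct inode_model *attr)
{
    bool owner_or_cap = c->fsuid == ino->uid || c->cap_fowner;   /* is_owner_or_cap() */
    /* chown: the owner may only "set" its own uid; anything else needs CAP_CHOWN */
    if ((c->fsuid != ino->uid || attr->uid != ino->uid) && !c->cap_chown)
        return -EPERM;
    /* chgrp: the owner may pick a group it belongs to or keep the current one */
    if ((c->fsuid != ino->uid ||
         (!in_group_p(c, attr->gid) && attr->gid != ino->gid)) && !c->cap_chown)
        return -EPERM;
    /* chmod and explicit atime/mtime: owner or CAP_FOWNER */
    if (!owner_or_cap) return -EPERM;
    if (!in_group_p(c, attr->gid) && !c->cap_fsetid)
        attr->mode &= ~S_ISGID;
    return 0;
}

/* reflink(2) scenario assumed here: the new inode starts out owned by the caller
 * (fsuid/fsgid) and is then stamped with the source's uid, gid and mode. */
int reflink_ok(const struct cred_model *c, const struct inode_model *src, unsigned *mode_out)
{
    struct inode_model fresh = { c->fsuid, c->fsgid, src->mode }, want = *src;
    int rc = inode_change_ok_model(c, &fresh, &want);
    if (rc == 0) *mode_out = want.mode;
    return rc;
}
```

Under this model an unprivileged caller may reflink only files it owns whose group it belongs to, CAP_CHOWN lifts both restrictions, and a setgid bit on the source survives only if the caller is in that group or holds CAP_FSETID.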