From: Theodore Tso
Subject: Re: New reflink(2) syscall
Date: Tue, 5 May 2009 14:21:35 -0400
Message-ID: <20090505182135.GK17486@mit.edu>
References: <20090504180855.GE31249@mail.oracle.com> <1241465446.3023.228.camel@localhost.localdomain> <20090504210356.GA25313@mail.oracle.com> <20090504231334.GA17486@mit.edu> <20090505164700.GB7835@mail.oracle.com> <1241542618.7244.76.camel@think.oraclecorp.com> <20090505171331.GG7835@mail.oracle.com> <20090505173423.GH17486@mit.edu> <1241545451.3023.341.camel@localhost.localdomain> <20090505175603.GH7835@mail.oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: Stephen Smalley, Chris Mason, James Morris, lsm, linux-fsdevel@vger.kernel.org
Return-path:
Content-Disposition: inline
In-Reply-To: <20090505175603.GH7835@mail.oracle.com>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Tue, May 05, 2009 at 10:56:03AM -0700, Joel Becker wrote:
> On Tue, May 05, 2009 at 01:44:11PM -0400, Stephen Smalley wrote:
> > > Both use cases are equally valid, and I imagine there would be
> > > interest in using reflinks both for snapshots and as a very
> > > lightweight copy operation by commands like /bin/cp.
>
> 	Sure, but you can start with a reflink and then do what you want
> to it.
>
> > Not arguing against this, but just to note: the security model will
> > differ depending on these flags, as the link-like case doesn't require
> > the caller to have read access to the file (the data is no more
> > accessible than it was before), whereas the copy-like case requires the
> > caller to have read access to the original file since the data "leaks"
> > into a container with potentially different access constraints.
>
> 	Yeah, another reason why I don't want to complicate the
> behavior. I defined it as "the operation is like link(2)" for a reason
> :-)

The security model *is* the problem, however.
If we have a mode where reflink acts like cp, then it doesn't require anything special in terms of CAP_FOWNER. It really is the same as a copy command. So sure, you could start with a reflink and then modify it, but if you're an unprivileged user, you won't be able to create the reflink in the first place. - Ted
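The two access policies argued over in this thread can be made concrete with a small model. The following is an added illustration, not the proposed syscall or any kernel code: a link-like reflink produces an inode that keeps the source's owner and mode (so no read check is needed, but, as Ted's mail implies, creating an inode owned by someone else needs ownership or CAP_FOWNER), while a copy-like reflink produces an inode owned by the caller and therefore needs the same read check that cp gets. The actors, files and the exact rule for the link-like case are assumptions; only the classic owner/group/other mode bits are modelled, with CAP_DAC_OVERRIDE and LSM hooks left out.

```python
"""Toy model of the two reflink(2) permission policies from this thread:
link-like (new inode keeps the source's owner and mode) versus copy-like
(new inode is owned by the caller, as with cp).

Constructed illustration, not the proposed syscall or any kernel code.
Only owner/group/other mode bits are modelled; CAP_DAC_OVERRIDE and LSM
hooks are deliberately left out.
"""
from dataclasses import dataclass

CAP_FOWNER = "CAP_FOWNER"


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Caller:
    uid: int
    gids: frozenset
    caps: frozenset = frozenset()


def may_read(caller: Caller, inode: Inode) -> bool:
    """Unix DAC read check: owner bits, else group bits, else other bits."""
    if caller.uid == inode.uid:
        shift = 6
    elif inode.gid in caller.gids:
        shift = 3
    else:
        shift = 0
    return bool((inode.mode >> shift) & 0o4)


def reflink_link_like(caller: Caller, src: Inode):
    """Link-like mode.

    The new inode carries src's uid/gid/mode, so the data is no more
    accessible than before and no read check is needed.  But the caller is
    creating an inode owned by someone else, which (assumption drawn from
    the thread) needs ownership of src or CAP_FOWNER.
    Returns the resulting inode, or None if refused.
    """
    if caller.uid == src.uid or CAP_FOWNER in caller.caps:
        return Inode(src.uid, src.gid, src.mode)
    return None


def reflink_copy_like(caller: Caller, src: Inode, new_gid: int):
    """Copy-like mode.

    The shared data lands in an inode owned by the caller, i.e. it "leaks"
    into a container with different access constraints; exactly like cp,
    the caller must be able to read src.  No special capability is needed.
    """
    if not may_read(caller, src):
        return None
    return Inode(caller.uid, new_gid, src.mode)


# Constructed actors: alice owns the files, bob is an unrelated unprivileged user.
ALICE = Caller(uid=1000, gids=frozenset({1000}))
BOB = Caller(uid=1001, gids=frozenset({1001}))
BOB_FOWNER = Caller(uid=1001, gids=frozenset({1001}), caps=frozenset({CAP_FOWNER}))

PRIVATE = Inode(uid=1000, gid=1000, mode=0o600)  # readable by alice only
PUBLIC = Inode(uid=1000, gid=1000, mode=0o644)   # world-readable


def demo():
    """Map (actor, file, mode) -> allowed, for every combination above."""
    rows = {}
    for who, caller in ("alice", ALICE), ("bob", BOB), ("bob+CAP_FOWNER", BOB_FOWNER):
        for fname, ino in ("private", PRIVATE), ("public", PUBLIC):
            rows[(who, fname, "link")] = reflink_link_like(caller, ino) is not None
            rows[(who, fname, "copy")] = reflink_copy_like(caller, ino, caller.uid) is not None
    return rows


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key[0]:>15} {key[1]:>8} {key[2]:>5}: {'allowed' if ok else 'refused'}")
```

The table the script prints shows the asymmetry that drives the argument: bob can take a copy-like reflink of a world-readable file but not a link-like one, because the link-like result would be an inode owned by alice; with CAP_FOWNER he can take a link-like reflink even of her private file, since the data stays behind her own mode bits.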