Re: New reflink(2) syscall

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jamie Lokier <jamie@shareable.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Theodore Tso <tytso@mit.edu>, Stephen Smalley <sds@tycho.nsa.gov>,
	Chris Mason <chris.mason@oracle.com>,
	James Morris <jmorris@namei.org>,
	lsm <linux-security-module@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Wed, 6 May 2009 05:42:10 +0100	[thread overview]
Message-ID: <20090506044210.GB14804@shareable.org> (raw)
In-Reply-To: <4A0111BD.204@schaufler-ca.com>

Casey Schaufler wrote:
> Now I have a file that can have a thousand inodes, each of
> which might have a different set of access control characteristics.

>From a security perspective, how is this different from a
thousand separate files?

The copy-on-write is just an optimisation, a filesystem implementation
detail, from a certain perspective.

> With a single inode there is a definitive
> name for the file system object (device/inode) where with multiple
> inodes there is not. 

That's because there isn't a single object to name.  Why do you want
to pretend they are the same object?

They are separate files which share some disk blocks to save space and
time that's all.  A low-level implementation detail.  Completely
separate files can share blocks like that too on some filesystems.

In what way do the shared data blocks between otherwise separate files
have any security implication?

(Ok, ok, timing, ENOSPC, covert communications, but independent files
can trigger such interactions too.)

There's the actual creation of reflinks being invisible to i_nlink
watchers yet not requiring read permission, which is new.  But that
has nothing to do with the shared data: it would have the same
security implication even if reflink was just an ordinary file copy
with its proposed permission check!  :-)

-- Jamie

next prev parent reply	other threads:[~2009-05-06  4:42 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
     [not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35   ` New reflink(2) syscall James Morris
2009-05-04 16:59     ` Stephen Smalley
2009-05-04 17:49       ` Joel Becker
2009-05-05 18:00       ` Joel Becker
2009-05-05 18:41         ` Stephen Smalley
2009-05-05 19:15           ` Joel Becker
2009-05-05 19:14             ` Stephen Smalley
2009-05-05 19:33               ` Joel Becker
2009-05-05 22:15         ` James Morris
2009-05-05 22:31           ` Joel Becker
2009-05-06 11:23           ` Stephen Smalley
     [not found]   ` <20090504163514.GB31249@mail.oracle.com>
     [not found]     ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08       ` Joel Becker
2009-05-04 19:30         ` Stephen Smalley
2009-05-04 21:03           ` Joel Becker
2009-05-04 21:30             ` Joel Becker
2009-05-05 11:44               ` Stephen Smalley
2009-05-05 16:46                 ` Joel Becker
2009-05-04 23:13             ` Theodore Tso
2009-05-05 16:47               ` Joel Becker
2009-05-05 16:56                 ` Chris Mason
2009-05-05 17:13                   ` Joel Becker
2009-05-05 17:34                     ` Theodore Tso
2009-05-05 17:44                       ` Stephen Smalley
2009-05-05 17:56                         ` Joel Becker
2009-05-05 18:21                           ` Theodore Tso
2009-05-06  4:27                             ` Casey Schaufler
2009-05-06  4:42                               ` Jamie Lokier [this message]
2009-05-06  5:38                                 ` Casey Schaufler
2009-05-06  7:12                                   ` Theodore Tso
2009-05-05 22:45                         ` Jamie Lokier
2009-05-06  4:08                           ` Casey Schaufler
2009-05-06  4:28                             ` Jamie Lokier
2009-05-06 11:25                           ` Stephen Smalley
2009-05-05 17:36                     ` Chris Mason

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090506044210.GB14804@shareable.org \
    --to=jamie@shareable.org \
    --cc=casey@schaufler-ca.com \
    --cc=chris.mason@oracle.com \
    --cc=jmorris@namei.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=sds@tycho.nsa.gov \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).