From: Theodore Tso <tytso@mit.edu>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Jamie Lokier <jamie@shareable.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Chris Mason <chris.mason@oracle.com>,
James Morris <jmorris@namei.org>,
lsm <linux-security-module@vger.kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: New reflink(2) syscall
Date: Wed, 6 May 2009 03:12:30 -0400 [thread overview]
Message-ID: <20090506071230.GA6976@mit.edu> (raw)
In-Reply-To: <4A01226B.6030801@schaufler-ca.com>
On Tue, May 05, 2009 at 10:38:51PM -0700, Casey Schaufler wrote:
> It's different from 1000 separate files because I can now have
> one set of data blocks with read access controlled by 1000 different
> users.
>
> # chown user000 rfile000
> ...
> # chown user999 rfile999
>
> now 1000 different users can grant access to those blocks,
> so long as they don't change. Without reflink() I know that if
> I own the file, it isn't open (fuser says so) and it is mode 700
> that noone else can read it sans privilege. With reflink() not
> only is this not true, but I can't find out who might be able to
> read it. Changing the permissions, ACL, SELinux label, Smack label,
> or TOMOYO policy won't help, because there may be another inode
> out there somewhere that I can't even access that is granting the
> rest of the world access.
Sure, but if the file is readable by 1000 different users, then they
they could each make 1000 different copies of the file. So the
"reflink-copy-optimization" variant (i.e., do a reflink where the
initial owner is the user doing the reflink, and where the initial ACL
is the destination directory's default creation ACL, and the initial
group ownership, etc. is exactly the same as if you had created a new
file in the destination directory).... then this acts *precisely* the
same as an optimized file copy. So if you allow someone to do a
"reflink-copy" only when they would be allowed to read the file, it's
merely a low-level optimization.
In contrast, the "reflink-link" variant which OCFS2 has prototyped
acts more like a link --- except it gets a new inode number. From a
security perspective, you treat this exactly as if it were a link.
In both cases, you treat the quota as if the new file was created,
since the original file could be removed at any time, or the COW link
could be snapped and the file really copied.
> Yeah, I can see the argument, I'm just not sure that I could
> turn around and sell it to an eager-puppy security evaluator
> fresh out of a PHD program at the U of Maryland.
That's going to be true of *any* new filesystem feature, wouldn't it?
I don't think that's a justifiable reason not to implement a new
feature. In any case, if the security evaluators are that silly, you
can always simply remove the ability to use reflinks altogether. That
might break some application programs, but if the some that breaks
some General or Admiral's pet project, I'm sure pressure can be
brought to bear on the security evaluator. :-)
- Ted
next prev parent reply other threads:[~2009-05-06 7:12 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LRH.2.00.0905041655220.21713@tundra.namei.org>
[not found] ` <1241443016.3023.51.camel@localhost.localdomain>
2009-05-04 15:35 ` New reflink(2) syscall James Morris
2009-05-04 16:59 ` Stephen Smalley
2009-05-04 17:49 ` Joel Becker
2009-05-05 18:00 ` Joel Becker
2009-05-05 18:41 ` Stephen Smalley
2009-05-05 19:15 ` Joel Becker
2009-05-05 19:14 ` Stephen Smalley
2009-05-05 19:33 ` Joel Becker
2009-05-05 22:15 ` James Morris
2009-05-05 22:31 ` Joel Becker
2009-05-06 11:23 ` Stephen Smalley
[not found] ` <20090504163514.GB31249@mail.oracle.com>
[not found] ` <1241458669.3023.203.camel@localhost.localdomain>
2009-05-04 18:08 ` Joel Becker
2009-05-04 19:30 ` Stephen Smalley
2009-05-04 21:03 ` Joel Becker
2009-05-04 21:30 ` Joel Becker
2009-05-05 11:44 ` Stephen Smalley
2009-05-05 16:46 ` Joel Becker
2009-05-04 23:13 ` Theodore Tso
2009-05-05 16:47 ` Joel Becker
2009-05-05 16:56 ` Chris Mason
2009-05-05 17:13 ` Joel Becker
2009-05-05 17:34 ` Theodore Tso
2009-05-05 17:44 ` Stephen Smalley
2009-05-05 17:56 ` Joel Becker
2009-05-05 18:21 ` Theodore Tso
2009-05-06 4:27 ` Casey Schaufler
2009-05-06 4:42 ` Jamie Lokier
2009-05-06 5:38 ` Casey Schaufler
2009-05-06 7:12 ` Theodore Tso [this message]
2009-05-05 22:45 ` Jamie Lokier
2009-05-06 4:08 ` Casey Schaufler
2009-05-06 4:28 ` Jamie Lokier
2009-05-06 11:25 ` Stephen Smalley
2009-05-05 17:36 ` Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090506071230.GA6976@mit.edu \
--to=tytso@mit.edu \
--cc=casey@schaufler-ca.com \
--cc=chris.mason@oracle.com \
--cc=jamie@shareable.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).