From: Ram Pai <linuxram@us.ibm.com>
To: Dawid Ciezarkiewicz <dawid.ciezarkiewicz@rubrik.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: Read-only `slaves` with shared subtrees?
Date: Thu, 19 Oct 2017 11:13:00 -0700 [thread overview]
Message-ID: <20171019181300.GY5617@ram.oc3035372033.ibm.com> (raw)
In-Reply-To: <CAOEu9U5NfikC1piW10ep2pTmanFbUv7gABsKzaC8SOHEorCFRA@mail.gmail.com>
On Mon, Oct 09, 2017 at 02:39:49PM -0700, Dawid Ciezarkiewicz wrote:
> On Sun, Oct 8, 2017 at 5:15 PM, Ram Pai <linuxram@us.ibm.com> wrote:
> >>
> >> One thing that I don't plan to use, but might be worth thinking about is
> >> `slave + RW + STICKY` combination. If `master` mounts something RO,
> >> and `slave`
> >> is `RW + STICKY`, should the mount appear RW inside the slave? I don't
> >> find it particularly useful,
> >> but still...
> >
> > As per the implemented semantics it will become "RW". Should it be "RO"
> > aswell? Will that open up security holes?
>
> It is a mechanism that could be used to potentially increase the scope
> of privileges, which is a fertile ground for security issues. There is
> some room for using it to circumvent mechanisms that were unaware of
> this new feature. I guess for this reason alone, it might be worth
> limiting to RO only.l
ok. makes sense. It puts a twist to what I thought would have been
straight-forward-semantics. :-(
>
> >>
> >> Another thing that popped into my head: Is it worth considering any
> >> dynamic changes to `slave`'s
> >> RO status? It complicates everything a lot (it seems to me), since it
> >> adds a retroactive
> >> dynamic propagation. I don't currently have any plans to use it, but I
> >> could imagine scenarios
> >> in which a slave mount with all it's sub-mounts is remounted from RO
> >> to RW, in response to
> >> some external authorization trigger.
> >
> > The sematics should be something like this. Check if it makes sense.
> >
> > a) anything mounted under stick-mount will be a sticky-mount and will
> > inherit the mount's access-attribute;i.e RO RW attribute.
> > b) a mount when made sticky will propagate its sticky attribute
> > as well as its access-attribute recursively to its children
> > c) anything mounted under non-sticky mount will not inherit the
> > mount's access-attribute and will be non-sticky aswell.
> > d) a mount when made non-sticky will just change itself to non-sticky.
> > (will NOT propagate its non-sticky attribute and its
> > access-attribue recursively to its children.)
>
> a), b) and c), seem uncontroversial. d) seems OK, but I'm unsure as it
> is asymmetrical to b). Both recursive and non-recursive D seem to make
> sense. I'm just unsure if any is more useful than the other.
>
> What happens when a sticky RO slave mount is remounted as RW? Does it
> loose stickiness? Does this change propagate to its children?
>
> Another angle, that just appeared to me: If we have a double link A
> (master) -> (slave) B (master) -> (slave) C
>
> If A is RW and B is RO + sticky, does mount propagated to C will also
> be RO? It seems to me it should.
that seems to be the right thing to do.
Do you want to code up something and send? I can aswell.. but bit
occupied with other high-priority stuff.
@Eric: Any thoughts on the proposed semantics?
RP
next prev parent reply other threads:[~2017-10-19 18:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAOEu9U6WWH+ekbRTQOi=BfvtV+DiPXTKf3+aKbQ7Rz04VKZr-g@mail.gmail.com>
[not found] ` <20170918204710.GI5698@ram.oc3035372033.ibm.com>
[not found] ` <CAOEu9U5zUc2K_BE5xUW42vgVQuSOyDT74sW66Ki_APhVr2pyBA@mail.gmail.com>
[not found] ` <20170920193954.GK5698@ram.oc3035372033.ibm.com>
[not found] ` <20170920194108.GB5721@ram.oc3035372033.ibm.com>
2017-09-20 22:56 ` Read-only `slaves` with shared subtrees? Eric W. Biederman
2017-09-20 23:06 ` Eric W. Biederman
2017-09-21 0:39 ` Ram Pai
2017-09-21 3:00 ` Dawid Ciezarkiewicz
2017-09-21 19:14 ` Ram Pai
2017-09-22 18:43 ` Dawid Ciezarkiewicz
2017-09-29 23:02 ` Dawid Ciezarkiewicz
2017-10-09 0:15 ` Ram Pai
2017-10-09 21:39 ` Dawid Ciezarkiewicz
2017-10-19 18:13 ` Ram Pai [this message]
2017-10-20 2:23 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171019181300.GY5617@ram.oc3035372033.ibm.com \
--to=linuxram@us.ibm.com \
--cc=dawid.ciezarkiewicz@rubrik.com \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).