From: "Albert Cahalan"
Subject: Re: [RFC/PATCH] revoke/frevoke system calls
Date: Sat, 22 Jul 2006 04:05:19 -0400
Message-ID: <787b0d920607220105l21251402nc98381edbc27a0c5@mail.gmail.com>
To: froese@gmx.de, B.Steinbrink@gmx.de, hurtta+gmane@siilo.fmi.fi, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Edgar Toernig writes:
> Björn Steinbrink wrote:
>> In do_revoke() there is:
>>
>> + if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) {
>> + ret = -EPERM;
>> + goto out;
>>
>> That pretty much matches what the BSD manpage says.
>
> Urgs, so any user may remove mappings from another process and
> let it crash?

Two good solutions come to mind:

a. substitute the zero page
b. make the mapping private and touch it as if C-O-W happened

Other concerns:

Optionally excluding the current UID/TGID/TID would be good.
(some flags)

A revokeat() call seems to be required.

Be sure to handle working directories.

The controlling tty is special.

Flag processes with revoked ttys in /proc/*/stat please, so that
ps can report it properly without opening another file.

BTW, it is wonderful to see this happening.
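
Review bot: the permission test quoted from do_revoke(), current->fsuid != inode->i_uid && !capable(CAP_FOWNER), looks only at who owns the inode and not at who currently holds the file open or mapped, so a file's owner passes the check even when the users of the file are other users' processes. The quoted lines do not show what a revoked mapping becomes afterwards. A comment at this check should state the intended permission model, and the resulting behaviour of existing mappings (fault, zero page, or private copy, as raised in this thread) should be defined and documented next to it.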