From: Christoph Hellwig <hch@infradead.org>
To: Christian Brauner <brauner@kernel.org>
Cc: Chuck Lever <chuck.lever@oracle.com>,
Jeff Layton <jlayton@kernel.org>,
Amir Goldstein <amir73il@gmail.com>,
Christoph Hellwig <hch@infradead.org>,
"Darrick J. Wong" <djwong@kernel.org>,
Erin Shepherd <erin.shepherd@e43.eu>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-nfs@vger.kernel.org, stable <stable@kernel.org>,
Greg KH <gregkh@linuxfoundation.org>,
Jens Axboe <axboe@kernel.dk>, Shaohua Li <shli@fb.com>
Subject: Re: [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles
Date: Tue, 10 Dec 2024 03:10:12 -0800
Message-ID: <Z1ghlNpEOQ8jmZnW@infradead.org>
In-Reply-To: <20241210-gekonnt-pigmente-6d44d768469f@brauner>

On Tue, Dec 10, 2024 at 11:13:16AM +0100, Christian Brauner wrote:
> So I'm happy to drop the exportfs preliminary we have now preventing
> kernfs from being exported but then Christoph and you should figure out
> what the security implications of allowing kernfs instances to be
> exported are because I'm not an NFS export expert.

I'm pretty sure you can do all kinds of really stupid things with it,
and very few if any useful ones. But the litmus test is if those are
things that only the kernel nfs server can do vs things that a userland
nfs (or other protocol) server could do with the open by handle syscalls.
Because if they aren't specific to the kernel nfs server they are just
random policy for privileged actions.

Thread overview: 32+ messages
2024-12-01 13:12 [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting file handles Christian Brauner
2024-12-01 13:12 ` [PATCH 1/4] exportfs: add flag to indicate local " Christian Brauner
2024-12-01 13:44 ` Amir Goldstein
2024-12-01 23:12 ` Dave Chinner
2024-12-02 9:19 ` Christian Brauner
2024-12-01 13:12 ` [PATCH 2/4] kernfs: restrict to " Christian Brauner
2024-12-01 13:12 ` [PATCH 3/4] ovl: restrict to exportable " Christian Brauner
2024-12-01 13:12 ` [PATCH 4/4] pidfs: restrict to local " Christian Brauner
2024-12-01 13:28 ` [PATCH 0/4] exportfs: add flag to allow marking export operations as only supporting " Jeff Layton
2024-12-01 16:22 ` Chuck Lever III
2024-12-03 9:08 ` Christian Brauner
2024-12-03 14:32 ` Jeff Layton
2024-12-01 13:44 ` Amir Goldstein
2024-12-05 0:38 ` Christoph Hellwig
2024-12-05 10:53 ` Christian Brauner
2024-12-05 11:57 ` Amir Goldstein
2024-12-06 16:03 ` Darrick J. Wong
2024-12-07 8:49 ` Amir Goldstein
2024-12-09 7:49 ` Christoph Hellwig
2024-12-09 8:58 ` Amir Goldstein
2024-12-09 9:16 ` Greg KH
2024-12-09 10:02 ` Amir Goldstein
2024-12-09 13:45 ` Christoph Hellwig
2024-12-09 13:46 ` Christoph Hellwig
2024-12-09 16:30 ` Amir Goldstein
2024-12-09 16:35 ` Chuck Lever
2024-12-09 17:15 ` Jeff Layton
2024-12-09 17:20 ` Chuck Lever
2024-12-10 10:13 ` Christian Brauner
2024-12-10 10:34 ` Christian Brauner
2024-12-10 11:10 ` Christoph Hellwig [this message]
2024-12-10 12:44 ` Jeff Layton