From: david@fromorbit.com (Dave Chinner)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 3/3] fs: detect that the i_rwsem has already been taken exclusively
Date: Mon, 2 Oct 2017 14:54:19 +1100 [thread overview]
Message-ID: <20171002035419.GH15067@dastard> (raw)
In-Reply-To: <CA+55aFwV=mO4NjJ2nqOsme7Pg_Lno7hPO6o+ahf-qSpunm9scA@mail.gmail.com>
On Sun, Oct 01, 2017 at 04:15:07PM -0700, Linus Torvalds wrote:
> On Sun, Oct 1, 2017 at 3:34 PM, Dave Chinner <david@fromorbit.com> wrote:
> >
> > We already have a change counter on the inode, which is modified on
> > any data or metadata write (i_version) under filesystem locks. The
> > i_version counter has well defined semantics - it's required by
> > NFSv4 to increment on any metadata or data change - so we should be
> > able to rely on it's behaviour to implement IMA as well.
>
> I actually think i_version has exactly the wrong semantics.
>
> Afaik, it doesn't actually version the file _data_ at all, it only
> versions "inode itself changed".
No, the NFSv4 change attribute must change if either data or
metadata on the inode is changed, and be consistent and persistent
across server crashes. For data updates, they piggy back on mtime
updates ....
> But I might have missed something obvious. The updates are hidden in
> some odd places sometimes.
... which are in file_update_time().
Hence every data write or write page fault will call
file_update_time() and trigger an i_version increment, even if the
mtime doesn't change.
Cheers,
Dave.
--
Dave Chinner
david at fromorbit.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-10-02 3:54 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-28 12:39 [RFC PATCH 0/3] define new read_iter file operation rwf flag Mimi Zohar
2017-09-28 12:39 ` [RFC PATCH 1/3] fs: define new read_iter " Mimi Zohar
2017-09-28 13:54 ` Matthew Wilcox
2017-09-28 14:33 ` Mimi Zohar
2017-09-28 15:51 ` Linus Torvalds
2017-09-28 12:39 ` [RFC PATCH 2/3] integrity: use call_read_iter to calculate the file hash Mimi Zohar
2017-09-28 12:39 ` [RFC PATCH 3/3] fs: detect that the i_rwsem has already been taken exclusively Mimi Zohar
2017-09-28 22:02 ` Dave Chinner
2017-09-28 23:39 ` Linus Torvalds
2017-09-29 0:12 ` Mimi Zohar
2017-09-29 0:33 ` Linus Torvalds
2017-09-29 1:53 ` Mimi Zohar
2017-09-29 3:26 ` Linus Torvalds
2017-10-01 1:33 ` Eric W. Biederman
[not found] ` <CA+55aFx726wT4VprN-sHm6s8Q_PV_VjhTBC4goEbMcerYU1Tig@mail.gmail.com>
2017-10-01 12:08 ` Mimi Zohar
2017-10-01 18:41 ` Linus Torvalds
2017-10-01 22:34 ` Dave Chinner
2017-10-01 23:15 ` Linus Torvalds
2017-10-02 3:54 ` Dave Chinner [this message]
2017-10-01 23:42 ` Mimi Zohar
2017-10-02 3:25 ` Eric W. Biederman
2017-10-02 12:25 ` Mimi Zohar
2017-10-02 4:35 ` Dave Chinner
2017-10-02 12:09 ` Mimi Zohar
2017-10-02 12:43 ` Jeff Layton
2017-10-01 22:06 ` Eric W. Biederman
2017-10-01 22:20 ` Linus Torvalds
2017-10-01 23:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171002035419.GH15067@dastard \
--to=david@fromorbit.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).