From: "Theodore Ts'o" <tytso@mit.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ric Wheeler <ricwheeler@gmail.com>,
Gregory Farnum <greg@gregs42.com>,
Dave Chinner <david@fromorbit.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Christoph Hellwig <hch@infradead.org>,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Jens Axboe <axboe@kernel.dk>,
Andrew Morton <akpm@linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
shane.seymour@hpe.com, Bruce Fields <bfields@fieldses.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Jeff Layton <jlayton@poochiereds.net>,
Eric Sandeen <esandeen@redhat.com>
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Date: Thu, 10 Mar 2016 16:47:04 -0500 [thread overview]
Message-ID: <20160310214704.GA8890@thunk.org> (raw)
In-Reply-To: <CA+55aFyw1nN4ze3-AGGE27evOZuXnkJC9C-W5QRUR=zKHqObGg@mail.gmail.com>
On Thu, Mar 10, 2016 at 10:33:49AM -0800, Linus Torvalds wrote:
> On Thu, Mar 10, 2016 at 6:58 AM, Ric Wheeler <ricwheeler@gmail.com> wrote:
> >
> > What was objectionable at the time this patch was raised years back (not
> > just to me, but to pretty much every fs developer at LSF/MM that year)
> > centered on the concern that this would be viewed as a "performance" mode
> > and we get pressure to support this for non-priveleged users. It gives any
> > user effectively the ability to read the block device content for previously
> > allocated data without restriction.
Sure, but it was never "any user". We always had group-based
permissions from the beginning. Sure, we passed it in via a mount
option which was a bit hacky, but we never got to the point of
discussing the way that we would modulate the access --- the complaint
seemed to be that if it was a non-root user, it was an unacceptable
security hole. And the pushback I got was more in the way of a
religious objection more than anything else. Heck, even reserving a
code point for the out-of-tree patch received a huge amount of
pushback.
> The sane way to do it would be to just check permissions of the
> underlying block device.
>
> That way, people can just set the permissions for that to whatever
> they want. If google right now uses some magical group for this, they
> could make the underlying block device be writable for that group.
I'd suggest making it be if you had *read* access to the block device.
After all, the risk that everyone was all excited about was the risk
of being able to read stale (deleted) data from old files. And
there's no point giving the userspace cluster file system daemon the
ability to corrupt the file system or set the setuid bit on some
arbitrary executable.
And if we are going to go this far, then I'd also suggest using this
permission check to the user the ability to issue BLKDISCARD on a
file. Allowing BLKDISCARD on files is one that should have been even
more of a no-brainer, since it could never reveal stale data, but
simply wasn't guaranteed to have reliable results because it was a
hint to the underlying storage device. But this has also received a
huge amount of religious pushback, which is why this is also an
out-of-tree patch in the Google kernel. (If that means that our
competitors have a higher flash TCO than us, again, no skin off my
nose. I tried to get it upstream, and cost of forward porting the
patch each time we rebase the kernel isn't _that_ annoying.)
- Ted
> We can do the security check at the filesystem level, because we have
> sb->s_bdev->bd_inode, and if you have read and write permissions to
> that inode, you might as well have permission to create a unsafe hole.
>
> That doesn't sound very hacky to me.
>
> Linus
next prev parent reply other threads:[~2016-03-10 21:47 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 4:09 [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Darrick J. Wong
2016-03-02 4:09 ` [PATCH 1/2] block: invalidate the page cache when issuing BLKZEROOUT Darrick J. Wong
2016-03-02 9:19 ` Christoph Hellwig
2016-03-02 4:09 ` [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Darrick J. Wong
2016-03-02 9:20 ` Christoph Hellwig
2016-03-02 18:52 ` Linus Torvalds
2016-03-02 22:56 ` Darrick J. Wong
2016-03-02 23:49 ` Linus Torvalds
2016-03-03 17:02 ` Theodore Ts'o
2016-03-03 17:55 ` Linus Torvalds
2016-03-03 18:00 ` Christoph Hellwig
2016-03-03 18:14 ` Martin K. Petersen
2016-03-03 18:21 ` Theodore Ts'o
2016-03-03 18:01 ` Martin K. Petersen
2016-03-03 18:09 ` Christoph Hellwig
2016-03-03 18:12 ` Darrick J. Wong
2016-03-03 18:54 ` Martin K. Petersen
2016-03-03 22:39 ` Theodore Ts'o
2016-03-03 23:10 ` Dave Chinner
2016-03-04 0:20 ` Theodore Ts'o
2016-03-09 22:20 ` Gregory Farnum
2016-03-09 23:08 ` Theodore Ts'o
2016-03-10 14:58 ` Ric Wheeler
2016-03-10 18:33 ` Linus Torvalds
2016-03-10 21:47 ` Theodore Ts'o [this message]
2016-03-11 4:42 ` Ric Wheeler
2016-03-11 13:59 ` One Thousand Gnomes
2016-03-11 15:27 ` Theodore Ts'o
2016-03-11 17:23 ` Linus Torvalds
2016-03-11 17:30 ` Andy Lutomirski
2016-03-11 18:25 ` Linus Torvalds
2016-03-11 22:30 ` Dave Chinner
2016-03-12 0:33 ` Linus Torvalds
2016-03-12 0:35 ` Theodore Ts'o
2016-03-12 0:44 ` Linus Torvalds
2016-03-12 7:19 ` Theodore Ts'o
2016-03-12 10:11 ` Thomas Schoebel-Theuer
2016-03-13 23:30 ` Dave Chinner
2016-03-14 10:34 ` Ric Wheeler
2016-03-14 14:46 ` Theodore Ts'o
2016-03-15 20:14 ` Dave Chinner
2016-03-15 20:43 ` Linus Torvalds
2016-03-15 21:29 ` Theodore Ts'o
2016-03-15 22:33 ` Dave Chinner
2016-03-15 22:52 ` Theodore Ts'o
2016-03-16 1:51 ` Darrick J. Wong
2016-03-16 21:45 ` Andreas Dilger
2016-03-17 0:15 ` Theodore Ts'o
2016-03-17 0:33 ` Eric Sandeen
2016-03-17 0:59 ` Theodore Ts'o
2016-03-17 5:18 ` Gregory Farnum
2016-03-17 12:36 ` Theodore Ts'o
2016-03-17 17:47 ` Linus Torvalds
2016-03-17 17:50 ` Ric Wheeler
2016-03-17 17:59 ` Linus Torvalds
2016-03-17 18:35 ` Chris Mason
2016-03-17 20:49 ` Andreas Dilger
2016-03-17 21:00 ` Chris Mason
2016-03-18 3:20 ` Theodore Ts'o
2016-03-18 15:15 ` Jeff Moyer
2016-03-18 20:05 ` Martin K. Petersen
2016-03-18 6:52 ` Gregory Farnum
2016-03-18 7:19 ` Linus Torvalds
2016-03-17 1:01 ` Dave Chinner
2016-03-17 2:38 ` Darrick J. Wong
2016-03-18 22:55 ` NeilBrown
2016-03-15 23:06 ` Linus Torvalds
2016-03-15 23:14 ` Linus Torvalds
2016-03-16 0:08 ` Dave Chinner
2016-03-15 23:52 ` Dave Chinner
2016-03-16 0:06 ` Linus Torvalds
2016-03-16 0:30 ` Eric Sandeen
2016-03-16 0:51 ` Chris Mason
2016-03-16 22:23 ` Chris Mason
2016-03-17 13:49 ` Ric Wheeler
2016-03-15 22:38 ` Eric Sandeen
2016-03-03 22:56 ` Dave Chinner
2016-03-04 2:30 ` Thomas Schoebel-Theuer
2016-03-03 18:14 ` Linus Torvalds
2016-03-02 9:15 ` [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Arnd Bergmann
2016-03-02 9:44 ` Christoph Hellwig
2016-03-02 10:55 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160310214704.GA8890@thunk.org \
--to=tytso@mit.edu \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=bfields@fieldses.org \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=esandeen@redhat.com \
--cc=greg@gregs42.com \
--cc=hch@infradead.org \
--cc=jlayton@poochiereds.net \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=ricwheeler@gmail.com \
--cc=shane.seymour@hpe.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox