From: hooanon05@yahoo.co.jp
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC 4/8] Aufs2: branch
Date: Mon, 23 Feb 2009 16:36:08 +0900 [thread overview]
Message-ID: <7793.1235374568@jrobl> (raw)
In-Reply-To: <7558.1235374266@jrobl>
> This is my second trial to ask incorporating aufs into mainline.
Branch Manipulation
Since aufs supports dynamic branch manipulation, ie. add/remove a branch
and changing its permission/attribute, there are a lot of works to do.
Add a Branch
----------------------------------------------------------------------
o Confirm the adding dir exists outside of aufs, including loopback
mount.
- and other various attributes...
o Initialize the xino file and whiteout bases if necessary.
See struct.txt.
o Check the owner/group/mode of the directory
When the owner/group/mode of the adding directory differs from the
existing branch, aufs issues a warning because it may impose a
security risk.
For example, when a upper writable branch has a world writable empty
top directory, a malicious user can create any files on the writable
branch directly, like copy-up and modify manually. If something like
/etc/{passwd,shadow} exists on the lower readonly branch but the upper
writable branch, and the writable branch is world-writable, then a
malicious guy may create /etc/passwd on the writable branch directly
and the infected file will be valid in aufs.
I am afraid it can be a security issue, but nothing to do except
producing a warning.
Delete a Branch
----------------------------------------------------------------------
o Confirm the deleting branch is not busy
To be general, there is one merit to adopt "remount" interface to
manipulate branches. It is to discard caches. At deleting a branch,
aufs checks the still cached (and connected) dentries and inodes. If
there are any, then they are all in-use. An inode without its
corresponding dentry can be alive alone (for example, inotify case).
For the cached one, aufs checks whether the same named entry exists on
other branches.
If the cached one is a directory, because aufs provides a merged view
to users, as long as one dir is left on any branch aufs can show the
dir to users. In this case, the branch can be removed from aufs.
Otherwise aufs rejects deleting the branch.
If any file on the deleting branch is opened by aufs, then aufs
rejects deleting.
Modify the Permission of a Branch
----------------------------------------------------------------------
o Re-initialize or remove the xino file and whiteout bases if necessary.
See struct.txt.
o rw --> ro: Confirm the modifying branch is not busy
Aufs rejects the request if any of these conditions are true.
- a file on the branch is mmap-ed.
- a regular file on the branch is opened for write and there is no
same named entry on the upper branch.
next prev parent reply other threads:[~2009-02-23 7:36 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-23 7:31 [RFC 0/8] Aufs2 documents hooanon05
2009-02-23 7:33 ` [RFC 1/8] Aufs2: introduction hooanon05
2009-02-23 7:34 ` [RFC 2/8] Aufs2: structure hooanon05
2009-02-23 9:13 ` Tomas M
2009-02-23 9:22 ` Tomas M
2009-02-24 8:13 ` New filesystem for Linux kernel Tomas M
2009-02-24 11:52 ` Miklos Szeredi
2009-02-24 13:18 ` hooanon05
2009-02-24 13:45 ` Tarkan Erimer
2009-02-24 13:57 ` hooanon05
2009-02-24 14:16 ` Tarkan Erimer
2009-02-24 14:50 ` Miklos Szeredi
2009-02-24 16:26 ` hooanon05
2009-02-25 10:28 ` Miklos Szeredi
2009-02-26 4:09 ` hooanon05
2009-02-26 5:51 ` hooanon05
2009-02-26 5:55 ` hooanon05
2009-02-24 14:15 ` Theodore Tso
2009-02-24 15:18 ` David P. Quigley
2009-02-24 15:41 ` hooanon05
2009-02-25 15:53 ` David P. Quigley
2009-02-26 4:21 ` hooanon05
2009-02-25 7:31 ` Tomas M
2009-02-25 9:33 ` David Newall
2009-02-25 8:12 ` Tomas M
2009-02-26 14:31 ` Amit Kucheria
2009-02-23 14:23 ` [RFC 2/8] Aufs2: structure hooanon05
2009-02-23 7:35 ` [RFC 3/8] Aufs2: lookup hooanon05
2009-02-23 7:36 ` hooanon05 [this message]
2009-02-23 7:36 ` [RFC 5/8] Aufs2: wbr_policy hooanon05
2009-02-23 7:37 ` [RFC 6/8] Aufs2: fmode_exec hooanon05
2009-02-23 7:37 ` [RFC 7/8] Aufs2: mmap hooanon05
2009-02-23 9:18 ` Tomas M
2009-02-23 14:39 ` hooanon05
2009-02-23 7:38 ` [RFC 8/8] Aufs2: plan hooanon05
2009-02-25 17:50 ` [RFC 0/8] Aufs2 documents David P. Quigley
2009-02-25 19:07 ` Matthew Wilcox
2009-02-26 4:54 ` hooanon05
2009-02-26 17:20 ` David P. Quigley
2009-02-27 14:27 ` hooanon05
2009-02-27 18:17 ` David P. Quigley
2009-02-28 8:04 ` hooanon05
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7793.1235374568@jrobl \
--to=hooanon05@yahoo.co.jp \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox