2014-04-10 14:50:03

by Colin Walters

Subject: Re: [PATCH 0/6] File Sealing & memfd_create()

On Thu, Mar 20, 2014 at 11:32 AM, [email protected] wrote:
>
> Looking at your patches, and what files you are modifying, you are
> enforcing this in the low-level file system.

I would love for this to be implemented in the filesystem level as
well. Something like the ext4 immutable bit, but with the ability to
still make hardlinks would be *very* useful for OSTree. And anyone
else that uses hardlinks as a data source. The vserver people do
something similar:
http://linux-vserver.org/util-vserver:Vhashify

At the moment I have a read-only bind mount over /usr, but what I
really want is to make the individual objects in the object store in
/ostree/repo/objects be immutable, so even if a user or app navigates
out to /sysroot they still can't mutate them (or the link targets in
the visible /usr).




2014-04-10 19:16:02

by Andy Lutomirski

Subject: Re: [PATCH 0/6] File Sealing & memfd_create()

On 04/10/2014 07:45 AM, Colin Walters wrote:
> On Thu, Mar 20, 2014 at 11:32 AM, [email protected] wrote:
>>
>> Looking at your patches, and what files you are modifying, you are
>> enforcing this in the low-level file system.
>
> I would love for this to be implemented in the filesystem level as
> well. Something like the ext4 immutable bit, but with the ability to
> still make hardlinks would be *very* useful for OSTree. And anyone else
> that uses hardlinks as a data source. The vserver people do something
> similar:
> http://linux-vserver.org/util-vserver:Vhashify
>
> At the moment I have a read-only bind mount over /usr, but what I really
> want is to make the individual objects in the object store in
> /ostree/repo/objects be immutable, so even if a user or app navigates
> out to /sysroot they still can't mutate them (or the link targets in the
> visible /usr).

COW links can do this already, I think. Of course, you'll have to use a
filesystem that supports them.

--Andy

2014-04-10 19:49:49

by Colin Walters

Subject: Re: [PATCH 0/6] File Sealing & memfd_create()

On Thu, Apr 10, 2014 at 3:15 PM, Andy Lutomirski <[email protected]> wrote:
>
> COW links can do this already, I think. Of course, you'll have to use a
> filesystem that supports them.

COW is nice if the filesystem supports them, but my userspace code
needs to be filesystem agnostic. Because of that, the design for
userspace simply doesn't allow arbitrary writes.

Instead, I have to painfully audit every rpm %post/dpkg postinst type
script to ensure they break hardlinks, and furthermore only allow
executing scripts that are known to do so.

But I think even in a btrfs world it'd still be useful to mark files as
content-immutable.
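
The difference between an in-place write and a write that breaks the hardlink, which the last message describes auditing package scripts for, shown as an added example that is not part of the original thread. The directory layout, file names and function names are hypothetical stand-ins for an object store hardlinked into a deployed tree.

```shell
#!/bin/sh
# Constructed demo: one object-store file hardlinked into a deployed tree.
# The directory layout and file names are hypothetical.

setup_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/objects" "$d/usr"
    printf 'original\n' > "$d/objects/obj1"
    ln "$d/objects/obj1" "$d/usr/app.conf"   # same inode, two names
    printf '%s\n' "$d"
}

# What an unaudited script does: open the existing inode and truncate it.
# Every other name for that inode sees the new content.
write_in_place() {
    printf '%s\n' "$2" > "$1"
}

# What an audited script must do: write a new inode, then rename it over
# the old name. The object-store copy keeps its original content.
write_breaking_link() {
    tmp=$(mktemp "$(dirname "$1")/.tmp.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Audit helper: regular files with more than one link, i.e. files where
# an in-place write would reach beyond the path being written.
shared_files() {
    find "$1" -type f -links +1 | sort
}

run_demo() {
    a=$(setup_demo) && b=$(setup_demo) || return 1
    write_in_place "$a/usr/app.conf" modified
    write_breaking_link "$b/usr/app.conf" modified
    echo "in-place:   store object now reads '$(cat "$a/objects/obj1")'"
    echo "link-break: store object now reads '$(cat "$b/objects/obj1")'"
    rm -rf "$a" "$b"
}

run_demo
```

The rename approach only protects the store when every writer uses it, which is why a kernel-enforced content-immutable flag would remove the need for the audit.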