Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756970AbcCDAUj (ORCPT ); Thu, 3 Mar 2016 19:20:39 -0500 Received: from imap.thunk.org ([74.207.234.97]:58052 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751539AbcCDAUh (ORCPT ); Thu, 3 Mar 2016 19:20:37 -0500 Date: Thu, 3 Mar 2016 19:20:26 -0500 From: "Theodore Ts'o" To: Dave Chinner Cc: "Martin K. Petersen" , Christoph Hellwig , Linus Torvalds , "Darrick J. Wong" , Jens Axboe , Andrew Morton , Linux API , Linux Kernel Mailing List , shane.seymour@hpe.com, Bruce Fields , linux-fsdevel , Jeff Layton Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Message-ID: <20160304002026.GG24012@thunk.org> Mail-Followup-To: Theodore Ts'o , Dave Chinner , "Martin K. Petersen" , Christoph Hellwig , Linus Torvalds , "Darrick J. Wong" , Jens Axboe , Andrew Morton , Linux API , Linux Kernel Mailing List , shane.seymour@hpe.com, Bruce Fields , linux-fsdevel , Jeff Layton References: <20160302040932.16685.62789.stgit@birch.djwong.org> <20160302040947.16685.42926.stgit@birch.djwong.org> <20160302225601.GB21890@birch.djwong.org> <20160303180924.GA4116@infradead.org> <20160303223952.GE24012@thunk.org> <20160303231050.GU29057@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160303231050.GU29057@dastard> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1303 Lines: 26 On Fri, Mar 04, 2016 at 10:10:50AM +1100, Dave Chinner wrote: > You can tempt all you want, but it does not change the basic fact > that it is dangerous and compromises system security. As such, it > does not belong in upstream kernels. Especially in this day and age > where ensuring the fundamental integrity of our systems is more > important than ever. The fact of the matter is as there are more user-space servers for cluster file systems which are trusted to do the right thing, and are considered inside the TCB, the demand for this is going to strong. We do actually use a group id to provide access control to what is admittedly a dangerous feature, so it's not available for all userspace callers, and we didn't want the file server to run as root. But I'll let the Ceph folks advocate internally for such a feature to be shipped in RHEL if they feel strongly about it, and if later one we want to come to an agreement about a better access control mechanism than membership in a privileged group id passed in as a mount option, I'm not wedded to that facility. I didn't think it was worth cracking open a new capability bit, but if we want to go down that route, or some other route to provide the appropriate security controls, we should definitely talk about it. Cheers, - Ted