Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932552AbcCKP2H (ORCPT ); Fri, 11 Mar 2016 10:28:07 -0500 Received: from imap.thunk.org ([74.207.234.97]:33116 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932328AbcCKP2E (ORCPT ); Fri, 11 Mar 2016 10:28:04 -0500 Date: Fri, 11 Mar 2016 10:27:39 -0500 From: "Theodore Ts'o" To: One Thousand Gnomes Cc: Ric Wheeler , Linus Torvalds , Gregory Farnum , Dave Chinner , "Martin K. Petersen" , Christoph Hellwig , "Darrick J. Wong" , Jens Axboe , Andrew Morton , Linux API , Linux Kernel Mailing List , shane.seymour@hpe.com, Bruce Fields , linux-fsdevel , Jeff Layton , Eric Sandeen Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Message-ID: <20160311152739.GC32214@thunk.org> Mail-Followup-To: Theodore Ts'o , One Thousand Gnomes , Ric Wheeler , Linus Torvalds , Gregory Farnum , Dave Chinner , "Martin K. Petersen" , Christoph Hellwig , "Darrick J. Wong" , Jens Axboe , Andrew Morton , Linux API , Linux Kernel Mailing List , shane.seymour@hpe.com, Bruce Fields , linux-fsdevel , Jeff Layton , Eric Sandeen References: <20160303180924.GA4116@infradead.org> <20160303223952.GE24012@thunk.org> <20160303231050.GU29057@dastard> <20160309230819.GB3949@thunk.org> <56E18B9B.5070503@gmail.com> <56E24CA5.3030702@redhat.com> <20160311135952.57a44931@lxorguk.ukuu.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160311135952.57a44931@lxorguk.ukuu.org.uk> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1332 Lines: 28 On Fri, Mar 11, 2016 at 01:59:52PM +0000, One Thousand Gnomes wrote: > > > We can do the security check at the filesystem level, because we have > > > sb->s_bdev->bd_inode, and if you have read and write permissions to > > > that inode, you might as well have permission to create a unsafe hole. > > Not if you don't have access to a block device node to open it, or there > are SELinux rules that control the access. There are cases it isn't > entirely the same thing as far as I can see. Consider within a container > for example. In a container shouldn't be a problem so long as we use uid mapping when making the group id check. > The paranoid approach would IMHO to have a mount option so you can > explicitly declare a file system mount should trust its owner/group and > then that can also be used to wire up any other "unsafe" activities in a > general "mounted for a special use" option. Indeed, that's what we're currently doing. We've acutally been using different gid's for each "privileged" operation, though, since we want to have fine-grained access controls. The process who can perform an operation which can result in the ability to read stale data might not need (and therefore should not be given) access to be able to issue TCG/Opal management commands to the HDD, for example. - Ted