From: Linus Torvalds
To: Dave Chinner
Cc: "Theodore Ts'o", Ric Wheeler, Andy Lutomirski, One Thousand Gnomes, Gregory Farnum, "Martin K. Petersen", Christoph Hellwig, "Darrick J. Wong", Jens Axboe, Andrew Morton, Linux API, Linux Kernel Mailing List, shane.seymour@hpe.com, Bruce Fields, linux-fsdevel, Jeff Layton, Eric Sandeen
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Date: Tue, 15 Mar 2016 13:43:01 -0700
In-Reply-To: <20160315201431.GG30721@dastard>
References: <20160311135952.57a44931@lxorguk.ukuu.org.uk> <20160311223047.GZ30721@dastard> <20160312003556.GF32214@thunk.org> <20160313233049.GA30721@dastard> <56E69398.7030508@redhat.com> <20160314144603.GO29218@thunk.org> <20160315201431.GG30721@dastard>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 15, 2016 at 1:14 PM, Dave Chinner wrote:
>
> Root can still change the group id of a file that has exposed stale
> data and hence make it visible outside of the group based
> containment wall.

Ok, Dave, now you're just being ridiculous.

The issue has never been - and *should* never be - that stale data
cannot get out. The only issue is that we shouldn't make it
ridiculously easy to make silly mistakes.

There's no "group based containment wall" that is some kind of
absolute protection border.

Put another way: this is not about theoretical leaks - because those
are totally irrelevant (in theory, the original discard writer had
access to all that stale data anyway). This is about making it a
practical interface that doesn't have serious hidden gotchas.

So stop making silly theoretical arguments that make no sense. We
should make sure that we have _practical_ rules that are sensible, but
also not painful enough for the people who want to use this in
_practice_.

Reality trumps everything else. If google is already using this kind
of interface, then that is _reality_. Take that into account.

Linus