Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp5076670yba; Tue, 30 Apr 2019 08:46:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqx72UkKzcChy2SB7m6a39013cm+2CNBW4RHyzPU3lUhpz/LIP9qx/fVVh2YU3+fBtVXE1Pf X-Received: by 2002:a17:902:aa5:: with SMTP id 34mr54216481plp.263.1556639188214; Tue, 30 Apr 2019 08:46:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556639188; cv=none; d=google.com; s=arc-20160816; b=DMRj29MGhdINShcSy95AkE6bIiCuIZScVZGJFACSoe9KVd/QJJ25SGT9l/jYIcnUaJ qrMFDAZDI1oL7mlugN1IKRjsNjWTZqNoNvq+mKoOD3sj0NRweYvhoZNBDI6T1s+wnMen 8s6oak8wPGx1FIk62/5gPE54R+4b1ZN9CpisN5hYMNBc8gG2aUj1g+3NUoyBmWWbIeFf 4mL8ELqksAo+osfMC2m6PJHrOGt9zPdyC/7HpN3F1li0C3bCDWEGEGkbYJgsQyTu7HGy 0yNhGIPi0cpYRKJyz7Gf91gdO6p88nkyZXuI4p03KLXs2Sy8zB0kaWKmVBfe9hS2MhCT EQow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :reply-to:message-id:subject:cc:to:from:date; bh=vfP2S2iii+DA6ccQoZJ7lIc8jHRYfYHozd7udFAc+Mg=; b=bsKuXaDR3zYOXb2y0An0vf8Kw8A0iAE5OVii0TfdDU6mu5C96En8hI+eX7G1pYmXki cUOVVKD5gVrIJpjN/pZPZa9OuKDzOG9RNgnaL1AKyt5NKaoOWG7/RxHzxo10woSsVqU1 5xQMyV37MwG2f7e3PcHEWo5IT6RvGlyIhZYTUF6V2op1ttSBZm2Wri0a7QDa8kez3FQ/ s6jNe6GNDhCJIflt1lAoyNZwzDcAJAlWq/5TW3McRmtvlT5+Oi6mJQd6pJRXKXnvkefC yt/tNOFpuFr2/VvBYKCD0MVntQgOXefCq7jZspN6N67ddpwr+PD/jpV9LdaPOOqrR+04 nyPQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 16si38123689pfh.244.2019.04.30.08.46.01; Tue, 30 Apr 2019 08:46:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726112AbfD3Pp1 (ORCPT + 99 others); Tue, 30 Apr 2019 11:45:27 -0400 Received: from mx2.suse.de ([195.135.220.15]:37584 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725906AbfD3Pp0 (ORCPT ); Tue, 30 Apr 2019 11:45:26 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 47528AD94; Tue, 30 Apr 2019 15:45:25 +0000 (UTC) Received: by ds.suse.cz (Postfix, from userid 10065) id 2CC4DDA88B; Tue, 30 Apr 2019 17:46:25 +0200 (CEST) Date: Tue, 30 Apr 2019 17:46:23 +0200 From: David Sterba To: "Darrick J. Wong" Cc: linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-mm@kvack.org Subject: Re: [PATCH v2 0/8] vfs: make immutable files actually immutable Message-ID: <20190430154622.GA20156@twin.jikos.cz> Reply-To: dsterba@suse.cz Mail-Followup-To: dsterba@suse.cz, "Darrick J. Wong" , linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-mm@kvack.org References: <155552786671.20411.6442426840435740050.stgit@magnolia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <155552786671.20411.6442426840435740050.stgit@magnolia> User-Agent: Mutt/1.5.23.1 (2014-03-12) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed, Apr 17, 2019 at 12:04:26PM -0700, Darrick J. Wong wrote: > Hi all, > > The chattr(1) manpage has this to say about the immutable bit that > system administrators can set on files: > > "A file with the 'i' attribute cannot be modified: it cannot be deleted > or renamed, no link can be created to this file, most of the file's > metadata can not be modified, and the file can not be opened in write > mode." > > Given the clause about how the file 'cannot be modified', it is > surprising that programs holding writable file descriptors can continue > to write to and truncate files after the immutable flag has been set, > but they cannot call other things such as utimes, fallocate, unlink, > link, setxattr, or reflink. > > Since the immutable flag is only settable by administrators, resolve > this inconsistent behavior in favor of the documented behavior -- once > the flag is set, the file cannot be modified, period. The manual page leaves the case undefined, though the word 'modified' can be interpreted in the same sense as 'mtime' ie. modifying the file data. The enumerated file operations that don't work on an immutable file suggest that it's more like the 'ctime', ie. (state) changes are forbidden. Tthe patchset makes some sense, but it changes the semantics a bit. From 'not changed but still modified' to 'neither changed nor modified'. It starts to sound like a word game, but I think both are often used interchangeably in the language. See the changelog of 1/8 where you used them in the other meaning regarding ctime and mtime. I personally doubt there's a real use of the undefined case, though something artificial like 'a process opens a fd, sets up file in a very specific way, sets immutable and hands the fd to an unprivileged process' can be made up. The overhead of the new checks seems to be small so performance is not the concern here. Overall, I don't see a strong reason for either semantics. As long as it's documented possibly with some of the corner cases described in more detail, fine.