From: Stephen Smalley <sds@tycho.nsa.gov>
To: James Morris <jmorris@namei.org>
Cc: Joel Becker <Joel.Becker@oracle.com>, jim owens <jowens@hp.com>, ocfs2-devel@oss.oracle.com, viro@zeniv.linux.org.uk, mtk.manpages@gmail.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [RFC] The reflink(2) system call v4.
Date: Tue, 12 May 2009 08:01:56 -0400
Message-ID: <1242129716.31807.8.camel@localhost.localdomain>
In-Reply-To: <alpine.LRH.2.00.0905120819460.3090@tundra.namei.org>

On Tue, 2009-05-12 at 08:27 +1000, James Morris wrote:
> On Mon, 11 May 2009, Joel Becker wrote:
>
> > and other security attributes (in all, I'm gonna call that the "security
> > context") as well. So I defined reflink() as such. This meant
>
> "security context" is a term associated with SELinux, so you may want to
> use something like "security attributes" or "security state" to avoid
> confusing people.
>
> > + error = security_inode_reflink(old_dentry, dir);
> > + if (error)
> > + return error;
>
> We'll need the new_dentry now, to set up new security state before the
> dentry is instantiated.

I don't think the inode exists yet for the new_dentry (not until after
the call to i_op->reflink), and thus we cannot set up the new inode
state at the point of security_inode_reflink(). We will need the
filesystem to call into the security module to get the right security
attribute name/value pair when creating the new inode, just as with
normal inode creation, unless it is preserving the name/value pair from
the original. The security_inode_init_security() hook is for that
purpose - you can see its usage in existing filesystems when creating
new inodes.

> e.g. SELinux will need to perform some checks on the operation, then
> calculate a new security context for the new file.
>
>
> - James

--
Stephen Smalley
National Security Agency
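
Review bot: the call to security_inode_reflink(old_dentry, dir) in the quoted hunk hands the security module only the source dentry and the target directory, so it can act as a permission check but not as the place where the new file's security attribute gets set. Suggest saying so in the hook's documentation, and noting there that the filesystem's ->reflink implementation must either preserve the original's name/value pair or obtain one through security_inode_init_security() when it creates the new inode.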