From: "Theodore Ts'o" <tytso@mit.edu>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: matthew.garrett@nebula.com, yuchao0@huawei.com,
ard.biesheuvel@linaro.org, josef@toxicpanda.com, clm@fb.com,
adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com,
dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org,
reiserfs-devel@vger.kernel.org, linux-efi@vger.kernel.org,
devel@lists.orangefs.org, linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, linux-mm@kvack.org,
linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org,
ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 1/6] mm/fs: don't allow writes to immutable files
Date: Thu, 20 Jun 2019 17:52:12 -0400 [thread overview]
Message-ID: <20190620215212.GG4650@mit.edu> (raw)
In-Reply-To: <156022837711.3227213.11787906519006016743.stgit@magnolia>
On Mon, Jun 10, 2019 at 09:46:17PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> The chattr manpage has this to say about immutable files:
>
> "A file with the 'i' attribute cannot be modified: it cannot be deleted
> or renamed, no link can be created to this file, most of the file's
> metadata can not be modified, and the file can not be opened in write
> mode."
>
> Once the flag is set, it is enforced for quite a few file operations,
> such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we
> don't check for immutability when doing a write(), a PROT_WRITE mmap(),
> a truncate(), or a write to a previously established mmap.
>
> If a program has an open write fd to a file that the administrator
> subsequently marks immutable, the program still can change the file
> contents. Weird!
>
> The ability to write to an immutable file does not follow the manpage
> promise that immutable files cannot be modified. Worse yet it's
> inconsistent with the behavior of other syscalls which don't allow
> modifications of immutable files.
>
> Therefore, add the necessary checks to make the write, mmap, and
> truncate behavior consistent with what the manpage says and consistent
> with other syscalls on filesystems which support IMMUTABLE.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
I note that this patch doesn't allow writes to swap files. So Amir's
generic/554 test will still fail for those file systems that don't use
copy_file_range.
I'm indifferent as to whether you add a new patch, or include that
change in this patch, but perhaps we should fix this while we're
making changes in these code paths?
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: Theodore Ts'o <tytso@mit.edu>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: matthew.garrett@nebula.com, yuchao0@huawei.com,
ard.biesheuvel@linaro.org, josef@toxicpanda.com, clm@fb.com,
adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com,
dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org,
reiserfs-devel@vger.kernel.org, linux-efi@vger.kernel.org,
devel@lists.orangefs.org, linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, linux-mm@kvack.org,
linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org,
ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [Ocfs2-devel] [PATCH 1/6] mm/fs: don't allow writes to immutable files
Date: Thu, 20 Jun 2019 17:52:12 -0400 [thread overview]
Message-ID: <20190620215212.GG4650@mit.edu> (raw)
In-Reply-To: <156022837711.3227213.11787906519006016743.stgit@magnolia>
On Mon, Jun 10, 2019 at 09:46:17PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> The chattr manpage has this to say about immutable files:
>
> "A file with the 'i' attribute cannot be modified: it cannot be deleted
> or renamed, no link can be created to this file, most of the file's
> metadata can not be modified, and the file can not be opened in write
> mode."
>
> Once the flag is set, it is enforced for quite a few file operations,
> such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we
> don't check for immutability when doing a write(), a PROT_WRITE mmap(),
> a truncate(), or a write to a previously established mmap.
>
> If a program has an open write fd to a file that the administrator
> subsequently marks immutable, the program still can change the file
> contents. Weird!
>
> The ability to write to an immutable file does not follow the manpage
> promise that immutable files cannot be modified. Worse yet it's
> inconsistent with the behavior of other syscalls which don't allow
> modifications of immutable files.
>
> Therefore, add the necessary checks to make the write, mmap, and
> truncate behavior consistent with what the manpage says and consistent
> with other syscalls on filesystems which support IMMUTABLE.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
I note that this patch doesn't allow writes to swap files. So Amir's
generic/554 test will still fail for those file systems that don't use
copy_file_range.
I'm indifferent as to whether you add a new patch, or include that
change in this patch, but perhaps we should fix this while we're
making changes in these code paths?
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Ts'o" <tytso@mit.edu>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: linux-efi@vger.kernel.org, linux-btrfs@vger.kernel.org,
linux-mm@kvack.org, clm@fb.com, adilger.kernel@dilger.ca,
matthew.garrett@nebula.com, linux-nilfs@vger.kernel.org,
linux-ext4@vger.kernel.org, devel@lists.orangefs.org,
josef@toxicpanda.com, reiserfs-devel@vger.kernel.org,
viro@zeniv.linux.org.uk, dsterba@suse.com, jaegeuk@kernel.org,
ard.biesheuvel@linaro.org, linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, jk@ozlabs.org, jack@suse.com,
linux-fsdevel@vger.kernel.org, linux-mtd@lists.infradead.org,
ocfs2-devel@oss.oracle.com
Subject: Re: [f2fs-dev] [PATCH 1/6] mm/fs: don't allow writes to immutable files
Date: Thu, 20 Jun 2019 17:52:12 -0400 [thread overview]
Message-ID: <20190620215212.GG4650@mit.edu> (raw)
In-Reply-To: <156022837711.3227213.11787906519006016743.stgit@magnolia>
On Mon, Jun 10, 2019 at 09:46:17PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> The chattr manpage has this to say about immutable files:
>
> "A file with the 'i' attribute cannot be modified: it cannot be deleted
> or renamed, no link can be created to this file, most of the file's
> metadata can not be modified, and the file can not be opened in write
> mode."
>
> Once the flag is set, it is enforced for quite a few file operations,
> such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we
> don't check for immutability when doing a write(), a PROT_WRITE mmap(),
> a truncate(), or a write to a previously established mmap.
>
> If a program has an open write fd to a file that the administrator
> subsequently marks immutable, the program still can change the file
> contents. Weird!
>
> The ability to write to an immutable file does not follow the manpage
> promise that immutable files cannot be modified. Worse yet it's
> inconsistent with the behavior of other syscalls which don't allow
> modifications of immutable files.
>
> Therefore, add the necessary checks to make the write, mmap, and
> truncate behavior consistent with what the manpage says and consistent
> with other syscalls on filesystems which support IMMUTABLE.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
I note that this patch doesn't allow writes to swap files. So Amir's
generic/554 test will still fail for those file systems that don't use
copy_file_range.
I'm indifferent as to whether you add a new patch, or include that
change in this patch, but perhaps we should fix this while we're
making changes in these code paths?
- Ted
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Ts'o" <tytso@mit.edu>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: linux-efi@vger.kernel.org, linux-btrfs@vger.kernel.org,
yuchao0@huawei.com, linux-mm@kvack.org, clm@fb.com,
adilger.kernel@dilger.ca, matthew.garrett@nebula.com,
linux-nilfs@vger.kernel.org, linux-ext4@vger.kernel.org,
devel@lists.orangefs.org, josef@toxicpanda.com,
reiserfs-devel@vger.kernel.org, viro@zeniv.linux.org.uk,
dsterba@suse.com, jaegeuk@kernel.org, ard.biesheuvel@linaro.org,
linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, jk@ozlabs.org, jack@suse.com,
linux-fsdevel@vger.kernel.org, linux-mtd@lists.infradead.org,
ocfs2-devel@oss.oracle.com
Subject: Re: [PATCH 1/6] mm/fs: don't allow writes to immutable files
Date: Thu, 20 Jun 2019 17:52:12 -0400 [thread overview]
Message-ID: <20190620215212.GG4650@mit.edu> (raw)
In-Reply-To: <156022837711.3227213.11787906519006016743.stgit@magnolia>
On Mon, Jun 10, 2019 at 09:46:17PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> The chattr manpage has this to say about immutable files:
>
> "A file with the 'i' attribute cannot be modified: it cannot be deleted
> or renamed, no link can be created to this file, most of the file's
> metadata can not be modified, and the file can not be opened in write
> mode."
>
> Once the flag is set, it is enforced for quite a few file operations,
> such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we
> don't check for immutability when doing a write(), a PROT_WRITE mmap(),
> a truncate(), or a write to a previously established mmap.
>
> If a program has an open write fd to a file that the administrator
> subsequently marks immutable, the program still can change the file
> contents. Weird!
>
> The ability to write to an immutable file does not follow the manpage
> promise that immutable files cannot be modified. Worse yet it's
> inconsistent with the behavior of other syscalls which don't allow
> modifications of immutable files.
>
> Therefore, add the necessary checks to make the write, mmap, and
> truncate behavior consistent with what the manpage says and consistent
> with other syscalls on filesystems which support IMMUTABLE.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
I note that this patch doesn't allow writes to swap files. So Amir's
generic/554 test will still fail for those file systems that don't use
copy_file_range.
I'm indifferent as to whether you add a new patch, or include that
change in this patch, but perhaps we should fix this while we're
making changes in these code paths?
- Ted
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2019-06-20 21:53 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-11 4:46 [PATCH v3 0/6] vfs: make immutable files actually immutable Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-11 4:46 ` [PATCH 1/6] mm/fs: don't allow writes to immutable files Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-20 21:52 ` Theodore Ts'o [this message]
2019-06-20 21:52 ` Theodore Ts'o
2019-06-20 21:52 ` [f2fs-dev] " Theodore Ts'o
2019-06-20 21:52 ` [Ocfs2-devel] " Theodore Ts'o
2019-06-20 22:13 ` Darrick J. Wong
2019-06-20 22:13 ` Darrick J. Wong
2019-06-20 22:13 ` [f2fs-dev] " Darrick J. Wong
2019-06-20 22:13 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-21 0:54 ` Theodore Ts'o
2019-06-21 0:54 ` Theodore Ts'o
2019-06-21 0:54 ` [f2fs-dev] " Theodore Ts'o
2019-06-21 0:54 ` [Ocfs2-devel] " Theodore Ts'o
2019-06-11 4:46 ` [PATCH 2/6] vfs: flush and wait for io when setting the immutable flag via SETFLAGS Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-20 14:00 ` Jan Kara
2019-06-20 14:00 ` Jan Kara
2019-06-20 14:00 ` [f2fs-dev] " Jan Kara
2019-06-20 14:00 ` [Ocfs2-devel] " Jan Kara
2019-06-20 22:09 ` Darrick J. Wong
2019-06-20 22:09 ` Darrick J. Wong
2019-06-20 22:09 ` [f2fs-dev] " Darrick J. Wong
2019-06-20 22:09 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-11 4:46 ` [PATCH 3/6] vfs: flush and wait for io when setting the immutable flag via FSSETXATTR Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-11 4:46 ` [PATCH 4/6] vfs: don't allow most setxattr to immutable files Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-20 14:03 ` Jan Kara
2019-06-20 14:03 ` Jan Kara
2019-06-20 14:03 ` [f2fs-dev] " Jan Kara
2019-06-20 14:03 ` [Ocfs2-devel] " Jan Kara
2019-06-20 21:36 ` Darrick J. Wong
2019-06-20 21:36 ` Darrick J. Wong
2019-06-20 21:36 ` Darrick J. Wong
2019-06-20 21:36 ` [f2fs-dev] " Darrick J. Wong
2019-06-20 21:36 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-11 4:46 ` [PATCH 5/6] xfs: refactor setflags to use setattr code directly Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:46 ` Darrick J. Wong
2019-06-11 4:46 ` [Ocfs2-devel] " Darrick J. Wong
2019-06-11 4:47 ` [PATCH 6/6] xfs: clean up xfs_merge_ioc_xflags Darrick J. Wong
2019-06-11 4:47 ` Darrick J. Wong
2019-06-11 4:47 ` [f2fs-dev] " Darrick J. Wong
2019-06-11 4:47 ` Darrick J. Wong
2019-06-11 4:47 ` [Ocfs2-devel] " Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190620215212.GG4650@mit.edu \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=ard.biesheuvel@linaro.org \
--cc=clm@fb.com \
--cc=darrick.wong@oracle.com \
--cc=devel@lists.orangefs.org \
--cc=dsterba@suse.com \
--cc=jack@suse.com \
--cc=jaegeuk@kernel.org \
--cc=jk@ozlabs.org \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-nilfs@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=ocfs2-devel@oss.oracle.com \
--cc=reiserfs-devel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.