From: Linus Torvalds <torvalds@linux-foundation.org>
To: Zdenek Kabelac <zkabelac@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>, Sagi Grimberg <sagi@grimberg.me>,
Mike Snitzer <snitzer@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-block <linux-block@vger.kernel.org>,
dm-devel@redhat.com, Ilya Dryomov <idryomov@gmail.com>,
wgh@torlan.ru
Subject: Re: [dm-devel] LVM snapshot broke between 4.14 and 4.16
Date: Fri, 3 Aug 2018 12:30:49 -0700 [thread overview]
Message-ID: <CA+55aFzyNMWfkaWvFuMaLCBjcWvBQgBAe+GY=WDPiGd1YDTs=Q@mail.gmail.com> (raw)
In-Reply-To: <bc71118d-3003-6260-6ab3-ddcc4277aeed@redhat.com>
On Fri, Aug 3, 2018 at 12:18 PM Zdenek Kabelac <zkabelac@redhat.com> wrote:
>
> From my userland POV - leaving kernel write to devices that are supposed to
> be read-only 'just because' it's kernel is wrong - the fact it has NOT been
> discover for so long means - there are not many users and not many testers of
> this combination.
Sure. But at the same time, the "read-only" issue from a _security_
standpoint should never be about some device state.
Why? Because the Unix security rules aren't about "read-only devices".
They are about permissions, and if you don't want your users to have
write permissions to a device, then they shouldn't have those
permissions.
So the "set_disk_ro()" interface is simply not for security. Anybody
who uses it for security is seriously confused.
No, the "set_disk_ro()" interface is so that you can say "you
physically cannot write to this medium". It's meant for things like
CD-ROM devices, or for a floppy device when you notice that the
controller reports that the floppy itself is physically
write-protected.
THAT is what the new code checks for, and that is also why ignoring
the check really shouldn't be a security issue.
Because if it turns out that somebody wrote to it, and the write
succeeded, then obviously the "set_disk_ro()" usage was simply wrong.
Now, I do agree that it 100% makes sense to have a layer like md/lvm
be able to virtually mark volumes read-only. If only exactly to
emulate the "this is like a write-protected floppy or a cd-rom"
behavior.
So the DM_READONLY_FLAG makes conceptual sense.
But at the same time, if the DM_READONLY_FLAG was _wrong_, then it
also makes a ton of sense to just say "oh, it was wrong, we'll ignore
it".
Exactly because it was never supposed to be about security, and it was
about other things.
See?
Linus
prev parent reply other threads:[~2018-08-03 19:30 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-02 12:26 LVM snapshot broke between 4.14 and 4.16 WGH
2018-08-02 13:31 ` Ilya Dryomov
2018-08-02 13:31 ` Ilya Dryomov
2018-08-02 15:10 ` WGH
2018-08-02 16:41 ` Linus Torvalds
2018-08-02 18:18 ` Ilya Dryomov
2018-08-02 18:32 ` Linus Torvalds
2018-08-02 21:32 ` WGH
2018-08-02 21:39 ` WGH
2018-08-02 21:52 ` Linus Torvalds
2018-08-03 13:31 ` Mike Snitzer
2018-08-03 15:20 ` [dm-devel] " Theodore Y. Ts'o
2018-08-03 18:39 ` Mike Snitzer
2018-08-03 18:57 ` Linus Torvalds
2018-08-03 19:06 ` Mike Snitzer
2018-08-03 19:11 ` Linus Torvalds
2018-08-03 19:33 ` Mike Snitzer
2018-08-03 19:22 ` Linus Torvalds
2018-08-04 10:01 ` WGH
2018-08-04 17:04 ` Linus Torvalds
2018-08-04 17:04 ` Linus Torvalds
2018-08-04 18:19 ` Mike Snitzer
2018-08-04 20:29 ` WGH
2018-08-03 19:56 ` [dm-devel] " Alasdair G Kergon
2018-08-03 20:08 ` Alasdair G Kergon
2018-08-03 20:42 ` Linus Torvalds
2018-08-03 21:26 ` Alasdair G Kergon
2018-08-03 13:31 ` Zdenek Kabelac
2018-08-03 16:37 ` Linus Torvalds
2018-08-03 18:54 ` Mike Snitzer
2018-08-03 18:54 ` Mike Snitzer
2018-08-03 19:09 ` Linus Torvalds
2018-08-03 19:30 ` Mike Snitzer
2018-08-03 19:36 ` Linus Torvalds
2018-08-04 5:20 ` [dm-devel] " Theodore Y. Ts'o
2018-08-04 8:36 ` Zdenek Kabelac
2018-08-04 16:22 ` Theodore Y. Ts'o
2018-08-04 18:18 ` Mike Snitzer
2018-08-04 18:18 ` Mike Snitzer
2018-08-04 19:37 ` Theodore Y. Ts'o
2018-08-04 19:37 ` Theodore Y. Ts'o
2018-08-04 21:48 ` Mike Snitzer
2018-08-04 15:19 ` Mike Snitzer
2018-08-03 19:18 ` [dm-devel] " Zdenek Kabelac
2018-08-03 19:18 ` Zdenek Kabelac
2018-08-03 19:30 ` Linus Torvalds [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+55aFzyNMWfkaWvFuMaLCBjcWvBQgBAe+GY=WDPiGd1YDTs=Q@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=dm-devel@redhat.com \
--cc=idryomov@gmail.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sagi@grimberg.me \
--cc=snitzer@redhat.com \
--cc=wgh@torlan.ru \
--cc=zkabelac@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.