xfs
[Top] [All Lists]

Re: [PATCH v2 1/2] xfs: fix tmpfile/selinux deadlock and initialize secu

To: Andreas Gruenbacher <andreas.gruenbacher@xxxxxxxxxx>
Subject: Re: [PATCH v2 1/2] xfs: fix tmpfile/selinux deadlock and initialize security/acl
From: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Date: Wed, 16 Apr 2014 04:14:02 -0700
Cc: Brian Foster <bfoster@xxxxxxxxxx>, linux-man@xxxxxxxxxxxxxxx, xfs@xxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx, linux-ext4@xxxxxxxxxxxxxxx
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <1188577823.463241.1397590262478.JavaMail.zimbra@xxxxxxxxxx>
References: <1397071311-28371-1-git-send-email-bfoster@xxxxxxxxxx> <1397071311-28371-2-git-send-email-bfoster@xxxxxxxxxx> <20140410102421.GA17641@xxxxxxxxxxxxx> <20140410121947.GA14124@xxxxxxxxxxxxxxx> <20140410122944.GA6579@xxxxxxxxxxxxx> <20140415175228.GE26404@xxxxxxxxxxxxx> <1188577823.463241.1397590262478.JavaMail.zimbra@xxxxxxxxxx>
User-agent: Mutt/1.5.21 (2010-09-15)
On Tue, Apr 15, 2014 at 09:31:02PM +0200, Andreas Gruenbacher wrote:
> from how O_TMPFILE is documented right now [*], creating such a file and
> then linking it into the namespace is one of the obvious use cases.

Btw, I think the man page is wrong - given that the tmpfile is not
visible in the namespace it is obviously not created in the directory.
The directory passed in is just a handle for the filesystem it should be
created in.

Michael, should I send you an update for this, or do you want to do it
yourself as you can probably come up with better language anyway?

> The
> intent seems to be to make it seem like the file was created and populated
> atomically, possibly with inherited permissions and all.
> I think this
> behavior require that the O_TMPFILE file inherits from the directory it
> was "created" in.
> 
> Adding code to achieve the effect of create-time inheritance at link
> time, only for O_TMPFILE files or files without any links, doesn't seem 
> reasonable to me: it would duplicate create code in the link code path,
> and it would make it harder to override inherited permissions or labels.

Inheriting any ACL on creating an anonymous file seems utterly wrong.
Inheriting on link seems somewhat more sensible and not too bad in terms
of code, but very confusing in terms of semantics.  I think the best
method is to make sure it simply does not inherit any ACL and document
that clearly.

> (Trying to fake inheritance by reimplementing it in user space seems like
> a much worse idea still.)

We don't fake inheritance when linking any other file either.  And
creating a file in a /tmp without any ACL and then linking it into the
filesystem already is very common today.

<Prev in Thread] Current Thread [Next in Thread>