| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Aug 2017 23:39:17 -0700
From: Dan Williams <dan.j.williams@...el.com>
To: darrick.wong@...cle.com
Cc: Jan Kara <jack@...e.cz>, linux-nvdimm@...ts.01.org,
linux-api@...r.kernel.org,
Trond Myklebust <trond.myklebust@...marydata.com>,
Dave Chinner <david@...morbit.com>,
linux-kernel@...r.kernel.org, Christoph Hellwig <hch@....de>,
linux-xfs@...r.kernel.org, linux-mm@...ck.org,
Jeff Moyer <jmoyer@...hat.com>,
Alexander Viro <viro@...iv.linux.org.uk>, luto@...nel.org,
Ross Zwisler <ross.zwisler@...ux.intel.com>,
linux-fsdevel@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
Anna Schumaker <anna.schumaker@...app.com>
Subject: [PATCH v3 0/6] fs, xfs: block map immutable files
Changes since v2 [1]:
* Rather than have an IS_IOMAP_IMMUTABLE() check in
xfs_alloc_file_space(), place one centrally in xfs_bmapi_write() to
catch all attempts to write the block allocation map. (Dave)
* Make sealing an already sealed file, or unsealing an already unsealed
file return success (Darrick)
* Set S_IOMAP_IMMUTABLE along with the transaction that sets
XFS_DIFLAG2_IOMAP_IMMUTABLE (Darrick)
* Round the range of the allocation and extent conversion performed by
FALLOC_FL_SEAL_BLOCK_MAP up to the filesystem block size.
* Add a proof-of-concept patch for the use of immutable files with swap.
[1]: https://lkml.org/lkml/2017/8/3/996
---
The ability to make the physical block-allocation map of a file
immutable is a powerful mechanism that allows userspace to have
predictable dax-fault latencies, flush dax mappings to persistent memory
without a syscall, and otherwise enable access to storage directly
without ongoing mediation from the filesystem.
This last aspect of direct storage addressability has been called a
"horrible abuse" [2], but the reality is quite the reverse. Enabling
files to be block-map immutable allows applications that would otherwise
need to rely on dangerous raw device access to instead use a filesystem.
Security, naming, re-provisioning capacity between usages are all better
supported with safe semantics in a filesystem compared to a device file.
It is time to "give up the idea that only the filesystem can access the
storage underlying the filesystem" [3] to enable a better / safer
alternative to using a raw device for userpace block servers, dax
hypervisors, and peer-to-peer transfers to name a few use cases.
[2]: https://lkml.org/lkml/2017/8/5/56
[3]: https://lkml.org/lkml/2017/8/6/299
---
Dan Williams (6):
fs, xfs: introduce S_IOMAP_IMMUTABLE
fs, xfs: introduce FALLOC_FL_SEAL_BLOCK_MAP
fs, xfs: introduce FALLOC_FL_UNSEAL_BLOCK_MAP
xfs: introduce XFS_DIFLAG2_IOMAP_IMMUTABLE
xfs: toggle XFS_DIFLAG2_IOMAP_IMMUTABLE in response to fallocate
mm, xfs: protect swapfile contents with immutable + unwritten extents
fs/attr.c | 10 +++
fs/nfs/file.c | 7 ++
fs/open.c | 24 +++++++
fs/read_write.c | 3 +
fs/xfs/libxfs/xfs_bmap.c | 6 ++
fs/xfs/libxfs/xfs_bmap.h | 12 +++-
fs/xfs/libxfs/xfs_format.h | 5 +-
fs/xfs/xfs_aops.c | 54 ++++++++++++++++
fs/xfs/xfs_bmap_util.c | 142 +++++++++++++++++++++++++++++++++++++++++++
fs/xfs/xfs_bmap_util.h | 5 ++
fs/xfs/xfs_file.c | 16 ++++-
fs/xfs/xfs_inode.c | 2 +
fs/xfs/xfs_ioctl.c | 7 ++
fs/xfs/xfs_iops.c | 8 ++
include/linux/falloc.h | 4 +
include/linux/fs.h | 2 +
include/uapi/linux/falloc.h | 18 +++++
include/uapi/linux/fs.h | 1
mm/filemap.c | 5 ++
mm/page_io.c | 1
mm/swapfile.c | 20 ++----
21 files changed, 328 insertions(+), 24 deletions(-)
Powered by blists - more mailing lists