Re: Read-only `slaves` with shared subtrees?

From: Ram Pai
Date: Sun Oct 08 2017 - 20:16:01 EST

Next message: Paul Burton: "[PATCH v2] Update MIPS email addresses"
Previous message: Brijesh Singh: "Re: [Part2 PATCH v5.1 12.1/31] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support"
Next in thread: Dawid Ciezarkiewicz: "Re: Read-only `slaves` with shared subtrees?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Sep 29, 2017 at 04:02:42PM -0700, Dawid Ciezarkiewicz wrote:
> On Fri, Sep 22, 2017 at 11:43 AM, Dawid Ciezarkiewicz
> <dawid.ciezarkiewicz@xxxxxxxxxx> wrote:
> > On Thu, Sep 21, 2017 at 12:14 PM, Ram Pai <linuxram@xxxxxxxxxx> wrote:
> >> Here is a patch that accomplishes the job. tested to work with
> >> some simple use cases. check if this works for you. If it does
> >> than we will have to think through all the edge cases and make it
> >> acceptable.
> >
> > From your experiments, it looks exactly right.
> >
> > I'll give it a try in the upcoming week. Thank you!
>
>
> I've reproduced your setup and results.
>
> I've played with it for a while, mostly checking some recursive mount scenarios.
> My biggest concern is transitivity of the RO attribute. Once a root of
> slave directory
> is set to be RO + STICKY, it is very important that host directories
> propagated there,
> even recursively (rslave), or any other, are not RW. From what I was
> able to test, everything
> seemed OK, but I don't grok all the semantics around it, so I'm just
> pointing it out, as I might
> have missed something.

yes it will be RO. the patch takes care of that.

>
> One thing that I don't plan to use, but might be worth thinking about is
> `slave + RW + STICKY` combination. If `master` mounts something RO,
> and `slave`
> is `RW + STICKY`, should the mount appear RW inside the slave? I don't
> find it particularly useful,
> but still...

As per the implemented semantics it will become "RW". Should it be "RO"
aswell? Will that open up security holes?

>
> Another thing that popped into my head: Is it worth considering any
> dynamic changes to `slave`'s
> RO status? It complicates everything a lot (it seems to me), since it
> adds a retroactive
> dynamic propagation. I don't currently have any plans to use it, but I
> could imagine scenarios
> in which a slave mount with all it's sub-mounts is remounted from RO
> to RW, in response to
> some external authorization trigger.

The sematics should be something like this. Check if it makes sense.

a) anything mounted under stick-mount will be a sticky-mount and will
inherit the mount's access-attribute;i.e RO RW attribute.
b) a mount when made sticky will propagate its sticky attribute
as well as its access-attribute recursively to its children
c) anything mounted under non-sticky mount will not inherit the
mount's access-attribute and will be non-sticky aswell.
d) a mount when made non-sticky will just change itself to non-sticky.
(will NOT propagate its non-sticky attribute and its
access-attribue recursively to its children.)

Will this work?

> Regards,
> Dawid Ciezarkiewicz

--
Ram Pai

Next message: Paul Burton: "[PATCH v2] Update MIPS email addresses"
Previous message: Brijesh Singh: "Re: [Part2 PATCH v5.1 12.1/31] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support"
Next in thread: Dawid Ciezarkiewicz: "Re: Read-only `slaves` with shared subtrees?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]