btrfs, user created subvolumes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Two questions as it relates to btrfs subvolumes created by users on Fedora.

Question 1, should new subvolumes within the ~/ hierarchy have the
same label as a new directory?

$ mkdir hi
$ btrfs subvolume create hi2
$ ls -lZ
drwxrwxr-x. 1 chris chris unconfined_u:object_r:user_home_t:s0
0 Jun 13 15:55  hi
drwxrwxr-x. 1 chris chris system_u:object_r:unlabeled_t:s0
0 Jun 13 15:55  hi2

Is this expected? Or should I file a bug?

Question 2, should users be allowed to remove subvolumes (including
subvolume snapshots) they own?

There's a bit of background here:

* Users can 'btrfs subvolume create' without privileges
* Users can't 'btrfs subvolume delete' without privileges, unless the
Btrfs file system is mounted with option "user_subvol_rm_allowed"
* Users can remove empty subvolumes without privileges, e.g. rmdir or
rm -rf so long as the user owns all the items contained in the
subvolume.

OK a bit more background. A subvolume is a file b-tree. It's where all
file and directory metadata is located: inode, datetime, permissions,
xattr, compression info, extent info.

When deleting a subvolume, none of the contents are checked for
permissions at all - the tree is just snipped off the file system, and
the extents are later freed by a kernel cleaner thread. So it's
essentially an immediately returning command, with the expensive
backref walk done by a dedicated kernel thread later.

On any file system when deleting a directory, all the contents have
permissions checked. If the user can't delete an item, then the
directory won't be empty, and they won't be able to remove it. This is
the same for btrfs subvolumes when using the same commands, rmdir and
rm -rf. The subvolume can't be deleted until it's empty. This can be
quite alot more expensive than just a subvolume delete.

I'm wondering if anyone can imagine problems with enabling
user_subvol_rm_allowed mount option on Fedora desktops by default? And
whether SELinux can or should have some role in preventing mistakes?
Like if SELinux could distinguish between an active user home
directory that is also a btrfs subvolume - don't allow the user to
stab themselves in the foot. But let them delete any other subvolume
they own. Or maybe it's low enough risk.


Thanks,



-- 
Chris Murphy
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux