On Fri, Mar 11, 2016 at 2:30 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote: > On Fri, Mar 11, 2016 at 10:25:30AM -0800, Linus Torvalds wrote: >> >> So you'd have to explicitly say "my setup is ok with hole punching". > > Except it's not hole punching that is the problem. [..] > The problem here is > preallocation of unwritten blocks that expose the stale data if the > filesystem skips marking those blocks as unwritten. Right you are. > It's all well and good to restrict access to the fallocate() call to > limit who can expose stale data, but it doesn't remove the fact it > is easy for stale data to unintentionally escape the privileged > group once it has been exposed because there is no record of the > fact the file contains uninitialised blocks.... Good point. It's not just that the user in question *couldn't* have exposed it other ways by reading the raw device and then writing that info into a file. You're right that the "don't initialize unwritten blocks" thing has a more insidious problem of making it easy to unintentionally expose such data just because you missed an error path (or the process died without ever doing the proper over-write).. It would be much better if we could somehow mitigate just _how_ easy it is to screw up. One way to do that would be to not just require that the user that discards the initializing writes have read access to the underlying device, but perhaps also have some strict requirement that you can discard only if the file you are working with is legible only to you? That would limit the damage, and keep the stale data "private" to the user who is already able to read the raw data off the device. Sure, you can then mark the file read-by-world by others later, but at that point you're kind of *consciously* exposing that stale data (and at that point, you have hopefully cleaned it all up and replaced the stale data with real data). But would that perhaps not be reasonable for the kind of use cases that google has now? Linus -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html