On Tue, Mar 15, 2016 at 1:14 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
>
> Root can still change the group id of a file that has exposed stale
> data and hence make it visible outside of the group based
> containment wall.
Ok, Dave, now you're just being ridiculous.
The issue has never been - and *should* never be - that stale data
cannot get out.
The only issue is that we shouldn't make it ridiculously easy to make
silly mistakes.
There's no "group based containment wall" that is some kind of
absolute protection border.
Put another way: this is not about theoretical leaks - because those
are totally irrelevant (in theory, the original discard writer had
access to all that stale data anyway). This is about making it a
practical interface that doesn't have serious hidden gotchas.
So stop making silly theoretical arguments that make no sense.
We should make sure that we have _practical_ rules that are sensible,
but also not painful enough for the people who want to use this in
_practice_.
Reality trumps everything else.
If google is already using this kind of interface, then that is
_reality_. Take that into account.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
