On Thu, 9 Oct 2008, Linus Torvalds wrote:
> Of course, I think POSIX is crazy, and we probably _should_ always honor
> O_APPEND, and returning -EINVAL is the right thing for both pwrite and
> splice, but this is all a murkier issue than it looked like originally,
> and any possible "security" implications are dubious in that you cannot
> really depend on O_APPEND/IS_APPEND anyway.

The thing is, the append-only attribute is absolutely useless without
being able to depend on it. So in that sense I think the IS_APPEND
issue is important, and I'm fine with your original proposal for that
(except we don't need the IS_IMMUTABLE check).

I also agree that the O_APPEND issue is murky and should probably be
discussed separately.

Thanks,
Miklos

----

Subject: splice: disallow random writes for append-only inodes
From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

It was possible to write to a random location in an append-only file
using splice.

Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx>
---
fs/splice.c | 5 +++++
1 file changed, 5 insertions(+)

Index: linux-2.6/fs/splice.c =================================================================== --- linux-2.6.orig/fs/splice.c 2008-10-09 21:46:07.000000000 +0200 +++ linux-2.6/fs/splice.c 2008-10-09 21:47:42.000000000 +0200 @@ -891,6 +891,7 @@ static long do_splice_from(struct pipe_i loff_t *ppos, size_t len, unsigned int flags) { int ret; + struct inode *inode; if (unlikely(!out->f_op || !out->f_op->splice_write)) return -EINVAL; @@ -898,6 +899,10 @@ static long do_splice_from(struct pipe_i if (unlikely(!(out->f_mode & FMODE_WRITE))) return -EBADF; + inode = out->f_dentry->d_inode; + if (IS_APPEND(inode)) + return -EINVAL; + ret = rw_verify_area(WRITE, out, ppos, len); if (unlikely(ret < 0)) return ret;
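
Review bot: In the first hunk (@@ -891,6 +891,7 @@), the new local "struct inode *inode;" exists for a single use in the check added further down. It can be dropped by testing IS_APPEND(out->f_dentry->d_inode) directly, which keeps the change to one place in do_splice_from().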
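
Review bot: In the second hunk (@@ -898,6 +899,10 @@), "if (IS_APPEND(inode)) return -EINVAL;" rejects every splice into an append-only inode, including one whose *ppos already sits at end of file, while the commit message only speaks of writes to a "random location". Either state in the commit message, and in a comment above the check, that splice is refused outright for IS_APPEND inodes, or compare *ppos with the file size so that a genuine append still succeeds. The check also carries no comment explaining why it sits here rather than in the individual splice_write implementations; one line saying that do_splice_from() is the common entry point would help the next reader.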