On 8/30/18 10:05 PM, Dave Chinner wrote: > On Thu, Aug 30, 2018 at 08:34:02PM -0500, Eric Sandeen wrote: ... >> We /could/ FIBMAP a reflinked file >> exactly as well as we can FIBMAP a non-reflinked file, but we choose >> not to. This choice creates unnecessary problems for existing apps. > > Yes, we /could/. But we don't, because because of the typical use > case of FIBMAP which is to map files so that IO (read and/or write) > can be done directly to the block device without going through the > filesystem. For normal files this is /relatively/ safe if the > correct precautions are taken. For a shared extent, writing is > *never* safe. > > We don't know what users of FIBMAP are going to do with the block > map they get, but we *know* there are apps that use it to write > direct to block devices and we *know* that this will cause _silent_ > data corruption and/or exposure of privileged information (shared > data can have different owners at different permission levels) when > it occurs. It'd be way better for my blood pressure if people would stop making poor arguments about orthogonal issues. If you can directly read the block device hosting the files, file permissions of shared blocks are completely beside the point. And app writers can make bad/dangerous decisions no matter what mapping mechanisms we provide. (If an app writer knows enough to look at FIEMAP flags to check for shared blocks before writing, they'd know enough to use it instead of FIBMAP in the first place.) But I'm not even aware of any apps that actually /do/ use FI[BE]MAP mapping information to write, in any case. While grub2 does directly write file blocks in one case, it doesn't even /use/ FIBMAP! So it will happily continue doing so, even for reflinked files, despite our best efforts to break the interface for safe users. The "typical use case" is to map a file for a bootloader to /read/ at boot, and our arbitrary restriction has broken systems in the real world, and burned a lot of institutional effort getting to the bottom of the problem and working around it. I know it's our job to be pedantic, secure, and correct, but speculating about what misbehaving privileged apps /could/ do and then plugging a small fraction of the possible misuse vectors while breaking actual, safe, real-world usecases just isn't a compelling story. -Eric
