On Mon, Jun 10, 2019 at 10:51:08PM -0400, Theodore Ts'o wrote:
> On Mon, Jun 10, 2019 at 06:16:12PM -0700, Darrick J. Wong wrote:
> > On Mon, Jun 10, 2019 at 08:26:06PM +0300, Amir Goldstein wrote:
> > > read(2) is allowed from a swapfile, so copy_file_range(2) should
> > > be allowed as well.
> > >
> > > Reported-by: Theodore Ts'o <tytso@xxxxxxx>
> > > Fixes: 96e6e8f4a68d ("vfs: add missing checks to copy_file_range")
> > > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
> > > ---
> > >
> > > Darrick,
> > >
> > > This fixes the generic/554 issue reported by Ted.
> >
> > Frankly I think we should go the other way -- non-root doesn't get to
> > copy from or read from swap files.
>
> The issue is that without this patch, *root* doesn't get to copy from
> swap files. Non-root shouldn't have access via Unix permissions. We
I'm not sure even root should have that privilege - it's a swap file,
and until you swapoff, it's owned by the kernel and we shouldn't let
backup programs copy your swapped out credit card numbers onto tape.
> could add a special case if we don't trust system administrators to be
> able to set the Unix permissions correctly, I suppose, but we don't do
> that for block devices when they are mounted....
...and administrators often mkfs over mounted filesystems because we let
them read and write block devices. Granted I tried to fix that once and
LVM totally stopped working...
--D
>
> - Ted
