On Fri, Jul 19, 2013 at 12:13:21PM -0400, Dwight Engen wrote:
> On Fri, 19 Jul 2013 16:02:21 +1000
> Dave Chinner <david@xxxxxxxxxxxxx> wrote:
>
> > On Wed, Jul 17, 2013 at 11:47:46AM -0400, Dwight Engen wrote:
> > > Signed-off-by: Dwight Engen <dwight.engen@xxxxxxxxxx>
> >
> > What's the reason for this patch?
>
> It's trying to ensure we only allow the XFS_IOC_FREE_EOFBLOCKS
> caller to affect the inodes they should be able to.
> http://oss.sgi.com/archives/xfs/2013-06/msg00955.html has a bit more
> background. This isn't really related to user namespaces per-se, so I
> guess it should be a separate patch, but since I modified the
> eofblocks structure I was trying to fix this as well.

background needs to be in the commit message.

> >
> > > --- > > > fs/xfs/xfs_fs.h | 1 + > > > fs/xfs/xfs_icache.c | 4 ++++ > > > fs/xfs/xfs_ioctl.c | 2 ++ > > > 3 files changed, 7 insertions(+) > > > > > > diff --git a/fs/xfs/xfs_fs.h b/fs/xfs/xfs_fs.h > > > index 7eb4a5e..aee4b12 100644 > > > --- a/fs/xfs/xfs_fs.h > > > +++ b/fs/xfs/xfs_fs.h > > > @@ -361,6 +361,7 @@ struct xfs_fs_eofblocks { > > > #define XFS_EOF_FLAGS_GID (1 << 2) /* filter by gid > > > */ #define XFS_EOF_FLAGS_PRID (1 << 3) /* filter by > > > project id */ #define XFS_EOF_FLAGS_MINFILESIZE (1 << 4) /* > > > filter by min file size */ +#define XFS_EOF_FLAGS_PERM_CHECK > > > (1 << 5) /* check can write inode */ #define > > > XFS_EOF_FLAGS_VALID \ (XFS_EOF_FLAGS_SYNC | \ > > > XFS_EOF_FLAGS_UID | \ > > > diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c > > > index d873ab9e..728283a 100644 > > > --- a/fs/xfs/xfs_icache.c > > > +++ b/fs/xfs/xfs_icache.c
> > > @@ -1247,6 +1247,10 @@ xfs_inode_free_eofblocks( > > > if (!xfs_inode_match_id(ip, eofb)) > > > return 0; > > > > > > + if (eofb->eof_flags & XFS_EOF_FLAGS_PERM_CHECK && > > > + inode_permission(VFS_I(ip), MAY_WRITE)) > > > + return 0;
> >
> > This assumes we are walking fully instantiated VFS inodes. That's
> > not necessarily true - we may be walking inodes that have already
> > been dropped from the VFS and are waiting for background reclaim to
> > clean them up. I suspect that this doesn't need to be done - we
> > normally stop background modification processes like this when we
> > convert the filesystem to read-only. I suspect the eof-blocks scan
> > code is missing that, and so it can potentially run on a RO
> > filesystem. That needs fixing similar to the way we stop and start
> > the periodic log work...
>
> So if there isn't a good way to check per-inode, maybe for now we
> should just restrict the ioctl caller to be capable(CAP_SYS_ADMIN)?

What, exactly, are you trying to check here?

> > Also, gcc should throw warnings on that code (strange, it didn't
> > here on gcc-4.7) as it needs more parentheses. i.e
>
> I don't think it needs them (& is higher precedence than &&), but I can
> add them for clarity if you like.

I know what the precedence is, but code that looks like:

	(a & b && c & d && b & d && ..)

needs time to verify that it is correct. Indeed, when I see the
above, I think "was it supposed to be":

	(a && b && c && d && b & d && ..)

Parentheses remove any ambiguity in intention here - they clearly
separate intended logic from typos. Same goes for | vs ||....

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
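
Review bot: in the fs/xfs/xfs_fs.h hunk, XFS_EOF_FLAGS_PERM_CHECK (1 << 5) is defined in the same block as the caller-supplied filter flags, but the diffstat shows only one added line in this file, so XFS_EOF_FLAGS_VALID is left as it was. The comment "check can write inode" does not say whether this bit is meant to be set by the caller or only inside the kernel on the caller's behalf. Please state that in the comment, and if the bit is internal only, keep it visibly apart from the user-settable flags so a later change to XFS_EOF_FLAGS_VALID does not expose it by accident. The commit message carries only the Signed-off-by line, so the intent is not recorded there either.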
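
Review bot: in the fs/xfs/xfs_icache.c hunk, the added condition in xfs_inode_free_eofblocks() mixes & and && without parentheses and treats any nonzero return from inode_permission(VFS_I(ip), MAY_WRITE) as "skip this inode". Parenthesising the flag test, as in "(eofb->eof_flags & XFS_EOF_FLAGS_PERM_CHECK) && inode_permission(...)", makes the intended grouping explicit. The new branch also returns 0 exactly like the xfs_inode_match_id() mismatch above it, so an inode skipped for lack of write permission is indistinguishable from one that did not match the filter; a short comment saying that permission failures are skipped silently by design would help the next reader.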