On Thu, 20 Jan 2011 10:30:47 +0800 Shaohua Li [off-list ref] wrote:

quoted

I don't know if this is worth addressing.  Perhaps require that the
filp refers to the root of the fs?

I didn't see why this is needed, but I can limit the fip to the root of
the fs.

I don't think it matters much either.  The only problem I can see is if
we were to later try to extend the ioctl into a per-file thing.

quoted

Also, is this a privileged operation?  If not, then that might be a
problem - could it be used by unprivileged users to work out which
files have been opened recently or something like that?

it's harmless even a unprivileged user uses it. I don't think
unprivileged user can decode the data returned from the ioctl.

um.

Well, by doing a before-and-after thing I can use this ioctl to work
out what metadata blocks are used when someone reads
/my/super/secret-directory/foo.  Then I can write a program which sits
there waiting until someone else reads /my/super/secret-directory/foo. 
Then I can use that information to start WWIII or something.

I dunno, strange things happen.  Unless there's a good *need* to make
this available to unprivileged users then we should not do so.