On Fri 16 Nov 2018 04:03:12 PM CET, Alberto Garcia wrote:
>>   top (T) -> intermediate (I) -> base (B)
>>
>> Now you commit from top to base. Clearly you don't want the backing
>> chain between top and base to change. So say you unshare the GRAPH_MOD
>> permission (implying that whenever a parent doesn't care, it just shares
>> it). But as said above, if someone just drops the backing link from I
>> to B, the permission system won't catch that.
>
> Yes it will, because the block job (either mirror or commit depending on
> the case) is the parent of all three nodes (BlockJob.nodes is where the
> list is stored) and does not allow GRAPH_MOD in any of them[*]. So
> dropping that backing link fails (I also have a test case for that).

I forgot to add the footnote [*] in my previous e-mail:

The mirror block job (in particular when in "commit-active" mode, but
also in other cases) creates a "mirror_top" node and then blocks the
target and all intermediate nodes by calling block_job_add_bdrv() in
each one of them:

   mirror_top (M) -> top (T) -> intermediate (I) -> base (B)

The problem is that those intermediate nodes start from top's
backing_bs(), so top itself is not added to the block job's list of
children and doesn't have its permissions restricted during the job's
lifetime.

This looks like a bug, I'll see if there's a way to reproduce and I'll
prepare a patch.

Berto