jkominek / fdbfs

A not-yet-ready-for-use FoundationDB-backed FUSE filesystem. Seriously, don't use it.

Perform our own permissions checking

jkominek opened this issue · comments

Right now we have to farm out permissions checking to the kernel with the default_permissions option. That works, but allows for... "permissions skew", where the kernel may use cached permissions to determine whether or not some operation is allowed. So we could see:

  1. system A reads the inode for permissions (read-only transaction)
  2. system B changes the permissions on the inode (read-write)
  3. system A uses those permissions to perform an operation on the inode (read-write)

Now, is that the end of the world? No, I think local filesystems probably don't guarantee that can't happen. But their time bounds on preventing it are probably muuuuch tighter than ours. In bad situations ours might be long enough to be human perceivable and weird.

It shouldn't really be any more expensive to do this. I believe I've added reads for the inode in all the places where permissions would need to be checked, even if we don't actually use the retrieved value (and it is used in almost all cases). So we're already paying the price; it's just a matter of implementing the permission checking function and calling it inside our transactions.

This is marked very hard because you've got to know the subtleties of POSIX permissions checking.
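As an added illustration (not code from fdbfs), here is a Python sketch of the POSIX access check the issue asks for, run against a constructed optimistic-concurrency store that mimics FoundationDB's read-conflict detection. It shows the skew above going through when the check lives in its own read-only transaction, and being caught (conflict, retry, then denied) when the check and the operation share a transaction. `Store`, `Txn`, `race` and the inode layout are assumptions of the example.

```python
import stat
R_OK, W_OK, X_OK = 4, 2, 1  # access(2)-style request bits

def posix_access(inode, uid, gids, want):
    # Classic POSIX rule: pick owner/group/other bits by uid, then gid membership.
    # Root gets read/write unconditionally, execute only if some x bit is set or it's a directory.
    mode = inode["mode"]
    if uid == 0:
        return not (want & X_OK) or bool(mode & 0o111) or stat.S_ISDIR(mode)
    shift = 6 if uid == inode["uid"] else 3 if inode["gid"] in gids else 0
    return ((mode >> shift) & want) == want

class ConflictError(Exception): pass

class Store:  # constructed FDB-like optimistic-concurrency key/value store
    def __init__(self): self.data, self.version = {}, {}
    def txn(self): return Txn(self)

class Txn:
    def __init__(self, store): self.s, self.reads, self.writes = store, {}, {}
    def get(self, key):  # remember the version each key was read at
        self.reads[key] = self.s.version.get(key, 0)
        return self.writes.get(key, self.s.data.get(key))
    def set(self, key, value): self.writes[key] = value
    def commit(self):  # fail if anything we read has since been written
        if any(self.s.version.get(k, 0) != v for k, v in self.reads.items()):
            raise ConflictError
        for k, v in self.writes.items():
            self.s.data[k], self.s.version[k] = v, self.s.version.get(k, 0) + 1

def race(check_inside):
    # Constructed race from the issue: A checks W_OK, B chmods the inode to 0444
    # before A's write commits, then A writes. Returns the fate of A's write.
    s = Store()
    s.data["inode:1"] = {"uid": 1000, "gid": 1000, "mode": 0o100644}
    chmod_done = False
    while True:  # FDB-style retry: a conflict re-reads the inode and re-checks
        a = s.txn()
        if not posix_access(a.get("inode:1"), 1000, {1000}, W_OK):
            return "denied"
        if not check_inside:  # default_permissions-style: check in its own txn
            a.commit(); a = s.txn()
        if not chmod_done:  # B's chmod lands between A's check and A's write
            b = s.txn(); b.set("inode:1", dict(b.get("inode:1"), mode=0o100444))
            b.commit(); chmod_done = True
        a.set("data:1", b"hello")
        try:
            a.commit(); return "written"
        except ConflictError: continue
```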