| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Feb 2007 12:49:16 +0530 From: Suparna Bhattacharya <suparna@...ibm.com> To: Trond Myklebust <trond.myklebust@....uio.no> Cc: Zach Brown <zach.brown@...cle.com>, Andi Kleen <ak@...e.de>, linux-kernel@...r.kernel.org, linux-aio@...ck.org, Benjamin LaHaise <bcrl@...ck.org>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH 4 of 4] Introduce aio system call submission and completion system calls On Thu, Feb 01, 2007 at 11:50:06AM -0800, Trond Myklebust wrote: > On Thu, 2007-02-01 at 16:43 +0530, Suparna Bhattacharya wrote: > > Wooo ...hold on ... I think this is swinging out of perspective :) > > > > I have said some of this before, but let me try again. > > > > As you already discovered when going down the fibril path, there are > > two kinds of accesses to current-> state, (1) common state > > for a given call chain (e.g. journal info etc), and (2) for > > various validations against the caller's process (uid, ulimit etc). > > > > (1) is not an issue when it comes to execution in background threads > > (the VFS already uses background writeback for example). > > > > As for (2), such checks need to happen upfront at the time of IO submission, > > so again are not an issue. > > Wrong! These checks can and do occur well after the time of I/O > submission in the case of remote filesystems with asynchronous writeback > support. > > Consider, for instance, the cases where the server reboots and loses all > state. Then there is the case of failover and/or migration events, where > the entire filesystem gets moved from one server to another, and again > you may have to recover state, etc... > > > I don't see any other reason why IO paths should be assuming that they are > > running in the original caller's context, midway through doing the IO. If > > that were the case background writeouts and readaheads could be fragile as > > well (or ptrace). The reason it isn't is because of this conceptual division of > > responsibility. > > The problem with this is that the security context is getting > progressively more heavy as we add more and more features. In addition > to the original uid/gid/fsuid/fsgid/groups, we now have stuff like > keyrings to carry around. Then there is all the context needed to > support selinux,... Isn't that kind of information supposed to be captured in nfs_open_context ? Which is associated with the open file instance ... I know this has been a traditional issue with network filesystems, and I haven't kept up with the latest code and decisions in that respect, but how would you do background writeback if there is an assumption of running in the context of the original submitter ? Regards Suparna > In the end, you end up recreating most of struct task_struct... > > Cheers > Trond > > -- > To unsubscribe, send a message with 'unsubscribe linux-aio' in > the body to majordomo@...ck.org. For more info on Linux AIO, > see: http://www.kvack.org/aio/ > Don't email: <a href=mailto:"aart@...ck.org">aart@...ck.org</a> -- Suparna Bhattacharya (suparna@...ibm.com) Linux Technology Center IBM Software Lab, India - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists