[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1L0aEn-0006dh-BK@pomaz-ex.szeredi.hu>
Date: Thu, 13 Nov 2008 12:19:49 +0100
From: Miklos Szeredi <miklos@...redi.hu>
To: tj@...nel.org
CC: miklos@...redi.hu, fuse-devel@...ts.sourceforge.net,
greg@...ah.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCHSET] FUSE: extend FUSE to support more operations
On Thu, 13 Nov 2008, Tejun Heo wrote:
> Tejun Heo wrote:
> >> I still got qualms about this ioctl thing. One is the security
> >> aspect, but that could be dealt with. The other is that I really
> >> really don't want people to start implementing new custom ioctls for
> >> their filesystems, as I think that way lies madness. We could limit
> >> ioctls to CUSE and that would be fine with me. Or for non-CUSE users
> >> we could enforce the "standard" format where the type and length is
> >> encoded in the command number.
> >
> > For now, I'll limit ioctl to CUSE. Hmmm... Yeah, limiting ioctl to
> > well-formatted ones sounds like a good idea.
> >
> >> I don't have any problems with the iterative way you implemented
> >> ioctls. We just need some additional restrictions to the current
> >> implementation, I think.
>
> I've been thinking about this a bit more. What do you think about
> putting the following restrictions?
>
> 1. FUSE server can only support well-formed ioctls. At the kernel side,
> the interfaces remains the same for both FUSE and CUSE but libfuse only
> exports well-formed ioctl API.
>
> 2. ioctl can only be used by FUSE server running as root (would this be
> necessary? I'm not sure. To me it seems all the necessary protections
> are already there).
Not with '-oallow_other'. Consider the case that the caller invoked a
non well formed ioctl, but since there's no way to know this we
allowed the fuse server to tinker with the caller's address space
_as if_ the ioctl was well formed.
So we should always make sure that the server has enough privilege to
read/write the caller's memory, i.e. it can ptrace the caller.
At this point we could allow any ioctls, not just well formed ones.
But I don't want that for a different reason: if the possibility is
there people will find new "innovative" uses for it and just get
themselves into a big mess.
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists