| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <15f7fcf5-c5bb-7752-fa9a-376c4c7fc147@kernel.dk>
Date: Tue, 21 Jul 2020 11:11:17 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Stefano Garzarella <sgarzare@...hat.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Kees Cook <keescook@...omium.org>,
Aleksa Sarai <asarai@...e.de>,
Stefan Hajnoczi <stefanha@...hat.com>,
Christian Brauner <christian.brauner@...ntu.com>,
Sargun Dhillon <sargun@...gun.me>,
Jann Horn <jannh@...gle.com>, io-uring@...r.kernel.org,
linux-fsdevel@...r.kernel.org, Jeff Moyer <jmoyer@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC v2 2/3] io_uring: add IOURING_REGISTER_RESTRICTIONS
opcode
On 7/21/20 4:40 AM, Stefano Garzarella wrote:
> On Thu, Jul 16, 2020 at 03:26:51PM -0600, Jens Axboe wrote:
>> On 7/16/20 6:48 AM, Stefano Garzarella wrote:
>>> diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
>>> index efc50bd0af34..0774d5382c65 100644
>>> --- a/include/uapi/linux/io_uring.h
>>> +++ b/include/uapi/linux/io_uring.h
>>> @@ -265,6 +265,7 @@ enum {
>>> IORING_REGISTER_PROBE,
>>> IORING_REGISTER_PERSONALITY,
>>> IORING_UNREGISTER_PERSONALITY,
>>> + IORING_REGISTER_RESTRICTIONS,
>>>
>>> /* this goes last */
>>> IORING_REGISTER_LAST
>>> @@ -293,4 +294,30 @@ struct io_uring_probe {
>>> struct io_uring_probe_op ops[0];
>>> };
>>>
>>> +struct io_uring_restriction {
>>> + __u16 opcode;
>>> + union {
>>> + __u8 register_op; /* IORING_RESTRICTION_REGISTER_OP */
>>> + __u8 sqe_op; /* IORING_RESTRICTION_SQE_OP */
>>> + };
>>> + __u8 resv;
>>> + __u32 resv2[3];
>>> +};
>>> +
>>> +/*
>>> + * io_uring_restriction->opcode values
>>> + */
>>> +enum {
>>> + /* Allow an io_uring_register(2) opcode */
>>> + IORING_RESTRICTION_REGISTER_OP,
>>> +
>>> + /* Allow an sqe opcode */
>>> + IORING_RESTRICTION_SQE_OP,
>>> +
>>> + /* Only allow fixed files */
>>> + IORING_RESTRICTION_FIXED_FILES_ONLY,
>>> +
>>> + IORING_RESTRICTION_LAST
>>> +};
>>> +
>>
>> Not sure I totally love this API. Maybe it'd be cleaner to have separate
>> ops for this, instead of muxing it like this. One for registering op
>> code restrictions, and one for disallowing other parts (like fixed
>> files, etc).
>>
>> I think that would look a lot cleaner than the above.
>>
>
> Talking with Stefan, an alternative, maybe more near to your suggestion,
> would be to remove the 'struct io_uring_restriction' and add the
> following register ops:
>
> /* Allow an sqe opcode */
> IORING_REGISTER_RESTRICTION_SQE_OP
>
> /* Allow an io_uring_register(2) opcode */
> IORING_REGISTER_RESTRICTION_REG_OP
>
> /* Register IORING_RESTRICTION_* */
> IORING_REGISTER_RESTRICTION_OP
>
>
> enum {
> /* Only allow fixed files */
> IORING_RESTRICTION_FIXED_FILES_ONLY,
>
> IORING_RESTRICTION_LAST
> }
>
>
> We can also enable restriction only when the rings started, to avoid to
> register IORING_REGISTER_ENABLE_RINGS opcode. Once rings are started,
> the restrictions cannot be changed or disabled.
My concerns are largely:
1) An API that's straight forward to use
2) Something that'll work with future changes
The "allow these opcodes" is straightforward, and ditto for the register
opcodes. The fixed file I guess is the odd one out. So if we need to
disallow things in the future, we'll need to add a new restriction
sub-op. Should this perhaps be "these flags must be set", and that could
easily be augmented with "these flags must not be set"?
--
Jens Axboe
Powered by blists - more mailing lists