[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y9qQ9i6rNvJWPbV+@itl-email>
Date: Wed, 1 Feb 2023 11:18:54 -0500
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: Christoph Hellwig <hch@...radead.org>
Cc: Jens Axboe <axboe@...nel.dk>,
Marek Marczykowski-Górecki
<marmarek@...isiblethingslab.com>, linux-block@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/7] block: Support creating a struct file from a
block device
On Tue, Jan 31, 2023 at 11:45:55PM -0800, Christoph Hellwig wrote:
> On Tue, Jan 31, 2023 at 11:27:59AM -0500, Demi Marie Obenour wrote:
> > While it is easy to provide userspace with an FD to any struct file, it
> > is *not* easy to obtain a struct file for a given struct block_device.
> > I could have had device-mapper implement everything itself, but that
> > would have duplicated a large amount of code already in the block layer.
> > Instead, I decided to refactor the block layer to provide a function
> > that does exactly what was needed. The result was this patch. In the
> > future, I would like to add an ioctl for /dev/loop-control that creates
> > a loop device and returns a file descriptor to the loop device. I could
> > also see iSCSI supporting this, with the socket file descriptor being
> > passed in from userspace.
>
> And it is somewhat intentional that you can't. Block device inodes
> have interesting life times and are never directly exposed to userspace
> at all. They are internal, and only f_mapping of a file system inode
> delegates to them or I/O. Your patch now magically exposes them to
> userspace.
The intention is that the file descriptor is equvalent to what one would
get by first creating the device and then opening it. If it is not,
that is a bug in one of my patches.
> And it then bypasses all pathname and inode permission
> based access checks and auditing. So we can't just do it.
Accessing /dev/mapper/control is already enough to panic the kernel, so
presumably only fully trusted userspace can make the ioctl to begin
with. Furthermore, this only allows a userspace process to get a file
descriptor to the device-mapper device it itself created.
> > blkdev_do_open() does not solve any problem for me at this time.
> > Instead, it represents the code shared by blkdev_get_by_dev() and
> > blkdev_get_file(). I decided to export it because it could be of
> > independent use to others. In particular, it could potentially
> > simplify disk_scan_partitions() in block/genhd.c, pkt_new_dev() in
> > pktcdvd, backing_dev_store() in zram, and f2fs_scan_devices() in f2fs.
>
> All thse need to actually open the underlying device as they do I/O.
> Doing I/O without opening the device is a no-go.
blkdev_do_open() *does* open the device. If it doesn’t, that’s a bug.
In v2 I will add the same access control checks that blkdev_get_by_dev()
does. Is this sufficient?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists