io-uring.vger.kernel.org archive mirror
From: Jens Axboe <axboe@kernel.dk>
To: Pavel Begunkov <asml.silence@gmail.com>,
	Stefan Metzmacher <metze@samba.org>
Cc: io-uring <io-uring@vger.kernel.org>,
	Linux API Mailing List <linux-api@vger.kernel.org>
Subject: Re: IORING_REGISTER_CREDS[_UPDATE]() and credfd_create()?
Date: Tue, 28 Jan 2020 13:19:21 -0700
Message-ID: <82b20ec2-ceaa-93f1-4cce-889a933f2c7a@kernel.dk>
In-Reply-To: <15ca72fd-5750-db7c-2404-2dd4d53dd196@gmail.com>

On 1/28/20 1:16 PM, Pavel Begunkov wrote:
> On 28/01/2020 22:42, Jens Axboe wrote:
>> On 1/28/20 11:04 AM, Jens Axboe wrote:
>>> On 1/28/20 10:19 AM, Jens Axboe wrote:
>>>> On 1/28/20 9:19 AM, Jens Axboe wrote:
>>>>> On 1/28/20 9:17 AM, Stefan Metzmacher wrote:
>>>> OK, so here are two patches for testing:
>>>>
>>>> https://git.kernel.dk/cgit/linux-block/log/?h=for-5.6/io_uring-vfs-creds
>>>>
>>>> #1 adds support for registering the personality of the invoking task,
>>>> and #2 adds support for IORING_OP_USE_CREDS. Right now it's limited to
>>>> just having one link, it doesn't support a chain of them.
>>>>
>>>> I'll try and write a test case for this just to see if it actually works,
>>>> so far it's totally untested. 
>>>>
>>>> Adding Pavel to the CC.
>>>
>>> Minor tweak to ensure we do the right thing for async offload as well,
>>> and it tests fine for me. Test case is:
>>>
>>> - Run as root
>>> - Register personality for root
>>> - create root only file
>>> - check we can IORING_OP_OPENAT the file
>>> - switch to user id test
>>> - check we cannot IORING_OP_OPENAT the file
>>> - check that we can open the file with IORING_OP_USE_CREDS linked
>>
>> I didn't like it becoming a bit too complicated, both in terms of
>> implementation and use. And the fact that we'd have to jump through
>> hoops to make this work for a full chain.
>>
>> So I punted and just added sqe->personality and IOSQE_PERSONALITY.
>> This makes it way easier to use. Same branch:
>>
>> https://git.kernel.dk/cgit/linux-block/log/?h=for-5.6/io_uring-vfs-creds
>>
>> I'd feel much better with this variant for 5.6.
>>
> 
> To be honest, sounds pretty dangerous. Especially since somebody started talking
> about stealing fds from a process, it could lead to a nasty loophole somehow.
> E.g. root registers its credentials, passes io_uring to non-privileged
> children, and then some process steals the uring fd (though, it would need
> privileged mode for code-injection or else). Could we Cc here someone really
> keen on security?

Link? If you can steal fds, then surely you've already lost any sense of
security in the first place? Besides, if root registered the ring, the root
credentials are already IN the ring. I don't see how this adds any extra
holes.

> Stefan, could you please explain how this 5-syscall pattern from the first
> email came about in the first place? Just want to understand the case.

I think if you go back a bit in the archive, Stefan has a fuller explanation
of how samba does the credentials dance.

-- 
Jens Axboe

