From: Daurnimator <quae@daurnimator.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: Stefano Garzarella <sgarzare@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Kees Cook <keescook@chromium.org>, Aleksa Sarai <asarai@suse.de>,
Stefan Hajnoczi <stefanha@redhat.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Sargun Dhillon <sargun@sargun.me>, Jann Horn <jannh@google.com>,
io-uring <io-uring@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, Jeff Moyer <jmoyer@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC v2 2/3] io_uring: add IOURING_REGISTER_RESTRICTIONS opcode
Date: Wed, 22 Jul 2020 12:35:15 +1000 [thread overview]
Message-ID: <CAEnbY+fCP-HS_rWfOF2rnUPos-eZRF1dL+m2Q8CZidi_W=a7xw@mail.gmail.com> (raw)
In-Reply-To: <15f7fcf5-c5bb-7752-fa9a-376c4c7fc147@kernel.dk>
On Wed, 22 Jul 2020 at 03:11, Jens Axboe <axboe@kernel.dk> wrote:
>
> On 7/21/20 4:40 AM, Stefano Garzarella wrote:
> > On Thu, Jul 16, 2020 at 03:26:51PM -0600, Jens Axboe wrote:
> >> On 7/16/20 6:48 AM, Stefano Garzarella wrote:
> >>> diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
> >>> index efc50bd0af34..0774d5382c65 100644
> >>> --- a/include/uapi/linux/io_uring.h
> >>> +++ b/include/uapi/linux/io_uring.h
> >>> @@ -265,6 +265,7 @@ enum {
> >>> IORING_REGISTER_PROBE,
> >>> IORING_REGISTER_PERSONALITY,
> >>> IORING_UNREGISTER_PERSONALITY,
> >>> + IORING_REGISTER_RESTRICTIONS,
> >>>
> >>> /* this goes last */
> >>> IORING_REGISTER_LAST
> >>> @@ -293,4 +294,30 @@ struct io_uring_probe {
> >>> struct io_uring_probe_op ops[0];
> >>> };
> >>>
> >>> +struct io_uring_restriction {
> >>> + __u16 opcode;
> >>> + union {
> >>> + __u8 register_op; /* IORING_RESTRICTION_REGISTER_OP */
> >>> + __u8 sqe_op; /* IORING_RESTRICTION_SQE_OP */
> >>> + };
> >>> + __u8 resv;
> >>> + __u32 resv2[3];
> >>> +};
> >>> +
> >>> +/*
> >>> + * io_uring_restriction->opcode values
> >>> + */
> >>> +enum {
> >>> + /* Allow an io_uring_register(2) opcode */
> >>> + IORING_RESTRICTION_REGISTER_OP,
> >>> +
> >>> + /* Allow an sqe opcode */
> >>> + IORING_RESTRICTION_SQE_OP,
> >>> +
> >>> + /* Only allow fixed files */
> >>> + IORING_RESTRICTION_FIXED_FILES_ONLY,
> >>> +
> >>> + IORING_RESTRICTION_LAST
> >>> +};
> >>> +
> >>
> >> Not sure I totally love this API. Maybe it'd be cleaner to have separate
> >> ops for this, instead of muxing it like this. One for registering op
> >> code restrictions, and one for disallowing other parts (like fixed
> >> files, etc).
> >>
> >> I think that would look a lot cleaner than the above.
> >>
> >
> > Talking with Stefan, an alternative, maybe more near to your suggestion,
> > would be to remove the 'struct io_uring_restriction' and add the
> > following register ops:
> >
> > /* Allow an sqe opcode */
> > IORING_REGISTER_RESTRICTION_SQE_OP
> >
> > /* Allow an io_uring_register(2) opcode */
> > IORING_REGISTER_RESTRICTION_REG_OP
> >
> > /* Register IORING_RESTRICTION_* */
> > IORING_REGISTER_RESTRICTION_OP
> >
> >
> > enum {
> > /* Only allow fixed files */
> > IORING_RESTRICTION_FIXED_FILES_ONLY,
> >
> > IORING_RESTRICTION_LAST
> > }
> >
> >
> > We can also enable restriction only when the rings started, to avoid to
> > register IORING_REGISTER_ENABLE_RINGS opcode. Once rings are started,
> > the restrictions cannot be changed or disabled.
>
> My concerns are largely:
>
> 1) An API that's straight forward to use
> 2) Something that'll work with future changes
>
> The "allow these opcodes" is straightforward, and ditto for the register
> opcodes. The fixed file I guess is the odd one out. So if we need to
> disallow things in the future, we'll need to add a new restriction
> sub-op. Should this perhaps be "these flags must be set", and that could
> easily be augmented with "these flags must not be set"?
>
> --
> Jens Axboe
>
This is starting to sound a lot like seccomp filtering.
Perhaps we should go straight to adding a BPF hook that fires when
reading off the submission queue?
next prev parent reply other threads:[~2020-07-22 11:26 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-16 12:48 [PATCH RFC v2 0/3] io_uring: add restrictions to support untrusted applications and guests Stefano Garzarella
2020-07-16 12:48 ` [PATCH RFC v2 1/3] io_uring: use an enumeration for io_uring_register(2) opcodes Stefano Garzarella
2020-07-16 20:16 ` Pavel Begunkov
2020-07-16 20:42 ` Jens Axboe
2020-07-16 20:47 ` Pavel Begunkov
2020-07-16 20:51 ` Jens Axboe
2020-07-16 21:20 ` Jens Axboe
2020-07-17 8:13 ` Stefano Garzarella
2020-07-16 12:48 ` [PATCH RFC v2 2/3] io_uring: add IOURING_REGISTER_RESTRICTIONS opcode Stefano Garzarella
2020-07-16 21:26 ` Jens Axboe
2020-07-17 8:55 ` Stefano Garzarella
2020-07-21 10:40 ` Stefano Garzarella
2020-07-21 17:11 ` Jens Axboe
2020-07-22 2:35 ` Daurnimator [this message]
2020-07-22 14:14 ` Stefano Garzarella
2020-07-22 14:29 ` Stefano Garzarella
2020-07-16 12:48 ` [PATCH RFC v2 3/3] io_uring: allow disabling rings during the creation Stefano Garzarella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEnbY+fCP-HS_rWfOF2rnUPos-eZRF1dL+m2Q8CZidi_W=a7xw@mail.gmail.com' \
--to=quae@daurnimator.com \
--cc=asarai@suse.de \
--cc=axboe@kernel.dk \
--cc=christian.brauner@ubuntu.com \
--cc=io-uring@vger.kernel.org \
--cc=jannh@google.com \
--cc=jmoyer@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sargun@sargun.me \
--cc=sgarzare@redhat.com \
--cc=stefanha@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).