On Mon, Dec 04, 2023 at 01:40:58PM -0500, Jeff Moyer wrote: > I added a CC: linux-security-module@vger > Keith Busch <kbusch@xxxxxxxx> writes: > > From: Keith Busch <kbusch@xxxxxxxxxx> > > > > The uring_cmd operation is often used for privileged actions, so drivers > > subscribing to this interface check capable() for each command. The > > capable() function is not fast path friendly for many kernel configs, > > and this can really harm performance. Stash the capable sys admin > > attribute in the io_uring context and set a new issue_flag for the > > uring_cmd interface. > > I have a few questions. What privileged actions are performance > sensitive? I would hope that anything requiring privileges would not > be in a fast path (but clearly that's not the case). Protocol specifics that don't have a generic equivalent. For example, NVMe FDP is reachable only through the uring_cmd and ioctl interfaces, but you use it like normal reads and writes so has to be as fast as the generic interfaces. The same interfaces can be abused, so access needs to be restricted. > What performance benefits did you measure with this patch set in place > (and on what workloads)? Quite a bit. Here's a random read high-depth workload on a single device test: Before: 970k IOPs After: 1750k IOPs > What happens when a ring fd is passed to another process? > > Finally, as Jens mentioned, I would expect dropping priviliges to, you > know, drop privileges. I don't think a commit message is going to be > enough documentation for a change like this. Yeah, point taken.
