On 12/4/2023 11:35 PM, Jens Axboe wrote: > On 12/4/23 10:53 AM, Keith Busch wrote: >> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >> index 1d254f2c997de..4aa10b64f539e 100644 >> --- a/io_uring/io_uring.c >> +++ b/io_uring/io_uring.c >> @@ -3980,6 +3980,7 @@ static __cold int io_uring_create(unsigned entries, struct io_uring_params *p, >> ctx->syscall_iopoll = 1; >> >> ctx->compat = in_compat_syscall(); >> + ctx->sys_admin = capable(CAP_SYS_ADMIN); >> if (!ns_capable_noaudit(&init_user_ns, CAP_IPC_LOCK)) >> ctx->user = get_uid(current_user()); > Hmm, what happens if the app starts as eg root for initialization > purposes and drops caps after? That would have previously have caused > passthrough to fail, but now it will work. Does it sound any better if this 'super ring' type of ability is asked explicitly by a setup flag say IORING_SETUP_CAPABLE_ONCE. It does not change the old behavior. It also implies that capable user knows what it asked for, so no need to keep things in sync if the process drops caps after ring setup is done. diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 4aa10b64f539..589e614144b6 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -3981,6 +3981,8 @@ static __cold int io_uring_create(unsigned entries, struct io_uring_params *p, ctx->compat = in_compat_syscall(); + if (ctx->flags & IORING_SETUP_CAPABLE_ONCE && capable(CAP_SYS_ADMIN)) + ctx->sys_admin = 1; if (!ns_capable_noaudit(&init_user_ns, CAP_IPC_LOCK)) ctx->user = get_uid(current_user());
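Review bot: in the second patch, the added `if (ctx->flags & IORING_SETUP_CAPABLE_ONCE && capable(CAP_SYS_ADMIN))` in io_uring_create() silently ignores the flag when the caller lacks CAP_SYS_ADMIN: the ring is still created with the flag set in ctx->flags, but ctx->sys_admin stays 0. A caller that asked for this explicitly should get an error at setup (for example -EPERM) rather than discover the missing privilege at the first passthrough command, or the fallback should be documented as intended. The bitwise test would also read better parenthesized as `(ctx->flags & IORING_SETUP_CAPABLE_ONCE)`; the current form is correct by precedence but easy to misread. The hunk shows only the use of IORING_SETUP_CAPABLE_ONCE, so the flag's definition and its description are not visible here. Since ctx->sys_admin is latched on the ctx at creation and nothing in the hunk clears it, the description should state that the privilege stays with the ring for its lifetime, including after the creating task drops its capabilities.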