Hi Jens,

now that we have IORING_FEAT_CUR_PERSONALITY...

How can we optimize the fileserver case now, in order to avoid the overhead of always calling 5 syscalls before io_uring_enter()?:

    /* gain root again */
    setresuid(-1,0,-1);
    setresgid(-1,0,-1);
    /* impersonate the user with groups */
    setgroups(num, grps);
    setresgid(-1,gid,-1);
    setresuid(-1,uid,-1);
    /* trigger the operation */
    io_uring_enter();

I guess some kind of IORING_REGISTER_CREDS[_UPDATE] would be good, together with an IOSQE_FIXED_CREDS in order to specify credentials per operation.

Or we make it much more generic and introduce a credsfd_create() syscall in order to get an fd for a credential handle, maybe together with another syscall to activate the credentials of the current thread (or let a write to the fd trigger the activation in order to avoid an additional syscall number).

Having just an fd would allow IORING_REGISTER_CREDS[_UPDATE] to be just an array of int values instead of a more complex structure to define the credentials.

What do you think?

metze