On Sat, Feb 29, 2020 at 1:14 AM Omar Sandoval <osandov@xxxxxxxxxxx> wrote:
>
> From: Omar Sandoval <osandov@xxxxxx>
>
> The upcoming RWF_ENCODED operation introduces some security concerns:
>
> 1. Compressed writes will pass arbitrary data to decompression
> algorithms in the kernel.
> 2. Compressed reads can leak truncated/hole-punched data.
>
> Therefore, we need to require privilege for RWF_ENCODED. It's not
> possible to do the permissions checks at the time of the read or write
> because, e.g., io_uring submits IO from a worker thread. So, add an open
> flag which requires CAP_SYS_ADMIN. It can also be set and cleared with
> fcntl(). The flag is not cleared in any way on fork or exec; it should
> probably be used with O_CLOEXEC in most cases.
>

So let's be more proactive and disallow setting O_ALLOW_ENCODED without
O_CLOEXEC, shall we?

> Note that the usual issue that unknown open flags are ignored doesn't
> really matter for O_ALLOW_ENCODED; if the kernel doesn't support
> O_ALLOW_ENCODED, then it doesn't support RWF_ENCODED, either.
>

And for that matter, setting O_ALLOW_ENCODED without O_CLOEXEC won't do
any harm with old kernels - even better, it can serve as a fast test for
kernel RWF_ENCODED support using only the openat() syscall.

Thanks,
Amir.
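As an added example, not code from Omar's patch or from anyone in the thread: a small C probe that generalises Amir's "fast test" idea to any open(2) flag, always forcing O_CLOEXEC so the flag cannot survive an exec. The numeric value of O_ALLOW_ENCODED is a placeholder (the patch defining it is not on the page), and the EPERM result for an unprivileged caller is an assumption drawn from the "requires CAP_SYS_ADMIN" wording; the helper name probe_open_flag is mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* PLACEHOLDER: O_ALLOW_ENCODED's numeric value comes from Omar's patch, not
 * from any released header, so it is unknown here. Replace it with the real
 * definition before using this probe for RWF_ENCODED. */
#ifndef O_ALLOW_ENCODED
#define O_ALLOW_ENCODED 0
#endif

enum flag_support {
    FLAG_SUPPORTED,       /* open succeeded and F_GETFL still reports the flag */
    FLAG_NEEDS_PRIVILEGE, /* open refused with EPERM: flag known, caller unprivileged */
    FLAG_UNSUPPORTED,     /* open succeeded but the kernel dropped the unknown flag */
    FLAG_ERROR            /* flag was 0, or open()/fcntl() failed; see errno */
};

/* Probe whether the running kernel honours open(2) flag `flag` on `path`.
 * O_CLOEXEC is always ORed in so the flag cannot leak into an exec'd child.
 * Assumption (not spelled out in the thread): a patched kernel refuses
 * O_ALLOW_ENCODED with EPERM when the caller lacks CAP_SYS_ADMIN. */
enum flag_support probe_open_flag(const char *path, int flag)
{
    if (flag == 0) {
        errno = EINVAL; /* nothing to probe; avoid a false "supported" */
        return FLAG_ERROR;
    }
    int fd = openat(AT_FDCWD, path, O_RDONLY | O_CLOEXEC | flag);
    if (fd < 0)
        return errno == EPERM ? FLAG_NEEDS_PRIVILEGE : FLAG_ERROR;
    int fl = fcntl(fd, F_GETFL); /* unknown flags never come back from F_GETFL */
    close(fd);
    if (fl < 0)
        return FLAG_ERROR;
    return (fl & flag) == flag ? FLAG_SUPPORTED : FLAG_UNSUPPORTED;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "supported", "needs privilege",
                                   "unsupported", "error" };
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    printf("O_ALLOW_ENCODED on %s: %s\n", path,
           names[probe_open_flag(path, O_ALLOW_ENCODED)]);
    return 0;
}
```

Run as an unprivileged user: "needs privilege" means the kernel knows the flag, "unsupported" means it was silently discarded, which is the case Omar's note says is harmless because RWF_ENCODED is then absent too.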