On 8/21/20 3:38 AM, Omar Sandoval wrote:
From: Omar Sandoval <osandov@xxxxxx>
The upcoming RWF_ENCODED operation introduces some security concerns:
1. Compressed writes will pass arbitrary data to decompression
algorithms in the kernel.
2. Compressed reads can leak truncated/hole punched data.
Therefore, we need to require privilege for RWF_ENCODED. It's not
possible to do the permissions checks at the time of the read or write
because, e.g., io_uring submits IO from a worker thread. So, add an open
flag which requires CAP_SYS_ADMIN. It can also be set and cleared with
fcntl(). The flag is not cleared in any way on fork or exec; it should
probably be used with O_CLOEXEC in most cases.
Note that the usual issue that unknown open flags are ignored doesn't
really matter for O_ALLOW_ENCODED; if the kernel doesn't support
O_ALLOW_ENCODED, then it doesn't support RWF_ENCODED, either.
It seemed like you agreed to require O_CLOEXEC to be set when using
O_ALLOW_ENCODED in your last go around, what happened to that? I know I'd feel
better if we had that requirement, and if we aren't I'd like to know why we
can't. Thanks,
Josef
