On Sun, Aug 28, 2022 at 04:09:11PM +0100, Richard W.M. Jones wrote:

...

> > +
> > +ublk driver doesn't handle any IO logic, and its function is well defined
> > +so far, and very limited userspace interfaces are needed, and each one is
> > +well defined too, then it is very likely to make ublk device one
> > +container-aware block device in future, as Stefan Hajnoczi suggested[3], by
> > +removing ADMIN privilege.
>
> Is it advisable for non-root to be able to create arbitrary /dev devices?
> It sounds like a security nightmare because you're exposing
> potentially any arbitrary, malicious filesystem to the kernel to
> parse.

+1, such malicious daemons can also dynamically update/attack fs metadata
at runtime. I think most current fs corruption tests are for pre-built fs
images but not for runtime attacks via the daemon itself or the network;
an unprivileged daemon makes life harder for all local fses.

Also for swap device use cases, malicious unprivileged daemons enlarge the
possibility of corrupting/attacking any anonymous memory (maybe belonging to
privileged processes) on purpose, regardless of other concerns.

Thanks,
Gao Xiang