Am 09.01.20 um 22:31 schrieb Jens Axboe: > On 1/9/20 3:40 AM, Stefan Metzmacher wrote: >>>> I'm sorry, but I'm still unsure we're talking about the same thing >>>> (or maybe I'm missing some basics here). >>>> >>>> My understanding of the io_uring_enter() is that it will execute as much >>>> non-blocking calls as it can without switching to any other kernel thread. >>> >>> Correct, any SQE that we can do without switching, we will. >>> >>>> And my fear is that openat will use get_current_cred() instead of >>>> ctx->creds. >>> >>> OK, I think I follow your concern. So you'd like to setup the rings from >>> a _different_ user, and then later on use it for submission for SQEs that >>> a specific user. So sort of the same as our initial discussion, except >>> the mapping would be static. The difference being that you might setup >>> the ring from a different user than the user that would be submitting IO >>> on it? >> >> Our current (much simplified here) flow is this: >> >> # we start as root >> seteuid(0);setegid(0);setgroups()... >> ... >> # we become the user555 and >> # create our desired credential token >> seteuid(555); seteguid(555); setgroups()... >> # Start an openat2 on behalf of user555 >> openat2() >> # we unbecome the user again and run as root >> seteuid(0);setegid(0); setgroups()... >> ... >> # we become the user444 and >> # create our desired credential token >> seteuid(444); seteguid(444); setgroups()... >> # Start an openat2 on behalf of user444 >> openat2() >> # we unbecome the user again and run as root >> seteuid(0);setegid(0); setgroups()... >> ... >> # we become the user555 and >> # create our desired credential token >> seteuid(555); seteguid(555); setgroups()... >> # Start an openat2 on behalf of user555 >> openat2() >> # we unbecome the user again and run as root >> seteuid(0);setegid(0); setgroups()... >> >> It means we have to do about 7 syscalls in order >> to open a file on behalf of a user. >> (In reality we cache things and avoid set*id() >> calls most of the time, but I want to demonstrate the >> simplified design here) >> >> With io_uring I'd like to use a flow like this: >> >> # we start as root >> seteuid(0);setegid(0);setgroups()... >> ... >> # we become the user444 and >> # create our desired credential token >> seteuid(444); seteguid(444); setgroups()... >> # we snapshot the credentials to the new ring for user444 >> ring444 = io_uring_setup() >> # we unbecome the user again and run as root >> seteuid(0);setegid(0);setgroups()... >> ... >> # we become the user555 and >> # create our desired credential token >> seteuid(555); seteguid(555); setgroups()... >> # we snapshot the credentials to the new ring for user555 >> ring555 = io_uring_setup() >> # we unbecome the user again and run as root >> seteuid(0);setegid(0);setgroups()... >> ... >> # Start an openat2 on behalf of user555 >> io_uring_enter(ring555, OP_OPENAT2...) >> ... >> # Start an openat2 on behalf of user444 >> io_uring_enter(ring444, OP_OPENAT2...) >> ... >> # Start an openat2 on behalf of user555 >> io_uring_enter(ring555, OP_OPENAT2...) >> >> So instead of constantly doing 7 syscalls per open, >> we would be down to just at most one. And I would assume >> that io_uring_enter() would do the temporary credential switch >> for me also in the non-blocking case. > > OK, thanks for spelling the use case out, makes it easier to understand > what you need in terms of what we currently can't do. > >>> If so, then we do need something to support that, probably an >>> IORING_REGISTER_CREDS or similar. This would allow you to replace the >>> creds you currently have in ctx->creds with whatever new one. >> >> I don't want to change ctx->creds, but I want it to be used consistently. >> >> What I think is missing is something like this: >> >> diff --git a/fs/io_uring.c b/fs/io_uring.c >> index 32aee149f652..55dbb154915a 100644 >> --- a/fs/io_uring.c >> +++ b/fs/io_uring.c >> @@ -6359,10 +6359,27 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, >> fd, u32, to_submit, >> struct mm_struct *cur_mm; >> >> mutex_lock(&ctx->uring_lock); >> + if (current->mm != ctx->sqo_mm) { >> + // TODO: somthing like this... >> + restore_mm = current->mm; >> + use_mm(ctx->sqo_mm); >> + } >> /* already have mm, so io_submit_sqes() won't try to >> grab it */ >> cur_mm = ctx->sqo_mm; >> + if (current_cred() != ctx->creds) { >> + // TODO: somthing like this... >> + restore_cred = override_creds(ctx->creds); >> + } >> submitted = io_submit_sqes(ctx, to_submit, f.file, fd, >> &cur_mm, false); >> + if (restore_cred != NULL) { >> + revert_creds(restore_cred); >> + } >> + if (restore_mm != NULL) { >> + // TODO: something like this... >> + unuse_mm(ctx->sqo_mm); >> + use_mm(restore_mm); >> + } >> mutex_unlock(&ctx->uring_lock); >> >> if (submitted != to_submit) >> >> I'm not sure if current->mm is needed, I just added it for completeness >> and as hint that io_op_defs[req->opcode].needs_mm is there and a >> needs_creds could also be added (if it helps with performance) >> >> Is it possible to trigger a change of current->mm from userspace? >> >> An IORING_REGISTER_CREDS would only be useful if it's possible to >> register a set of credentials and then use per io_uring_sqe credentials. >> That would also be fine for me, but I'm not sure it's needed for now. > > I think it'd be a cleaner way of doing the same thing as your patch > does. It seems a little odd to do this by default (having the ring > change personalities depending on who's using it), but from an opt-in > point of view, I think it makes more sense. > > That would make the IORING_REGISTER_ call something like > IORING_REGISTER_ADOPT_OWNER or something like that, meaning that the > ring would just assume the identify of the task that's calling > io_uring_enter(). > > Note that this also has to be passed through to the io-wq handler, as > the mappings there are currently static as well. What's the next step here? I think the current state is a security problem! The inline execution either needs to change the creds temporary or io_uring_enter() needs a general check that the current creds match the creds of the ring and return -EPERM or something similar. Thanks! metze
Attachment:
signature.asc
Description: OpenPGP digital signature