On Mon, Aug 24, 2020 at 02:28:39PM -0400, Josef Bacik wrote: > On 8/21/20 3:38 AM, Omar Sandoval wrote: > > From: Omar Sandoval <osandov@xxxxxx> > > > > The upcoming RWF_ENCODED operation introduces some security concerns: > > > > 1. Compressed writes will pass arbitrary data to decompression > > algorithms in the kernel. > > 2. Compressed reads can leak truncated/hole punched data. > > > > Therefore, we need to require privilege for RWF_ENCODED. It's not > > possible to do the permissions checks at the time of the read or write > > because, e.g., io_uring submits IO from a worker thread. So, add an open > > flag which requires CAP_SYS_ADMIN. It can also be set and cleared with > > fcntl(). The flag is not cleared in any way on fork or exec; it should > > probably be used with O_CLOEXEC in most cases. > > > > Note that the usual issue that unknown open flags are ignored doesn't > > really matter for O_ALLOW_ENCODED; if the kernel doesn't support > > O_ALLOW_ENCODED, then it doesn't support RWF_ENCODED, either. > > It seemed like you agreed to require O_CLOEXEC to be set when using > O_ALLOW_ENCODED in your last go around, what happened to that? I know I'd > feel better if we had that requirement, and if we aren't I'd like to know > why we can't. Thanks, > > Josef Yup I was still on the fence about it since it's a bit of an awkward requirement, but I'm convinced now that we might as well be safe and require it.
