I'm following up on this item mentioned by the CernVM-FS developers.
The concern with the current passthrough interface is that for small
files it may add more overhead than it eliminates.
My suggestion was to simply not use passthrough for small files, but
maybe this deserves a little more thought.
The current interface from the fuse server's point of view is:
backing_fd = open(backing_path, flags);
struct fuse_backing_map map = { .fd = backing_fd };
backing_id = ioctl(devfd, FUSE_DEV_IOC_BACKING_OPEN, &map);
struct fuse_open_out outarg;
outarg.open_flags |= FOPEN_PASSTHROUGH;
outarg.backing_id = backing_id;
[...]
ioctl(devfd, FUSE_DEV_IOC_BACKING_CLOSE, &backing_id);
The question is: can we somehow eliminate the ioctl syscalls. Amir's
original patch optimized away the FUSE_DEV_IOC_BACKING_CLOSE by
transferring the reference to the open file. IIRC this was dropped to
simplify the interface, but I don't see any issues with optionally
adding this back.
The FUSE_DEV_IOC_BACKING_OPEN could also be eliminated when using the
io_uring interface, since that doesn't have the issue that Jann
described (privileged process being tricked to send one of its file
descriptors to fuse with a write(2):
https://lore.kernel.org/all/CAG48ez17uXtjCTa7xpa=JWz3iBbNDQTKO2hvn6PAZtfW3kXgcA@xxxxxxxxxxxxxx/)
AFAICS it's not enough to restrict the backing fd to be an O_PATH or
O_RDONLY fd. That would likely limit the attack but it might still
allow the attacker to gain access to an otherwise inaccessible file
(e.g. file is readable but containing directory is not).
Thanks,
Miklos
