Re: optimizing backing file setup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Sep 26, 2024 at 11:30 AM Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
>
> I'm following up on this item mentioned by the CernVM-FS developers.
>
> The concern with the current passthrough interface is that for small
> files it may add more overhead than it eliminates.
>
> My suggestion was to simply not use passthrough for small files, but
> maybe this deserves a little more thought.
>
> The current interface from the fuse server's point of view is:
>
>   backing_fd = open(backing_path, flags);
>   struct fuse_backing_map map = { .fd = backing_fd };
>   backing_id  = ioctl(devfd, FUSE_DEV_IOC_BACKING_OPEN, &map);
>
>   struct fuse_open_out outarg;
>   outarg.open_flags |= FOPEN_PASSTHROUGH;
>   outarg.backing_id = backing_id;
> [...]
>   ioctl(devfd, FUSE_DEV_IOC_BACKING_CLOSE, &backing_id);
>
> The question is: can we somehow eliminate the ioctl syscalls.  Amir's
> original patch optimized away the FUSE_DEV_IOC_BACKING_CLOSE by
> transferring the reference to the open file.  IIRC this was dropped to
> simplify the interface, but I don't see any issues with optionally
> adding this back.

I think it can be workable.

>
> The FUSE_DEV_IOC_BACKING_OPEN could also be eliminated when using the
> io_uring interface, since that doesn't have the issue that Jann
> described (privileged process being tricked to send one of its file
> descriptors to fuse with a write(2):
> https://lore.kernel.org/all/CAG48ez17uXtjCTa7xpa=JWz3iBbNDQTKO2hvn6PAZtfW3kXgcA@xxxxxxxxxxxxxx/)
>
> AFAICS it's not enough to restrict the backing fd to be an O_PATH or
> O_RDONLY fd.  That would likely limit the attack but it might still
> allow the attacker to gain access to an otherwise inaccessible file
> (e.g. file is readable but containing directory is not).

Daniel took a different approach for averting the security issue
in the FUSE BPF patches.
The OPEN response itself was converted to use an ioctl instead of write:
https://lore.kernel.org/linux-fsdevel/20240329015351.624249-6-drosen@xxxxxxxxxx/
as well as the LOOKUP response.

Are there any negative performance or other implications in this approach?

Thanks,
Amir.
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux