Re: [PATCHSET] FUSE: extend FUSE to support more operations

From: Miklos Szeredi
Date: Thu Nov 13 2008 - 06:20:31 EST

Next message: Arnaldo Carvalho de Melo: "Re: Unix sockets via TCP on localhost: is TCP slower?"
Previous message: Nicolas Ferre: "[PATCH] mmc: atmel-mci: move atmel-mci.h file to include/linux"
In reply to: Tejun Heo: "Re: [PATCHSET] FUSE: extend FUSE to support more operations"
Next in thread: Tejun Heo: "Re: [PATCHSET] FUSE: extend FUSE to support more operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 13 Nov 2008, Tejun Heo wrote:
> Tejun Heo wrote:
> >> I still got qualms about this ioctl thing. One is the security
> >> aspect, but that could be dealt with. The other is that I really
> >> really don't want people to start implementing new custom ioctls for
> >> their filesystems, as I think that way lies madness. We could limit
> >> ioctls to CUSE and that would be fine with me. Or for non-CUSE users
> >> we could enforce the "standard" format where the type and length is
> >> encoded in the command number.
> >
> > For now, I'll limit ioctl to CUSE. Hmmm... Yeah, limiting ioctl to
> > well-formatted ones sounds like a good idea.
> >
> >> I don't have any problems with the iterative way you implemented
> >> ioctls. We just need some additional restrictions to the current
> >> implementation, I think.
>
> I've been thinking about this a bit more. What do you think about
> putting the following restrictions?
>
> 1. FUSE server can only support well-formed ioctls. At the kernel side,
> the interfaces remains the same for both FUSE and CUSE but libfuse only
> exports well-formed ioctl API.
>
> 2. ioctl can only be used by FUSE server running as root (would this be
> necessary? I'm not sure. To me it seems all the necessary protections
> are already there).

Not with '-oallow_other'. Consider the case that the caller invoked a
non well formed ioctl, but since there's no way to know this we
allowed the fuse server to tinker with the caller's address space
_as if_ the ioctl was well formed.

So we should always make sure that the server has enough privilege to
read/write the caller's memory, i.e. it can ptrace the caller.

At this point we could allow any ioctls, not just well formed ones.
But I don't want that for a different reason: if the possibility is
there people will find new "innovative" uses for it and just get
themselves into a big mess.

Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arnaldo Carvalho de Melo: "Re: Unix sockets via TCP on localhost: is TCP slower?"
Previous message: Nicolas Ferre: "[PATCH] mmc: atmel-mci: move atmel-mci.h file to include/linux"
In reply to: Tejun Heo: "Re: [PATCHSET] FUSE: extend FUSE to support more operations"
Next in thread: Tejun Heo: "Re: [PATCHSET] FUSE: extend FUSE to support more operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]