Re: [PATCH 0/3] SG_IO command filtering via sysfs

From: Theodore Y. Ts'o
Date: Sat Nov 10 2018 - 14:05:30 EST

Next message: Giovanni Gherdovich: "Re: [RFC/RFT][PATCH v5] cpuidle: New timer events oriented governor for tickless systems"
Previous message: Willy Tarreau: "Re: Official Linux system wrapper library?"
In reply to: Paolo Bonzini: "[PATCH 1/3] block: add back queue-private command filter"
Next in thread: Paolo Bonzini: "Re: [PATCH 0/3] SG_IO command filtering via sysfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I wonder if a better way of adding SG_IO command filtering is via
eBPF? We are currently carrying a inside Google a patch which allows
a specific of SCSI commands to non-root processes --- if the process
belonged to a particular Unix group id.

It's pretty specific to our use case, in terms of the specific SCSI
commands we want to allow through. I can imagine people wanting
different filters based on the type of the SCSI device, or a HDD's
WWID, not just a group id. For example, this might be useful for
people wanting to do crazy things with containers --- maybe you'd
want to allow container root to send a SANITIZE ERASE command to one
of its exclusively assigned disks, but not to other HDD's.

So having something that's more general than a flat file in sysfs
might be preferable to resurrecting an interface which we would then
after to support forever, even if we come up with a more general
interface.

- Ted

Next message: Giovanni Gherdovich: "Re: [RFC/RFT][PATCH v5] cpuidle: New timer events oriented governor for tickless systems"
Previous message: Willy Tarreau: "Re: Official Linux system wrapper library?"
In reply to: Paolo Bonzini: "[PATCH 1/3] block: add back queue-private command filter"
Next in thread: Paolo Bonzini: "Re: [PATCH 0/3] SG_IO command filtering via sysfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]