On Thu, 13 Nov 2008, Tejun Heo wrote:

quoted text
> Tejun Heo wrote:

> >> I still got qualms about this ioctl thing.  One is the security

> >> aspect, but that could be dealt with.  The other is that I really

> >> really don't want people to start implementing new custom ioctls for

> >> their filesystems, as I think that way lies madness.  We could limit

> >> ioctls to CUSE and that would be fine with me.  Or for non-CUSE users

> >> we could enforce the "standard" format where the type and length is

> >> encoded in the command number.

> >

> > For now, I'll limit ioctl to CUSE.  Hmmm... Yeah, limiting ioctl to

> > well-formatted ones sounds like a good idea.

> >

> >> I don't have any problems with the iterative way you implemented

> >> ioctls.  We just need some additional restrictions to the current

> >> implementation, I think.

>

> I've been thinking about this a bit more.  What do you think about

> putting the following restrictions?

>

> 1. FUSE server can only support well-formed ioctls.  At the kernel side,

> the interfaces remains the same for both FUSE and CUSE but libfuse only

> exports well-formed ioctl API.

>

> 2. ioctl can only be used by FUSE server running as root (would this be

> necessary?  I'm not sure.  To me it seems all the necessary protections

> are already there).

Not with '-oallow_other'.  Consider the case that the caller invoked a

non well formed ioctl, but since there's no way to know this we

allowed the fuse server to tinker with the caller's address space

_as if_ the ioctl was well formed.
So we should always make sure that the server has enough privilege to

read/write the caller's memory, i.e. it can ptrace the caller.
At this point we could allow any ioctls, not just well formed ones.

But I don't want that for a different reason: if the possibility is

there people will find new "innovative" uses for it and just get

themselves into a big mess.
Miklos

--

unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

the body of a message to majordomo@vger.kernel.org

More majordomo info at  http://vger.kernel.org/majordomo-info.html

Please read the FAQ at  http://www.tux.org/lkml/