All of lore.kernel.org
 help / color / mirror / Atom feed
From: Gabriel Krisman Bertazi <krisman@suse.de>
To: Andres Freund <andres@anarazel.de>
Cc: Jeff Moyer <jmoyer@redhat.com>,
	Matteo Rizzo <matteorizzo@google.com>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	io-uring@vger.kernel.org, axboe@kernel.dk,
	asml.silence@gmail.com, corbet@lwn.net,
	akpm@linux-foundation.org, keescook@chromium.org,
	ribalda@chromium.org, rostedt@goodmis.org, jannh@google.com,
	chenhuacai@kernel.org, gpiccoli@igalia.com,
	ldufour@linux.ibm.com, evn@google.com, poprdi@google.com,
	jordyzomer@google.com
Subject: Re: [PATCH v3 1/1] io_uring: add a sysctl to disable io_uring system-wide
Date: Wed, 09 Aug 2023 14:38:14 -0400	[thread overview]
Message-ID: <87o7jg6oyx.fsf@suse.de> (raw)
In-Reply-To: <20230809150945.abp755qafjhxbmx6@awork3.anarazel.de> (Andres Freund's message of "Wed, 9 Aug 2023 08:09:45 -0700")

Andres Freund <andres@anarazel.de> writes:

> Hi,
>
> Sorry for the delayed response, EINBOXOVERFLOW.
>
> On 2023-07-26 16:02:26 -0400, Jeff Moyer wrote:
>> Andres Freund <andres@anarazel.de> writes:
>> 
>> > Hi,
>> >
>> > On 2023-06-30 15:10:03 +0000, Matteo Rizzo wrote:
>> >> Introduce a new sysctl (io_uring_disabled) which can be either 0, 1,
>> >> or 2. When 0 (the default), all processes are allowed to create io_uring
>> >> instances, which is the current behavior. When 1, all calls to
>> >> io_uring_setup fail with -EPERM unless the calling process has
>> >> CAP_SYS_ADMIN. When 2, calls to io_uring_setup fail with -EPERM
>> >> regardless of privilege.
>> >
>> > Hm, is there a chance that instead of requiring CAP_SYS_ADMIN, a certain group
>> > could be required (similar to hugetlb_shm_group)? Requiring CAP_SYS_ADMIN
>> > could have the unintended consequence of io_uring requiring tasks being run
>> > with more privileges than needed... Or some other more granular way of
>> > granting the right to use io_uring?
>> 
>> That's fine with me, so long as there is still an option to completely
>> disable io_uring.
>
> Makes sense.
>
>
>> > ISTM that it'd be nice if e.g. a systemd service specification could allow
>> > some services to use io_uring, without allowing it for everyone, or requiring
>> > to run services effectively as root.
>> 
>> Do you have a proposal for how that would work?
>
> I think group based permissions would allow for it, even if perhaps not in the
> most beautiful manner. Systemd can configure additional groups for a service
> with SupplementaryGroups, so adding a "io_uring" group or such should
> work.

This is more complex/requires more configuration than just blocking
root/non-root. Also, might not be practical for non-systemd systems, I
suspect. Can we keep the other options in the sysctl io_uring_disabled
as well:

0 -> all allowed (default)
1 -> group based permission
2 -> root only
3 -> all blocked

-- 
Gabriel Krisman Bertazi

  parent reply	other threads:[~2023-08-09 18:38 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-30 15:10 [PATCH v3 0/1] Add a sysctl to disable io_uring system-wide Matteo Rizzo
2023-06-30 15:10 ` [PATCH v3 1/1] io_uring: add " Matteo Rizzo
2023-06-30 15:15   ` Jann Horn
2023-07-26 17:45   ` Andres Freund
2023-07-26 20:02     ` Jeff Moyer
2023-08-09 15:09       ` Andres Freund
2023-08-09 16:45         ` Jens Axboe
2023-08-09 18:38         ` Gabriel Krisman Bertazi [this message]
2023-07-11 20:51 ` [PATCH v3 0/1] Add " Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87o7jg6oyx.fsf@suse.de \
    --to=krisman@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=andres@anarazel.de \
    --cc=asml.silence@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=chenhuacai@kernel.org \
    --cc=corbet@lwn.net \
    --cc=evn@google.com \
    --cc=gpiccoli@igalia.com \
    --cc=io-uring@vger.kernel.org \
    --cc=jannh@google.com \
    --cc=jmoyer@redhat.com \
    --cc=jordyzomer@google.com \
    --cc=keescook@chromium.org \
    --cc=ldufour@linux.ibm.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matteorizzo@google.com \
    --cc=poprdi@google.com \
    --cc=ribalda@chromium.org \
    --cc=rostedt@goodmis.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.