From: Ric Wheeler <ricwheeler@gmail.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: axboe@kernel.dk, Mike Snitzer <snitzer@redhat.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [Ping^3] Re: [PATCH] sg_io: allow UNMAP and WRITE SAME without CAP_SYS_RAWIO
Date: Thu, 06 Sep 2012 08:08:12 -0400 [thread overview]
Message-ID: <5048922C.20901@gmail.com> (raw)
In-Reply-To: <50488DAD.3030208@redhat.com>
On 09/06/2012 07:49 AM, Paolo Bonzini wrote:
> Il 06/09/2012 13:31, Ric Wheeler ha scritto:
>>>> Both of these commands are destructive. WRITE_SAME (if done without the
>>>> discard bits set) can also take a very long time to be destructive and
>>>> tie up the storage.
>>> FORMAT_UNIT has the same characteristics and yet it is allowed (btw, I
>>> don't think WRITE SAME slowness is limited to the case where a real
>>> write is requested; discarding can be just as slow).
>>>
>>> Also, the two new commands are anyway restricted to programs that have
>>> write access to the disk. If you have read-only access, you won't be
>>> able to issue any destructive command (there is one exception, START
>>> STOP UNIT is allowed even with read-only capability and is somewhat
>>> destructive).
>>>
>>> Honestly, the only reason why these two commands weren't included, is
>>> that the current whitelist is heavily tailored towards CD/DVD burning.
>> I assume that FORMAT_UNIT is for CD/DVD needs - not sure what a S-ATA
>> disk would do with that.
> According to the standard, the translation layer can write a
> user-provided pattern to every sector in the disk. It's an optional
> feature and libata doesn't do that, but it is still possible.
It is not possible today with our stack though, any patch that would change that
would also need to be vetted.
>
>> If it is destructive, we should probably think
>> about how to make it more secure and see how many applications we would
>> break.
> We have filesystem permissions to make it secure. They already do.
>
>>>> I think that restricting them to CAP_SYS_RAWIO seems reasonable - better
>>>> to vet and give the appropriate apps the needed capability than to
>>>> widely open up the safety check?
>>> CAP_SYS_RAWIO is so wide in its scope, that anything that requires it is
>>> insecure.
>> I don't see allowing anyone who can open the device to zero the data as
>> better though :)
> Note: anyone who can open it for writing! And they can just as well
> issue WRITE, it just takes a little more effort than with WRITE SAME. :)
> If you only have read access, you cannot issue WRITE or FORMAT UNIT,
> and with this patch you will not be able to issue WRITE SAME.
>
> I'm all for providing more versatile filters---which can be both
> stricter and looser depending on the configuration than the default.
> For example
> http://www.redhat.com/archives/libvir-list/2012-June/msg00505.html is a
> possible spec for BPF-based filtering of CDBs.
>
> However, the default whitelist (which is all we have for now) should
> provide a reasonable default for a user that already has been granted
> access to the device by the normal access control mechanisms. I believe
> WRITE SAME and UNMAP fit the definition of a reasonable default.
>
> Paolo
This just seems like an argument over whether or not capabilities make sense. In
general, anything as destructive as a single CDB that can kill all of your data
should be tightly controlled.
Pushing more code in the data path is not where we are going - we routinely need
to disable IO scheduling for example when driving IO to high speed/low latency
devices and are actively looking at how to tackle other performance bottlenecks
in the stack.
I don't see a strong reason that our existing scheme (root or CAP_SYS_RAWIO
access) prevents you from doing what you need to do.
Ric
next prev parent reply other threads:[~2012-09-06 12:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-20 16:30 [PATCH] sg_io: allow UNMAP and WRITE SAME without CAP_SYS_RAWIO Paolo Bonzini
2012-08-01 15:53 ` Paolo Bonzini
2012-08-28 11:04 ` Paolo Bonzini
2012-09-05 14:41 ` [Ping^3] " Paolo Bonzini
2012-09-05 20:18 ` Ric Wheeler
2012-09-06 6:31 ` Paolo Bonzini
2012-09-06 11:31 ` Ric Wheeler
2012-09-06 11:49 ` Paolo Bonzini
2012-09-06 12:08 ` Ric Wheeler [this message]
2012-09-06 12:36 ` Paolo Bonzini
2012-09-06 14:20 ` Lukáš Czerner
2012-09-11 16:59 ` Tejun Heo
2012-09-11 17:56 ` Paolo Bonzini
2012-09-11 18:29 ` Tejun Heo
2012-09-11 18:54 ` Paolo Bonzini
2012-09-11 19:13 ` Tejun Heo
2012-09-11 19:24 ` Paolo Bonzini
2012-09-11 20:01 ` Tejun Heo
2012-09-11 21:50 ` Paolo Bonzini
2012-09-11 22:02 ` Tejun Heo
2012-09-11 22:10 ` Paolo Bonzini
2012-09-11 22:13 ` Tejun Heo
2012-09-12 8:05 ` James Bottomley
2012-09-12 8:18 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5048922C.20901@gmail.com \
--to=ricwheeler@gmail.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=pbonzini@redhat.com \
--cc=snitzer@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).