[PATCH 1/2] iouring: one capable call per iouring instance
Keith Busch
kbusch at kernel.org
Mon Dec 4 18:57:55 UTC 2023
On Mon, Dec 04, 2023 at 01:40:58PM -0500, Jeff Moyer wrote:
> I added a CC: linux-security-module at vger
> Keith Busch <kbusch at meta.com> writes:
> > From: Keith Busch <kbusch at kernel.org>
> >
> > The uring_cmd operation is often used for privileged actions, so drivers
> > subscribing to this interface check capable() for each command. The
> > capable() function is not fast path friendly for many kernel configs,
> > and this can really harm performance. Stash the capable sys admin
> > attribute in the io_uring context and set a new issue_flag for the
> > uring_cmd interface.
>
> I have a few questions. What privileged actions are performance
> sensitive? I would hope that anything requiring privileges would not
> be in a fast path (but clearly that's not the case).
Protocol specifics that don't have a generic equivalent. For example,
NVMe FDP is reachable only through the uring_cmd and ioctl interfaces,
but you use it like normal reads and writes so has to be as fast as the
generic interfaces.
The same interfaces can be abused, so access needs to be restricted.
> What performance benefits did you measure with this patch set in place
> (and on what workloads)?
Quite a bit. Here's a random read high-depth workload on a single
device test:
Before: 970k IOPs
After: 1750k IOPs
> What happens when a ring fd is passed to another process?
>
> Finally, as Jens mentioned, I would expect dropping priviliges to, you
> know, drop privileges. I don't think a commit message is going to be
> enough documentation for a change like this.
Yeah, point taken.
More information about the Linux-security-module-archive
mailing list