From: Gabriel Krisman Bertazi
To: Andres Freund
Cc: Jeff Moyer, Matteo Rizzo, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, axboe@kernel.dk, asml.silence@gmail.com, corbet@lwn.net, akpm@linux-foundation.org, keescook@chromium.org, ribalda@chromium.org, rostedt@goodmis.org, jannh@google.com, chenhuacai@kernel.org, gpiccoli@igalia.com, ldufour@linux.ibm.com, evn@google.com, poprdi@google.com, jordyzomer@google.com
Subject: Re: [PATCH v3 1/1] io_uring: add a sysctl to disable io_uring system-wide
In-Reply-To: <20230809150945.abp755qafjhxbmx6@awork3.anarazel.de> (Andres Freund's message of "Wed, 9 Aug 2023 08:09:45 -0700")
References: <20230630151003.3622786-1-matteorizzo@google.com> <20230630151003.3622786-2-matteorizzo@google.com> <20230726174549.cg4jgx2d33fom4rb@awork3.anarazel.de> <20230809150945.abp755qafjhxbmx6@awork3.anarazel.de>
Date: Wed, 09 Aug 2023 14:38:14 -0400
Message-ID: <87o7jg6oyx.fsf@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Andres Freund writes:

> Hi,
>
> Sorry for the delayed response, EINBOXOVERFLOW.
>
> On 2023-07-26 16:02:26 -0400, Jeff Moyer wrote:
>> Andres Freund writes:
>>
>> > Hi,
>> >
>> > On 2023-06-30 15:10:03 +0000, Matteo Rizzo wrote:
>> >> Introduce a new sysctl (io_uring_disabled) which can be either 0, 1,
>> >> or 2. When 0 (the default), all processes are allowed to create io_uring
>> >> instances, which is the current behavior. When 1, all calls to
>> >> io_uring_setup fail with -EPERM unless the calling process has
>> >> CAP_SYS_ADMIN. When 2, calls to io_uring_setup fail with -EPERM
>> >> regardless of privilege.
>> >
>> > Hm, is there a chance that instead of requiring CAP_SYS_ADMIN, a certain group
>> > could be required (similar to hugetlb_shm_group)? Requiring CAP_SYS_ADMIN
>> > could have the unintended consequence of io_uring requiring tasks being run
>> > with more privileges than needed... Or some other more granular way of
>> > granting the right to use io_uring?
>>
>> That's fine with me, so long as there is still an option to completely
>> disable io_uring.
>
> Makes sense.
>
>
>> > ISTM that it'd be nice if e.g. a systemd service specification could allow
>> > some services to use io_uring, without allowing it for everyone, or requiring
>> > to run services effectively as root.
>>
>> Do you have a proposal for how that would work?
>
> I think group based permissions would allow for it, even if perhaps not in the
> most beautiful manner. Systemd can configure additional groups for a service
> with SupplementaryGroups, so adding a "io_uring" group or such should
> work.

This is more complex/requires more configuration than just blocking
root/non-root. Also, might not be practical for non-systemd systems, I
suspect. Can we keep the other options in the sysctl io_uring_disabled
as well:

0 -> all allowed (default)
1 -> group based permission
2 -> root only
3 -> all blocked

-- 
Gabriel Krisman Bertazi
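
Added example (not part of the original message, and not kernel code): a user-space C model of the four-value io_uring_disabled scheme proposed above, showing which callers would get -EPERM from io_uring_setup in each mode. The gid 990, the caller descriptions and the function names are constructed for illustration, and letting CAP_SYS_ADMIN pass in the group-based mode is an assumption the thread does not settle.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* The four values proposed in the reply above (a proposal, not a merged ABI). */
enum { ALL_ALLOWED = 0, GROUP_BASED = 1, ROOT_ONLY = 2, ALL_BLOCKED = 3 };
#define IO_URING_GID ((gid_t)990)   /* constructed gid for an "io_uring" group */

/* Hypothetical view of the calling task, as the check would see it. */
struct caller {
    const char  *name;
    bool         cap_sys_admin;
    const gid_t *groups;            /* primary + supplementary gids */
    size_t       ngroups;
};

static bool in_group(const struct caller *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* true: io_uring_setup would proceed; false: it would fail with -EPERM. */
bool io_uring_setup_allowed(int mode, const struct caller *c, gid_t allowed)
{
    switch (mode) {
    case ALL_ALLOWED: return true;
    case GROUP_BASED: /* assumption: CAP_SYS_ADMIN also passes here */
        return c->cap_sys_admin || in_group(c, allowed);
    case ROOT_ONLY:   return c->cap_sys_admin;
    default:          return false;  /* ALL_BLOCKED, unknown values fail closed */
    }
}

/* Constructed callers: a service given the group, a plain user, an admin. */
static const gid_t svc_g[] = {1000, 990}, usr_g[] = {1000}, adm_g[] = {0};
static const struct caller service  = {"service",  false, svc_g, 2};
static const struct caller ordinary = {"ordinary", false, usr_g, 1};
static const struct caller admin    = {"admin",    true,  adm_g, 1};

int main(void)
{
    const struct caller *all[] = {&service, &ordinary, &admin};
    for (int mode = ALL_ALLOWED; mode <= ALL_BLOCKED; mode++)
        for (size_t i = 0; i < 3; i++)
            printf("mode %d %-8s %d\n", mode, all[i]->name, io_uring_setup_allowed(mode, all[i], IO_URING_GID));
    return 0;
}
```

In the group-based mode the service passes with no capability at all, which is the least-privilege outcome asked for earlier in the thread; in the root-only mode the same service would need CAP_SYS_ADMIN.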