Originally posted by doublez13
View Post
Announcement
Collapse
No announcement yet.
Linux 6.6 Will Make It Easy To Disable IO_uring System-Wide
Collapse
X
-
This is an interesting, if belated, first step. However, a sysctl knob does not fix the fact that when io_uring is compiled in, the attack surface is present, and all it takes to access it again, even if it's disabled by the system administrator, is a memory write primitive...
Given the track record for io_uring, and the likelihood of not becoming airtight any time soon (expansion of functionality means expansion of attack surface, which cancels security fixing and hardening work), the default value really should be 1, if not 2. Backwards compatibility concerns will probably prevent the default usage of these settings by most distros... as well as a backport of this patch to all maintained stable releases which contain the io_uring infrastructure. Compatibility and speed are usually ranked higher than security
- Likes 1
Comment
-
Ohh dammit!
So in the name of security, again, one of the best things happening to linux in the async io landscape is... being allowed to be disabled.
I bet that security minded (paranoia) distributions are going to disable this by default.
I hope normal distribution stay away from this new know. Aka, leave it enabled and as-is.
For those midgets that reply with "ohh but i like security" or "i better be safe so disable it please" or anything akin. You are entitled to your opinion, fine, use a distro that suits your views. Continue on.
- Likes 6
Comment
-
So an interesting and proven useful new kernel feature is now being proven to have bugs...
And someone now contributes code to turn off said feature system-wide...
Sounds like the original developers of the useful feature ought to lose not only karma points but soul points over this one. Where is a healer when you need one?
- Likes 2
Comment
-
Originally posted by debrouxl View PostCompatibility and speed are usually ranked higher than security
- Likes 1
Comment
-
Originally posted by debrouxl View PostThis is an interesting, if belated, first step. However, a sysctl knob does not fix the fact that when io_uring is compiled in, the attack surface is present, and all it takes to access it again, even if it's disabled by the system administrator, is a memory write primitive...
Given the track record for io_uring, and the likelihood of not becoming airtight any time soon (expansion of functionality means expansion of attack surface, which cancels security fixing and hardening work), the default value really should be 1, if not 2. Backwards compatibility concerns will probably prevent the default usage of these settings by most distros... as well as a backport of this patch to all maintained stable releases which contain the io_uring infrastructure.
Compatibility and speed are usually ranked higher than security
- Likes 5
Comment
-
Originally posted by debrouxl View PostThis is an interesting, if belated, first step. However, a sysctl knob does not fix the fact that when io_uring is compiled in, the attack surface is present, and all it takes to access it again, even if it's disabled by the system administrator,
Originally posted by debrouxl View PostGiven the track record for io_uring, and the likelihood of not becoming airtight any time soon
Originally posted by debrouxl View Postthe default value really should be 1, if not 2.
- Likes 9
Comment
-
Originally posted by coder View PostI'm getting the sense you're on some sort of jihad to get it expunged from the kernel sources, entirely. I think that's an overreaction. Give it a chance to settle in and see if they can shake out all of the vulnerabilities it hit. Either that, or you need to do a much better job of explaining why it's fundamentally insecure. None of this "guilt by extrapolation" crap.
You personally may be able to poo-poo what's going on, that's fine, but you're only one person and any business that requires a focus on system security via internal policy or regulation is very much concerned about the problems with io_uring and probably already avoiding it by whatever means they can deploy on their systems. The only thing I hope Google remembered to do for the sysctl knob patch is to make it a read-only entry on running kernels.
- Likes 1
Comment
-
Originally posted by stormcrow View PostYou personally may be able to poo-poo what's going on,
As for the idea of compiling it out and having a runtime switch to disable it, that's fair for people who don't feel they can tolerate the risk. The only thing I objected to was disabling it by default.
Originally posted by stormcrow View Postyou're only one person
- Likes 3
Comment
Comment