[HN Gopher] Auditing Io_uring
       ___________________________________________________________________
        
       Auditing Io_uring
        
       Author : lukastyrychtr
       Score  : 65 points
       Date   : 2021-06-03 14:56 UTC (8 hours ago)
        
 (HTM) web link (lwn.net)
 (TXT) w3m dump (lwn.net)
        
       | kingvash wrote:
       | > The kernel community has surprisingly few rules regarding the
       | addition of new features like io_uring. ... there is nobody with
       | a checklist making sure that all of the relevant boxes have been
       | marked before a new subsystem can be merged.
       | 
       | This is such a stark difference from the big tech company I work
       | at where there are checklists from the security, privacy,
       | performance, and maintenance teams that have to be satisfied
       | before features can be launched.
        
         | [deleted]
        
       | vp8989 wrote:
       | This reminds me of things like SOX, HIPAA where for any set of
       | compliance/audit requirements there is a layer of people in the
       | middle who always suggest to add all kinds of un-necessary things
       | "just in case" it might be required. These suggestions are based
       | on their interpretation or pre-empting of the compliance process
       | rather than anything that is actually explicitly required.
       | 
       | Why can't the auditors explicitly state what needs to be
       | auditable about io_uring? Instead of guessing and debating.
        
       | xiphias2 wrote:
       | If io_uring weren't such a success story, security
       | researchers wouldn't need to worry about it so much. So I guess
       | the order of things happening is not that big of a problem.
        
         | wyldfire wrote:
         | I don't know if I agree. An attacker may be able to craft a
         | call to io_uring_{setup,enter,etc} even if no call exists in
         | the program under attack. And if io_uring is poorly designed it
         | could result in a privilege escalation or other bad things.
         | 
         | I suppose if it were a completely uninteresting feature it
         | wouldn't end up enabled in most distros' kernel configs.
        
       | [deleted]
        
       | otterley wrote:
       | This seems like one of those things that should be possible to
       | enable by recompiling the kernel, but disabled by default.
       | Tradeoffs are abundant in software features vs. performance, and
       | this isn't really much different. The security-minded user can
       | decide to take the performance hit if they really need to enable
       | auditing. The key is to clearly document how to enable it and to
       | set expectations regarding the performance impact.
        
       | mperham wrote:
       | The subsystem maintainer who merged io_uring dropped the ball.
       | Part of merging any major feature is considering orthogonal
       | concerns like security, logging, etc.
        
         | [deleted]
        
       ___________________________________________________________________
       (page generated 2021-06-03 23:01 UTC)