Cook: Security things in Linux v5.6

[Kernel] Posted Sep 3, 2020 14:20 UTC (Thu) by corbet

Kees Cook catches up with the security-relevant changes in the 5.6 kernel release. "With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming."


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds