Thread (18 messages), 9 authors, 2022-09-01

Re: [PATCH] Docs: ublk: add ublk document

From: Gao Xiang <hidden>
Date: 2022-08-29 03:58:26
Also in: linux-block

On Sun, Aug 28, 2022 at 04:09:11PM +0100, Richard W.M. Jones wrote:

...
+
+ublk driver doesn't handle any IO logic, and its function is well defined
+so far, and very limited userspace interfaces are needed, and each one is
+well defined too, then it is very likely to make ublk device one
+container-ware block device in future, as Stefan Hajnoczi suggested[3], by
+removing ADMIN privilege.
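
Review bot: the closing clause, "by removing ADMIN privilege", names the plan without documenting what would then constrain an unprivileged ublk server. Since the paragraph itself says the driver "doesn't handle any IO logic", every block the kernel reads from the device is supplied by the userspace daemon, so the text should state that trust boundary, or point to where it is described, before presenting the privilege removal as likely. Two wording points in the same paragraph: "container-ware" reads like a typo for "container-aware", and the single "and ... and ... then" sentence would be clearer split in two.
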
> Is it advisable for non-root to be able to create arbitrary /dev devices?
> It sounds like a security nightmare because you're exposing
> potentially any arbitrary, malicious filesystem to the kernel to
> parse.

+1, such malicious daemons can also dynamically update/attack fs metadata
at runtime. I think most current fs corruption tests are for pre-built fs
images but not for runtime attacks via the daemon itself or the network;
unprivileged daemons make life harder for all local fses.

Also, for swap device use cases, malicious unprivileged daemons enlarge
the possibility of corrupting/attacking any anonymous memory (maybe
belonging to privileged processes) on purpose, regardless of other concerns.

Thanks,
Gao Xiang