From: Gil Cukierman <cukie@google.com>
To: Jens Axboe <axboe@kernel.dk>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>
Cc: Gil Cukierman <cukie@google.com>,
	kernel-team@android.com, linux-kernel@vger.kernel.org,
	io-uring@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v1 1/2] lsm,io_uring: add LSM hook for io_uring_setup
Date: Mon,  7 Nov 2022 15:57:52 -0500
Message-ID: <20221107205754.2635439-2-cukie@google.com>
In-Reply-To: <20221107205754.2635439-1-cukie@google.com>

This patch allows LSMs to apply security policies that control
access to the io_uring_setup syscall. This is accomplished by
adding a new hook:

int security_uring_setup(void)
Check whether the current task is allowed to call io_uring_setup.

This hook, together with the existing hooks for sharing of file
descriptors and io_uring credentials, allows LSMs to expose
comprehensive controls on the usage of io_uring overall.

Signed-off-by: Gil Cukierman <cukie@google.com>
---
 include/linux/lsm_hook_defs.h | 1 +
 include/linux/lsm_hooks.h     | 3 +++
 include/linux/security.h      | 5 +++++
 io_uring/io_uring.c           | 5 +++++
 security/security.c           | 4 ++++
 5 files changed, 18 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index ec119da1d89b..ffbf29b32a48 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -409,4 +409,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
 LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
 LSM_HOOK(int, 0, uring_sqpoll, void)
 LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+LSM_HOOK(int, 0, uring_setup, void)
 #endif /* CONFIG_IO_URING */
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4ec80b96c22e..bc13a8e664c9 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1589,6 +1589,9 @@
  * @uring_cmd:
  *      Check whether the file_operations uring_cmd is allowed to run.
  *
+ * @uring_setup:
+ *      Check whether the current task is allowed to call io_uring_setup.
+ *
  */
 union security_list_options {
 	#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
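Review bot: the new @uring_setup doc entry should spell out what the hook can and cannot see. It takes no arguments and (per the io_uring.c hunk in this patch) runs before the user-supplied io_uring_params are copied in, so an LSM cannot distinguish setups by flags; SQPOLL remains covered separately by @uring_sqpoll. Stating that here, plus the usual note that a non-zero return is handed straight back to the caller as the syscall's error, would make the semantics unambiguous for LSM authors, e.g. "Return 0 if permission is granted."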
diff --git a/include/linux/security.h b/include/linux/security.h
index ca1b7109c0db..0bba7dd85691 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2069,6 +2069,7 @@ static inline int security_perf_event_write(struct perf_event *event)
 extern int security_uring_override_creds(const struct cred *new);
 extern int security_uring_sqpoll(void);
 extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
+extern int security_uring_setup(void);
 #else
 static inline int security_uring_override_creds(const struct cred *new)
 {
@@ -2082,6 +2083,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
 {
 	return 0;
 }
+static inline int security_uring_setup(void)
+{
+	return 0;
+}
 #endif /* CONFIG_SECURITY */
 #endif /* CONFIG_IO_URING */
 
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 6cc16e39b27f..1456c85648ed 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3574,6 +3574,11 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
 {
 	struct io_uring_params p;
 	int i;
+	int ret;
+
+	ret = security_uring_setup();
+	if (ret)
+		return ret;
 
 	if (copy_from_user(&p, params, sizeof(p)))
 		return -EFAULT;
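Review bot: calling security_uring_setup() ahead of copy_from_user() is the right order from an access-control standpoint, since a task denied by policy gets the LSM's error before any of its parameters are even read; the trade-off is that the hook never sees p.flags, which is worth stating explicitly in the commit message so nobody expects per-flag policy here. Minor style point: the new `int ret;` could be folded into the existing declaration line as `int i, ret;` rather than adding a separate declaration.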
diff --git a/security/security.c b/security/security.c
index 79d82cb6e469..b1bc95df5a5d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2671,4 +2671,8 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
 {
 	return call_int_hook(uring_cmd, 0, ioucmd);
 }
+int security_uring_setup(void)
+{
+	return call_int_hook(uring_setup, 0);
+}
 #endif /* CONFIG_IO_URING */
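Review bot: the wrapper mirrors the existing uring_sqpoll/uring_cmd pattern and the default of 0 in call_int_hook(uring_setup, 0) correctly keeps the hook permissive when no LSM registers it, matching the LSM_HOOK default in lsm_hook_defs.h. A blank line between the closing brace of security_uring_cmd() and the new function would help readability, and a one-line comment noting that a non-zero return aborts io_uring_setup() would document the contract at the point where callers will look for it.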
-- 
2.38.0.135.g90850a2211-goog

