From: Bryam Vargas <hexlabsecurity@proton.me>
To: "Günther Noack" <gnoack@google.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
linux-security-module@vger.kernel.org
Subject: Re: Landlock: LANDLOCK_ACCESS_FS_IOCTL_DEV bypass via io_uring IORING_OP_URING_CMD
Date: Thu, 18 Jun 2026 20:11:27 +0000 [thread overview]
Message-ID: <20260618201122.219963-1-hexlabsecurity@proton.me> (raw)
In-Reply-To: <ajPhlNSgUcmBoFcM@google.com>
Günther,
Thanks, and #65 looks right.
On the approach: it's a Landlock-only change either way, both hooks already
exist, so no io_uring core churn.
Coarse (block ring creation) can hang off security_uring_allowed(), the existing
io_uring_setup() gate. That matches the creation-control direction Mickaël raised
-- the socket-creation work he said would suit io_uring too -- and it's a fine
default, since most sandboxes don't need io_uring. One caveat: it overlaps
kernel.io_uring_disabled and a seccomp filter on io_uring_setup, so the
Landlock-specific win is mainly composing it in a ruleset.
Fine-grained (gate device uring_cmd) is the only one that closes the asymmetry I
reported. It uses security_uring_cmd() -- the hook SELinux and Smack already have
and we don't -- and needs no new right: gate device files on the existing
IOCTL_DEV, mirroring hook_file_ioctl_common(). All-or-nothing per device, since
cmd_op is a private number space.
So I'd go coarse-first as you suggest, and keep the uring_cmd gate as the granular
step; it's little code and reuses an existing right. Happy to prototype either
once you and Mickaël settle on the shape; I'll hold until then.
Bryam
prev parent reply other threads:[~2026-06-18 20:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 20:16 Landlock: LANDLOCK_ACCESS_FS_IOCTL_DEV bypass via io_uring IORING_OP_URING_CMD Bryam Vargas
2026-06-16 20:36 ` Jens Axboe
2026-06-17 2:25 ` Bryam Vargas
2026-06-17 2:44 ` Jens Axboe
2026-06-17 14:16 ` Mickaël Salaün
2026-06-17 14:56 ` Jens Axboe
2026-06-17 15:31 ` Günther Noack
2026-06-17 9:47 ` Günther Noack
2026-06-17 23:02 ` Bryam Vargas
2026-06-18 12:16 ` Günther Noack
2026-06-18 20:11 ` Bryam Vargas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618201122.219963-1-hexlabsecurity@proton.me \
--to=hexlabsecurity@proton.me \
--cc=gnoack@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.