From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
To: linux-kernel@vger.kernel.org
Cc: "Hamza Mahfooz" <hamzamahfooz@linux.microsoft.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jens Axboe" <axboe@kernel.dk>,
"Pavel Begunkov" <asml.silence@gmail.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"Bram Bonné" <brambonne@google.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Christian Göttsche" <cgzones@googlemail.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
linux-security-module@vger.kernel.org, io-uring@vger.kernel.org,
selinux@vger.kernel.org
Subject: [PATCH v3 2/2] lsm,io_uring: add LSM hooks for io_uring_setup()
Date: Mon, 27 Jan 2025 10:57:18 -0500 [thread overview]
Message-ID: <20250127155723.67711-2-hamzamahfooz@linux.microsoft.com> (raw)
In-Reply-To: <20250127155723.67711-1-hamzamahfooz@linux.microsoft.com>
It is desirable to allow LSM to configure accessibility to io_uring
because it is a coarse yet very simple way to restrict access to it. So,
add an LSM for io_uring_allowed() to guard access to io_uring.
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 5 +++++
io_uring/io_uring.c | 2 +-
security/security.c | 12 ++++++++++++
security/selinux/hooks.c | 14 ++++++++++++++
security/selinux/include/classmap.h | 2 +-
6 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index e2f1ce37c41e..9eb313bd0c93 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -455,6 +455,7 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void)
LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+LSM_HOOK(int, 0, uring_allowed, void)
#endif /* CONFIG_IO_URING */
LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
diff --git a/include/linux/security.h b/include/linux/security.h
index 980b6c207cad..3e68f8468a22 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2362,6 +2362,7 @@ static inline int security_perf_event_write(struct perf_event *event)
extern int security_uring_override_creds(const struct cred *new);
extern int security_uring_sqpoll(void);
extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
+extern int security_uring_allowed(void);
#else
static inline int security_uring_override_creds(const struct cred *new)
{
@@ -2375,6 +2376,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
return 0;
}
+extern int security_uring_allowed(void)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index c2d8bd4c2cfc..9df7b3b556ef 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3808,7 +3808,7 @@ static inline int io_uring_allowed(void)
return -EPERM;
allowed_lsm:
- return 0;
+ return security_uring_allowed();
}
SYSCALL_DEFINE2(io_uring_setup, u32, entries,
diff --git a/security/security.c b/security/security.c
index 143561ebc3e8..c9fae447327e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5999,6 +5999,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
return call_int_hook(uring_cmd, ioucmd);
}
+
+/**
+ * security_uring_allowed() - Check if io_uring_setup() is allowed
+ *
+ * Check whether the current task is allowed to call io_uring_setup().
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_uring_allowed(void)
+{
+ return call_int_hook(uring_allowed);
+}
#endif /* CONFIG_IO_URING */
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7b867dfec88b..fb37e87df226 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7137,6 +7137,19 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
return avc_has_perm(current_sid(), isec->sid,
SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
+
+/**
+ * selinux_uring_allowed - check if io_uring_setup() can be called
+ *
+ * Check to see if the current task is allowed to call io_uring_setup().
+ */
+static int selinux_uring_allowed(void)
+{
+ u32 sid = current_sid();
+
+ return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
+ NULL);
+}
#endif /* CONFIG_IO_URING */
static const struct lsm_id selinux_lsmid = {
@@ -7390,6 +7403,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+ LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
#endif
/*
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 03e82477dce9..8a8f3908aac8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = {
{ "perf_event",
{ "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
- { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+ { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
{ "user_namespace", { "create", NULL } },
/* last one */ { NULL, {} }
};
--
2.47.1
next prev parent reply other threads:[~2025-01-27 15:59 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-27 15:57 [PATCH v3 1/2] io_uring: refactor io_uring_allowed() Hamza Mahfooz
2025-01-27 15:57 ` Hamza Mahfooz [this message]
2025-01-27 17:18 ` [PATCH v3 2/2] lsm,io_uring: add LSM hooks for io_uring_setup() Casey Schaufler
2025-01-27 21:23 ` Paul Moore
2025-01-28 0:23 ` Casey Schaufler
2025-01-28 22:35 ` Paul Moore
2025-01-29 0:02 ` Casey Schaufler
2025-01-30 17:15 ` Paul Moore
2025-02-07 21:42 ` Paul Moore
2025-02-07 21:53 ` Hamza Mahfooz
2025-02-07 21:42 ` [PATCH v3 1/2] io_uring: refactor io_uring_allowed() Paul Moore
2025-02-07 21:54 ` Jens Axboe
2025-02-07 22:21 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250127155723.67711-2-hamzamahfooz@linux.microsoft.com \
--to=hamzamahfooz@linux.microsoft.com \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=brambonne@google.com \
--cc=cgzones@googlemail.com \
--cc=io-uring@vger.kernel.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tweek@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox