From: Paul Moore <paul@paul-moore.com>
To: stable@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>,
Luis Chamberlain <mcgrof@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
selinux@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op
Date: Tue, 06 Sep 2022 17:03:42 -0400 [thread overview]
Message-ID: <166249822248.409408.10261922549346984289.stgit@olly> (raw)
In-Reply-To: <166249766105.409408.12118839467847524983.stgit@olly>
Backport the following upstream commit into Linux v5.19.y:
commit 2a5840124009f133bd09fd855963551fb2cefe22
Author: Luis Chamberlain <mcgrof@kernel.org>
Date: Fri Jul 15 12:16:22 2022 -0700
lsm,io_uring: add LSM hooks for the new uring_cmd file op
io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
add infrastructure for uring-cmd"), this extended the struct
file_operations to allow a new command which each subsystem can use
to enable command passthrough. Add an LSM specific for the command
passthrough which enables LSMs to inspect the command details.
This was discussed long ago without no clear pointer for something
conclusive, so this enables LSMs to at least reject this new file
operation.
[0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/lsm_hooks.h | 3 +++
include/linux/security.h | 5 +++++
io_uring/io_uring.c | 4 ++++
security/security.c | 4 ++++
5 files changed, 17 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index eafa1d2489fd..4e94755098f1 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
#ifdef CONFIG_IO_URING
LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void)
+LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 91c8146649f5..b681cfce6190 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1575,6 +1575,9 @@
* Check whether the current task is allowed to spawn a io_uring polling
* thread (IORING_SETUP_SQPOLL).
*
+ * @uring_cmd:
+ * Check whether the file_operations uring_cmd is allowed to run.
+ *
*/
union security_list_options {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
diff --git a/include/linux/security.h b/include/linux/security.h
index 7fc4e9f49f54..3cc127bb5bfd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2051,6 +2051,7 @@ static inline int security_perf_event_write(struct perf_event *event)
#ifdef CONFIG_SECURITY
extern int security_uring_override_creds(const struct cred *new);
extern int security_uring_sqpoll(void);
+extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
#else
static inline int security_uring_override_creds(const struct cred *new)
{
@@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(void)
{
return 0;
}
+static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index cd155b7e1346..c5208dca18fa 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
if (!req->file->f_op->uring_cmd)
return -EOPNOTSUPP;
+ ret = security_uring_cmd(ioucmd);
+ if (ret)
+ return ret;
+
if (ctx->flags & IORING_SETUP_SQE128)
issue_flags |= IO_URING_F_SQE128;
if (ctx->flags & IORING_SETUP_CQE32)
diff --git a/security/security.c b/security/security.c
index 188b8f782220..8b62654ff3f9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void)
{
return call_int_hook(uring_sqpoll, 0);
}
+int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+ return call_int_hook(uring_cmd, 0, ioucmd);
+}
#endif /* CONFIG_IO_URING */
next prev parent reply other threads:[~2022-09-06 21:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 21:03 [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Paul Moore
2022-09-06 21:03 ` Paul Moore [this message]
2022-09-06 21:03 ` [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook Paul Moore
2022-09-06 21:03 ` [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd Paul Moore
2022-09-06 21:25 ` Casey Schaufler
2022-09-11 11:36 ` [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=166249822248.409408.10261922549346984289.stgit@olly \
--to=paul@paul-moore.com \
--cc=axboe@kernel.dk \
--cc=casey@schaufler-ca.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox