linux-security-module.vger.kernel.org archive mirror
* [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls
@ 2022-09-06 21:03 Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op Paul Moore
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Paul Moore @ 2022-09-06 21:03 UTC (permalink / raw)
  To: stable
  Cc: Jens Axboe, Luis Chamberlain, Casey Schaufler, selinux,
	linux-security-module

The stable patch merging tools failed to automatically merge the
io_uring/LSM CMD passthrough controls into the stable v5.19.y branch,
so I'm doing the backport manually and submitting them directly to
stable for the next v5.19.y release.  The backport is necessary due
to the reorg/decomposition of the io_uring code in io_uring/ during
the v5.19->v6.0 merge window.  Other than the differences in the
filenames under io_uring, the code changes are pretty much the same.

I've done some basic sanity testing this afternoon with these
patches and everything looks good to me.

If you would prefer to pull these directly from a git tree instead
of email, they are available via the LSM tree on the stable-5.19
branch, using the lsm-pr-20220906 tag.

  git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
        lsm-pr-20220906

---

Paul Moore (3):
      lsm,io_uring: add LSM hooks for the new uring_cmd file op
      selinux: implement the security_uring_cmd() LSM hook
      Smack: Provide read control for io_uring_cmd


 include/linux/lsm_hook_defs.h       |  1 +
 include/linux/lsm_hooks.h           |  3 +++
 include/linux/security.h            |  5 +++++
 io_uring/io_uring.c                 |  4 ++++
 security/security.c                 |  4 ++++
 security/selinux/hooks.c            | 24 ++++++++++++++++++++++
 security/selinux/include/classmap.h |  2 +-
 security/smack/smack_lsm.c          | 32 +++++++++++++++++++++++++++++
 8 files changed, 74 insertions(+), 1 deletion(-)


* [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op
  2022-09-06 21:03 [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Paul Moore
@ 2022-09-06 21:03 ` Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook Paul Moore
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2022-09-06 21:03 UTC (permalink / raw)
  To: stable
  Cc: Jens Axboe, Luis Chamberlain, Casey Schaufler, selinux,
	linux-security-module

Backport the following upstream commit into Linux v5.19.y:

    commit 2a5840124009f133bd09fd855963551fb2cefe22
    Author: Luis Chamberlain <mcgrof@kernel.org>
    Date:   Fri Jul 15 12:16:22 2022 -0700

    lsm,io_uring: add LSM hooks for the new uring_cmd file op

    io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
    add infrastructure for uring-cmd"), this extended the struct
    file_operations to allow a new command which each subsystem can use
    to enable command passthrough. Add an LSM specific for the command
    passthrough which enables LSMs to inspect the command details.

    This was discussed long ago without no clear pointer for something
    conclusive, so this enables LSMs to at least reject this new file
    operation.

    [0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/lsm_hook_defs.h |    1 +
 include/linux/lsm_hooks.h     |    3 +++
 include/linux/security.h      |    5 +++++
 io_uring/io_uring.c           |    4 ++++
 security/security.c           |    4 ++++
 5 files changed, 17 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index eafa1d2489fd..4e94755098f1 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
 #ifdef CONFIG_IO_URING
 LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
 LSM_HOOK(int, 0, uring_sqpoll, void)
+LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
 #endif /* CONFIG_IO_URING */
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 91c8146649f5..b681cfce6190 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1575,6 +1575,9 @@
  *      Check whether the current task is allowed to spawn a io_uring polling
  *      thread (IORING_SETUP_SQPOLL).
  *
+ * @uring_cmd:
+ *      Check whether the file_operations uring_cmd is allowed to run.
+ *
  */
 union security_list_options {
 	#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
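
Review bot: The new @uring_cmd kernel-doc entry says what is checked but
not what the hook receives or how it denies. Suggest adding a line that
describes @ioucmd (the io_uring command structure, per the prototype in
lsm_hook_defs.h) and a line stating that 0 means the command may run, so
LSM authors know what they can inspect.
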
diff --git a/include/linux/security.h b/include/linux/security.h
index 7fc4e9f49f54..3cc127bb5bfd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2051,6 +2051,7 @@ static inline int security_perf_event_write(struct perf_event *event)
 #ifdef CONFIG_SECURITY
 extern int security_uring_override_creds(const struct cred *new);
 extern int security_uring_sqpoll(void);
+extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
 #else
 static inline int security_uring_override_creds(const struct cred *new)
 {
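
Review bot: The extern prototype takes struct io_uring_cmd *, but nothing
in the security.h hunks of this patch adds a forward declaration or an
include for that type. If v5.19.y does not already declare it ahead of
this point, the type is scoped to the parameter list and the compiler
warns; a "struct io_uring_cmd;" forward declaration in this header would
make the prototype and the !CONFIG_SECURITY stub independent of include
order.
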
@@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(void)
 {
 	return 0;
 }
+static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+	return 0;
+}
 #endif /* CONFIG_SECURITY */
 #endif /* CONFIG_IO_URING */
 
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index cd155b7e1346..c5208dca18fa 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
 	if (!req->file->f_op->uring_cmd)
 		return -EOPNOTSUPP;
 
+	ret = security_uring_cmd(ioucmd);
+	if (ret)
+		return ret;
+
 	if (ctx->flags & IORING_SETUP_SQE128)
 		issue_flags |= IO_URING_F_SQE128;
 	if (ctx->flags & IORING_SETUP_CQE32)
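
Review bot: The added call uses ret and ioucmd, and neither is declared
in the visible context of io_uring_cmd(). The cover letter says this
series was applied by hand because the file layout under io_uring/
differs, so please confirm both locals exist in the v5.19.y function
body. The position is otherwise sound: the hook runs after the
-EOPNOTSUPP check and before the SQE128/CQE32 flag setup, so a denial
returns early.
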
diff --git a/security/security.c b/security/security.c
index 188b8f782220..8b62654ff3f9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void)
 {
 	return call_int_hook(uring_sqpoll, 0);
 }
+int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+	return call_int_hook(uring_cmd, 0, ioucmd);
+}
 #endif /* CONFIG_IO_URING */
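
Review bot: security_uring_cmd() starts on the line directly after the
closing brace of security_uring_sqpoll(), with no blank line between the
two functions; add one. The 0 passed to call_int_hook() matches the 0
default given in the LSM_HOOK() definition in lsm_hook_defs.h, which is
consistent.
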



* [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
  2022-09-06 21:03 [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op Paul Moore
@ 2022-09-06 21:03 ` Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd Paul Moore
  2022-09-11 11:36 ` [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Greg KH
  3 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2022-09-06 21:03 UTC (permalink / raw)
  To: stable
  Cc: Jens Axboe, Luis Chamberlain, Casey Schaufler, selinux,
	linux-security-module

Backport the following upstream commit into Linux v5.19.y:

    commit f4d653dcaa4e4056e1630423e6a8ece4869b544f
    Author: Paul Moore <paul@paul-moore.com>
    Date:   Wed Aug 10 15:55:36 2022 -0400

    selinux: implement the security_uring_cmd() LSM hook

    Add a SELinux access control for the iouring IORING_OP_URING_CMD
    command.  This includes the addition of a new permission in the
    existing "io_uring" object class: "cmd".  The subject of the new
    permission check is the domain of the process requesting access, the
    object is the open file which points to the device/file that is the
    target of the IORING_OP_URING_CMD operation.  A sample policy rule
    is shown below:

      allow <domain> <file>:io_uring { cmd };

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/selinux/hooks.c            |   24 ++++++++++++++++++++++++
 security/selinux/include/classmap.h |    2 +-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1bbd53321d13..e90dfa36f79a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
 #include <uapi/linux/mount.h>
 #include <linux/fsnotify.h>
 #include <linux/fanotify.h>
+#include <linux/io_uring.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -6990,6 +6991,28 @@ static int selinux_uring_sqpoll(void)
 	return avc_has_perm(&selinux_state, sid, sid,
 			    SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
 }
+
+/**
+ * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
+ * @ioucmd: the io_uring command structure
+ *
+ * Check to see if the current domain is allowed to execute an
+ * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
+ *
+ */
+static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+	struct file *file = ioucmd->file;
+	struct inode *inode = file_inode(file);
+	struct inode_security_struct *isec = selinux_inode(inode);
+	struct common_audit_data ad;
+
+	ad.type = LSM_AUDIT_DATA_FILE;
+	ad.u.file = file;
+
+	return avc_has_perm(&selinux_state, current_sid(), isec->sid,
+			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
+}
 #endif /* CONFIG_IO_URING */
 
 /*
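
Review bot: selinux_uring_cmd() passes ioucmd->file straight to
file_inode() with no NULL check, while smack_uring_cmd() in patch 3/3
returns -EINVAL when the file is NULL. The two hooks should agree on
whether the caller guarantees a file: either add the check here or drop
it in Smack, and state the guarantee in the kernel-doc. The kernel-doc
block also ends with an empty " *" line and has no description of the
return value.
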
@@ -7234,6 +7257,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 #ifdef CONFIG_IO_URING
 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
+	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
 #endif
 
 	/*
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index ff757ae5f253..1c2f41ff4e55 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = {
 	{ "anon_inode",
 	  { COMMON_FILE_PERMS, NULL } },
 	{ "io_uring",
-	  { "override_creds", "sqpoll", NULL } },
+	  { "override_creds", "sqpoll", "cmd", NULL } },
 	{ NULL }
   };
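
Review bot: The commit message should say how IORING_OP_URING_CMD is
treated on systems whose loaded policy does not yet define the "cmd"
permission added to the "io_uring" class here, because a stable update
turns the check on without any policy change. Appending "cmd" after
"sqpoll" does keep the order of the existing permissions intact.
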
 



* [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd
  2022-09-06 21:03 [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op Paul Moore
  2022-09-06 21:03 ` [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook Paul Moore
@ 2022-09-06 21:03 ` Paul Moore
  2022-09-06 21:25   ` Casey Schaufler
  2022-09-11 11:36 ` [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Greg KH
  3 siblings, 1 reply; 6+ messages in thread
From: Paul Moore @ 2022-09-06 21:03 UTC (permalink / raw)
  To: stable
  Cc: Jens Axboe, Luis Chamberlain, Casey Schaufler, selinux,
	linux-security-module

Backport the following upstream commit into Linux v5.19.y:

    commit dd9373402280cf4715fdc8fd5070f7d039e43511
    Author: Casey Schaufler <casey@schaufler-ca.com>
    Date:   Tue Aug 23 16:46:18 2022 -0700

    Smack: Provide read control for io_uring_cmd

    Limit io_uring "cmd" options to files for which the caller has
    Smack read access. There may be cases where the cmd option may
    be closer to a write access than a read, but there is no way
    to make that determination.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/smack/smack_lsm.c |   32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6207762dbdb1..b30e20f64471 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -42,6 +42,7 @@
 #include <linux/fs_context.h>
 #include <linux/fs_parser.h>
 #include <linux/watch_queue.h>
+#include <linux/io_uring.h>
 #include "smack.h"
 
 #define TRANS_TRUE	"TRUE"
@@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void)
 	return -EPERM;
 }
 
+/**
+ * smack_uring_cmd - check on file operations for io_uring
+ * @ioucmd: the command in question
+ *
+ * Make a best guess about whether a io_uring "command" should
+ * be allowed. Use the same logic used for determining if the
+ * file could be opened for read in the absence of better criteria.
+ */
+static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+	struct file *file = ioucmd->file;
+	struct smk_audit_info ad;
+	struct task_smack *tsp;
+	struct inode *inode;
+	int rc;
+
+	if (!file)
+		return -EINVAL;
+
+	tsp = smack_cred(file->f_cred);
+	inode = file_inode(file);
+
+	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+	smk_ad_setfield_u_fs_path(&ad, file->f_path);
+	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
+	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
+
+	return rc;
+}
+
 #endif /* CONFIG_IO_URING */
 
 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
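
Review bot: smack_uring_cmd() takes the subject from file->f_cred, the
credentials the file was opened with, not from the task issuing the
command, so a descriptor passed to a differently labelled task is still
checked against the opener's label. The SELinux hook in patch 2/3 uses
current_sid() for the same decision. If checking the opener is intended,
say so in the kernel-doc next to the "best guess" wording; otherwise the
subject should come from the current task.
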
@@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
 #ifdef CONFIG_IO_URING
 	LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
 	LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
+	LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
 #endif
 };
 



* Re: [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd
  2022-09-06 21:03 ` [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd Paul Moore
@ 2022-09-06 21:25   ` Casey Schaufler
  0 siblings, 0 replies; 6+ messages in thread
From: Casey Schaufler @ 2022-09-06 21:25 UTC (permalink / raw)
  To: Paul Moore, stable
  Cc: Jens Axboe, Luis Chamberlain, selinux, linux-security-module

On 9/6/2022 2:03 PM, Paul Moore wrote:
> Backport the following upstream commit into Linux v5.19.y:
>
>     commit dd9373402280cf4715fdc8fd5070f7d039e43511
>     Author: Casey Schaufler <casey@schaufler-ca.com>
>     Date:   Tue Aug 23 16:46:18 2022 -0700
>
>     Smack: Provide read control for io_uring_cmd
>
>     Limit io_uring "cmd" options to files for which the caller has
>     Smack read access. There may be cases where the cmd option may
>     be closer to a write access than a read, but there is no way
>     to make that determination.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  security/smack/smack_lsm.c |   32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 6207762dbdb1..b30e20f64471 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -42,6 +42,7 @@
>  #include <linux/fs_context.h>
>  #include <linux/fs_parser.h>
>  #include <linux/watch_queue.h>
> +#include <linux/io_uring.h>
>  #include "smack.h"
>  
>  #define TRANS_TRUE	"TRUE"
> @@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void)
>  	return -EPERM;
>  }
>  
> +/**
> + * smack_uring_cmd - check on file operations for io_uring
> + * @ioucmd: the command in question
> + *
> + * Make a best guess about whether a io_uring "command" should
> + * be allowed. Use the same logic used for determining if the
> + * file could be opened for read in the absence of better criteria.
> + */
> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
> +{
> +	struct file *file = ioucmd->file;
> +	struct smk_audit_info ad;
> +	struct task_smack *tsp;
> +	struct inode *inode;
> +	int rc;
> +
> +	if (!file)
> +		return -EINVAL;
> +
> +	tsp = smack_cred(file->f_cred);
> +	inode = file_inode(file);
> +
> +	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
> +	smk_ad_setfield_u_fs_path(&ad, file->f_path);
> +	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
> +	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
> +
> +	return rc;
> +}
> +
>  #endif /* CONFIG_IO_URING */
>  
>  struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
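
Review bot: The kernel-doc above smack_uring_cmd() calls the MAY_READ
check a best guess but leaves out what the commit message admits: a
command that behaves more like a write is allowed with read access only.
Suggest carrying that sentence into the comment so the limitation is
visible to someone reading smack_lsm.c without the git history.
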
> @@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
>  #ifdef CONFIG_IO_URING
>  	LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
>  	LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
> +	LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
>  #endif
>  };
>  
>


* Re: [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls
  2022-09-06 21:03 [v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls Paul Moore
                   ` (2 preceding siblings ...)
  2022-09-06 21:03 ` [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd Paul Moore
@ 2022-09-11 11:36 ` Greg KH
  3 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2022-09-11 11:36 UTC (permalink / raw)
  To: Paul Moore
  Cc: stable, Jens Axboe, Luis Chamberlain, Casey Schaufler, selinux,
	linux-security-module

On Tue, Sep 06, 2022 at 05:03:36PM -0400, Paul Moore wrote:
> The stable patch merging tools failed to automatically merge the
> io_uring/LSM CMD passthrough controls into the stable v5.19.y branch,
> so I'm doing the backport manually and submitting them directly to
> stable for the next v5.19.y release.  The backport is necessary due
> to the reorg/decomposition of the io_uring code in io_uring/ during
> the v5.19->v6.0 merge window.  Other than the differences in the
> filenames under io_uring, the code changes are pretty much the same.
> 
> I've done some basic sanity testing this afternoon with these
> patches and everything looks good to me.
> 
> If you would prefer to pull these directly from a git tree instead
> of email, they are available via the LSM tree on the stable-5.19
> branch, using the lsm-pr-20220906 tag.
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
>         lsm-pr-20220906
> 

Now queued up, thanks.  Note, you dropped the original signed-off-by of
the original commits, which I had to add back by hand :(

greg k-h
