From: Gil Cukierman <cukie@google.com>
To: Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>
Cc: Gil Cukierman <cukie@google.com>,
kernel-team@android.com, selinux@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v1 2/2] selinux: add support for the io_uring setup permission
Date: Mon, 7 Nov 2022 15:57:53 -0500
Message-ID: <20221107205754.2635439-3-cukie@google.com>
In-Reply-To: <20221107205754.2635439-1-cukie@google.com>
This patch implements a new io_uring permission that controls
access to the io_uring_setup system call. The new permission,
io_uring { setup }, is added to the existing io_uring class.
This is important as it allows users to restrict their attack
surface by limiting which subjects are allowed to retrieve fds
from the kernel that are necessary for the use of all other
io_uring functionality.
Signed-off-by: Gil Cukierman <cukie@google.com>
---
security/selinux/hooks.c | 13 +++++++++++++
security/selinux/include/classmap.h | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f553c370397e..d2becf833a07 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7012,6 +7012,18 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
return avc_has_perm(&selinux_state, current_sid(), isec->sid,
SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
+/**
+ * selinux_uring_setup - check to see if io_uring setup is allowed
+ *
+ * Check to see if the current task is allowed to execute io_uring_setup.
+ */
+static int selinux_uring_setup(void)
+{
+ int sid = current_sid();
+
+ return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING,
+ IO_URING__SETUP, NULL);
+}
#endif /* CONFIG_IO_URING */
/*
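Review bot: the kerneldoc for selinux_uring_setup() should say that this is a self-permission check, i.e. current_sid() is used as both the source and the target SID and no audit data is passed (the NULL last argument), so a denial is reported against the calling domain alone; spelling that out, and noting that it mirrors the way the sqpoll check is done, tells policy writers that the rule they need is of the form `allow <domain> self:io_uring setup;` rather than a rule against some object type.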
@@ -7258,6 +7270,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+ LSM_HOOK_INIT(uring_setup, selinux_uring_setup),
#endif
/*
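Review bot: `LSM_HOOK_INIT(uring_setup, selinux_uring_setup)` references the uring_setup LSM hook that patch 1/2 of this series ("lsm,io_uring: add LSM hook") defines, so this hunk only builds once 1/2 is applied; the commit message should state that dependency explicitly so the two patches are not separated when applied or backported. Placement inside the existing `#ifdef CONFIG_IO_URING` block next to uring_sqpoll and uring_cmd is correct.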
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index a3c380775d41..48da4e7f7d62 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = {
{ "anon_inode",
{ COMMON_FILE_PERMS, NULL } },
{ "io_uring",
- { "override_creds", "sqpoll", "cmd", NULL } },
+ { "override_creds", "sqpoll", "cmd", "setup", NULL } },
{ "user_namespace",
{ "create", NULL } },
{ NULL }
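Review bot: adding "setup" to the existing io_uring class in secclass_map[] changes behaviour for policies built before this permission existed, since such policies do not define io_uring:setup; whether io_uring_setup() is then denied or allowed depends on the policy's handle_unknown setting, and on systems that deny unknown permissions every io_uring user loses access until the policy is updated. The commit message should describe this compatibility impact and give the allow rule a policy needs after the change (for example `allow <domain> self:io_uring setup;`).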
--
2.38.0.135.g90850a2211-goog
Thread overview: 15+ messages
2022-11-07 20:57 [PATCH v1 0/2] Add LSM access controls for io_uring_setup Gil Cukierman
2022-11-07 20:57 ` [PATCH v1 1/2] lsm,io_uring: add LSM hook " Gil Cukierman
2022-11-07 20:57 ` Gil Cukierman [this message]
2022-11-07 21:13 ` [PATCH v1 0/2] Add LSM access controls " Paul Moore
2022-11-10 17:54 ` Jeffrey Vander Stoep
2022-11-10 21:04 ` Paul Moore
2022-11-14 14:31 ` Joel Granados
2022-11-15 5:39 ` Jeffrey Vander Stoep
2023-08-08 20:40 ` Dmytro Maluka
2023-08-09 0:31 ` Paul Moore
2023-08-09 11:21 ` Dmytro Maluka
2023-08-09 14:49 ` Paul Moore
2023-08-09 17:28 ` Dmytro Maluka
2023-08-10 9:08 ` Dmytro Maluka
2023-08-10 12:27 ` Stephen Smalley