From: Jens Axboe
Date: Tue, 16 Jun 2026 14:36:04 -0600
Subject: Re: Landlock: LANDLOCK_ACCESS_FS_IOCTL_DEV bypass via io_uring IORING_OP_URING_CMD
To: Bryam Vargas, Mickaël Salaün
Cc: Günther Noack, Paul Moore, Keith Busch, Christoph Hellwig,
    Sagi Grimberg, linux-security-module@vger.kernel.org,
    io-uring@vger.kernel.org, linux-block@vger.kernel.org,
    linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
References: <20260616201633.275067-1-hexlabsecurity@proton.me>
In-Reply-To: <20260616201633.275067-1-hexlabsecurity@proton.me>

On 6/16/26 2:16 PM, Bryam Vargas wrote:
> Hello Mickaël, and Landlock / io_uring folks,
>
> A task confined by a Landlock ruleset that grants READ_FILE/WRITE_FILE
> on a block or NVMe character device but withholds
> LANDLOCK_ACCESS_FS_IOCTL_DEV can still reach the device-command
> surface through io_uring IORING_OP_URING_CMD with the IOCTL_DEV check
> bypassed: the request enters the device-command handler (block
> discard, or the NVMe char-device passthrough) where the equivalent
> ioctl(2) is denied. The destructive completion and the NVMe-admin
> surface follow from the code -- see Impact.

I've said this before, but apparently it hasn't been received - this
isn't an io_uring issue. If landlock is missing a hook, then that's on
landlock and they should add it. Other security handlers already have
that.

Hence no need to broadcast this to a bunch of lists, it's strictly a
landlock issue.

-- 
Jens Axboe