diff mbox series

[v5.19.y,3/3] Smack: Provide read control for io_uring_cmd

Message ID 166249823441.409408.621539815259290208.stgit@olly (mailing list archive)
State Handled Elsewhere
Delegated to: Paul Moore
Headers show
Series Backport the io_uring/LSM CMD passthrough controls | expand

Commit Message

Paul Moore Sept. 6, 2022, 9:03 p.m. UTC
Backport the following upstream commit into Linux v5.19.y:

    commit dd9373402280cf4715fdc8fd5070f7d039e43511
    Author: Casey Schaufler <casey@schaufler-ca.com>
    Date:   Tue Aug 23 16:46:18 2022 -0700

    Smack: Provide read control for io_uring_cmd

    Limit io_uring "cmd" options to files for which the caller has
    Smack read access. There may be cases where the cmd option may
    be closer to a write access than a read, but there is no way
    to make that determination.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/smack/smack_lsm.c |   32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

Comments

Casey Schaufler Sept. 6, 2022, 9:25 p.m. UTC | #1
On 9/6/2022 2:03 PM, Paul Moore wrote:
> Backport the following upstream commit into Linux v5.19.y:
>
>     commit dd9373402280cf4715fdc8fd5070f7d039e43511
>     Author: Casey Schaufler <casey@schaufler-ca.com>
>     Date:   Tue Aug 23 16:46:18 2022 -0700
>
>     Smack: Provide read control for io_uring_cmd
>
>     Limit io_uring "cmd" options to files for which the caller has
>     Smack read access. There may be cases where the cmd option may
>     be closer to a write access than a read, but there is no way
>     to make that determination.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>  security/smack/smack_lsm.c |   32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 6207762dbdb1..b30e20f64471 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -42,6 +42,7 @@
>  #include <linux/fs_context.h>
>  #include <linux/fs_parser.h>
>  #include <linux/watch_queue.h>
> +#include <linux/io_uring.h>
>  #include "smack.h"
>  
>  #define TRANS_TRUE	"TRUE"
> @@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void)
>  	return -EPERM;
>  }
>  
> +/**
> + * smack_uring_cmd - check on file operations for io_uring
> + * @ioucmd: the command in question
> + *
> + * Make a best guess about whether a io_uring "command" should
> + * be allowed. Use the same logic used for determining if the
> + * file could be opened for read in the absence of better criteria.
> + */
> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
> +{
> +	struct file *file = ioucmd->file;
> +	struct smk_audit_info ad;
> +	struct task_smack *tsp;
> +	struct inode *inode;
> +	int rc;
> +
> +	if (!file)
> +		return -EINVAL;
> +
> +	tsp = smack_cred(file->f_cred);
> +	inode = file_inode(file);
> +
> +	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
> +	smk_ad_setfield_u_fs_path(&ad, file->f_path);
> +	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
> +	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
> +
> +	return rc;
> +}
> +
>  #endif /* CONFIG_IO_URING */
>  
>  struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
> @@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
>  #ifdef CONFIG_IO_URING
>  	LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
>  	LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
> +	LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
>  #endif
>  };
>  
>
diff mbox series

Patch

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6207762dbdb1..b30e20f64471 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -42,6 +42,7 @@ 
 #include <linux/fs_context.h>
 #include <linux/fs_parser.h>
 #include <linux/watch_queue.h>
+#include <linux/io_uring.h>
 #include "smack.h"
 
 #define TRANS_TRUE	"TRUE"
@@ -4739,6 +4740,36 @@  static int smack_uring_sqpoll(void)
 	return -EPERM;
 }
 
+/**
+ * smack_uring_cmd - check on file operations for io_uring
+ * @ioucmd: the command in question
+ *
+ * Make a best guess about whether a io_uring "command" should
+ * be allowed. Use the same logic used for determining if the
+ * file could be opened for read in the absence of better criteria.
+ */
+static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+	struct file *file = ioucmd->file;
+	struct smk_audit_info ad;
+	struct task_smack *tsp;
+	struct inode *inode;
+	int rc;
+
+	if (!file)
+		return -EINVAL;
+
+	tsp = smack_cred(file->f_cred);
+	inode = file_inode(file);
+
+	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+	smk_ad_setfield_u_fs_path(&ad, file->f_path);
+	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
+	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
+
+	return rc;
+}
+
 #endif /* CONFIG_IO_URING */
 
 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
@@ -4896,6 +4927,7 @@  static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
 #ifdef CONFIG_IO_URING
 	LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
 	LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
+	LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
 #endif
 };