@@ -7012,6 +7012,18 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
return avc_has_perm(&selinux_state, current_sid(), isec->sid,
SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
+/**
+ * selinux_uring_setup - check to see if io_uring setup is allowed
+ *
+ * Check to see if the current task is allowed to execute io_uring_setup.
+ */
+static int selinux_uring_setup(void)
+{
+ int sid = current_sid();
+
+ return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING,
+ IO_URING__SETUP, NULL);
+}
#endif /* CONFIG_IO_URING */
/*
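Review bot: `int sid = current_sid();` in selinux_uring_setup keeps the SID in a signed int, whereas the neighbouring io_uring hooks (selinux_uring_cmd just above passes current_sid() straight into avc_has_perm()) work with the u32 that current_sid() returns and avc_has_perm() expects; the round-trip is harmless for real SIDs but inconsistent with the file and would draw a sign-conversion warning under -Wconversion. Prefer `u32 sid = current_sid();`. The kernel-doc could also spell out the contract so readers do not have to compare with selinux_uring_sqpoll, e.g. add `* Return: 0 if the current task's SID holds io_uring { setup } on itself, otherwise a negative errno from avc_has_perm(); no audit data is attached because there is no object beyond the task.` The passing of NULL audit data looks intentional for a subject-to-self check, but a one-line comment on that call would make it explicit.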
@@ -7258,6 +7270,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+ LSM_HOOK_INIT(uring_setup, selinux_uring_setup),
#endif
/*
@@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = {
{ "anon_inode",
{ COMMON_FILE_PERMS, NULL } },
{ "io_uring",
- { "override_creds", "sqpoll", "cmd", NULL } },
+ { "override_creds", "sqpoll", "cmd", "setup", NULL } },
{ "user_namespace",
{ "create", NULL } },
{ NULL }
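Review bot: Adding "setup" to the io_uring entry of secclass_map makes the kernel request a permission that already-deployed policies do not define, and how an undefined permission is resolved at runtime depends on the loaded policy's handle_unknown setting, so a system with an older policy build could lose io_uring_setup entirely once this kernel boots; this deployment hazard is not mentioned in the commit description. The description should state which policy change introduces io_uring { setup } and whether existing policies are expected to keep working, so distributions can ship the policy update together with the kernel. This is inferred from the general SELinux behaviour for permissions missing from policy rather than from anything visible in the hunk, so worth confirming against the selinux_policycap/handle_unknown handling before merging.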
This patch implements a new io_uring permission that controls access to the io_uring_setup system call. The new permission, io_uring { setup }, is added to the existing io_uring class. This is important as it allows users to restrict their attack surface by limiting which subjects are allowed to retrieve fds from the kernel that are necessary for the use of all other io_uring functionality. Signed-off-by: Gil Cukierman <cukie@google.com> --- security/selinux/hooks.c | 13 +++++++++++++ security/selinux/include/classmap.h | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-)