| Message ID | 20241219204143.74736-1-hamzamahfooz@linux.microsoft.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | lsm,io_uring: add LSM hooks for io_uring_setup() | expand |
On 12/19/24 1:41 PM, Hamza Mahfooz wrote: > diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c > index 06ff41484e29..0922bb0724c0 100644 > --- a/io_uring/io_uring.c > +++ b/io_uring/io_uring.c > @@ -3806,29 +3806,36 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params) > return io_uring_create(entries, &p, params); > } > > -static inline bool io_uring_allowed(void) > +static inline int io_uring_allowed(void) > { > int disabled = READ_ONCE(sysctl_io_uring_disabled); > kgid_t io_uring_group; > > if (disabled == 2) > - return false; > + return -EPERM; > > if (disabled == 0 || capable(CAP_SYS_ADMIN)) > - return true; > + goto allowed_lsm; > > io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group); > if (!gid_valid(io_uring_group)) > - return false; > + return -EPERM; > + > + if (!in_group_p(io_uring_group)) > + return -EPERM; > > - return in_group_p(io_uring_group); > +allowed_lsm: > + return security_uring_allowed(); > } > > SYSCALL_DEFINE2(io_uring_setup, u32, entries, > struct io_uring_params __user *, params) > { > - if (!io_uring_allowed()) > - return -EPERM; > + int ret; > + > + ret = io_uring_allowed(); > + if (ret) > + return ret; > > return io_uring_setup(entries, params); > } Please do a prep patch that makes io_uring_allowed() return the actual error rather than true/false, then the rest of your patch can stand alone.
On 12/19/2024 12:41 PM, Hamza Mahfooz wrote: > It is desirable to allow LSM to configure accessibility to io_uring. Why is it desirable to allow LSM to configure accessibility to io_uring? > So, > add an LSM for io_uring_allowed() to guard access to io_uring. > > Cc: Paul Moore <paul@paul-moore.com> > Cc: Jens Axboe <axboe@kernel.dk> > Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> > --- > include/linux/lsm_hook_defs.h | 1 + > include/linux/security.h | 5 +++++ > io_uring/io_uring.c | 21 ++++++++++++++------- > security/security.c | 12 ++++++++++++ > security/selinux/hooks.c | 14 ++++++++++++++ > security/selinux/include/classmap.h | 2 +- > 6 files changed, 47 insertions(+), 8 deletions(-) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index eb2937599cb0..ee45229418dd 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -456,6 +456,7 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) > LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) > LSM_HOOK(int, 0, uring_sqpoll, void) > LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) > +LSM_HOOK(int, 0, uring_allowed, void) > #endif /* CONFIG_IO_URING */ > > LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void) > diff --git a/include/linux/security.h b/include/linux/security.h > index cbdba435b798..0a5e897289e8 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -2351,6 +2351,7 @@ static inline int security_perf_event_write(struct perf_event *event) > extern int security_uring_override_creds(const struct cred *new); > extern int security_uring_sqpoll(void); > extern int security_uring_cmd(struct io_uring_cmd *ioucmd); > +extern int security_uring_allowed(void); > #else > static inline int security_uring_override_creds(const struct cred *new) > { > @@ -2364,6 +2365,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) > { > return 0; > } > +extern int security_uring_allowed(void) > +{ > + return 0; > +} > #endif /* CONFIG_SECURITY */ > #endif /* CONFIG_IO_URING */ > > diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c > index 06ff41484e29..0922bb0724c0 100644 > --- a/io_uring/io_uring.c > +++ b/io_uring/io_uring.c > @@ -3806,29 +3806,36 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params) > return io_uring_create(entries, &p, params); > } > > -static inline bool io_uring_allowed(void) > +static inline int io_uring_allowed(void) > { > int disabled = READ_ONCE(sysctl_io_uring_disabled); > kgid_t io_uring_group; > > if (disabled == 2) > - return false; > + return -EPERM; > > if (disabled == 0 || capable(CAP_SYS_ADMIN)) > - return true; > + goto allowed_lsm; > > io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group); > if (!gid_valid(io_uring_group)) > - return false; > + return -EPERM; > + > + if (!in_group_p(io_uring_group)) > + return -EPERM; > > - return in_group_p(io_uring_group); > +allowed_lsm: > + return security_uring_allowed(); > } > > SYSCALL_DEFINE2(io_uring_setup, u32, entries, > struct io_uring_params __user *, params) > { > - if (!io_uring_allowed()) > - return -EPERM; > + int ret; > + > + ret = io_uring_allowed(); > + if (ret) > + return ret; > > return io_uring_setup(entries, params); > } > diff --git a/security/security.c b/security/security.c > index 09664e09fec9..e4d532e4ead4 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -5996,6 +5996,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) > { > return call_int_hook(uring_cmd, ioucmd); > } > + > +/** > + * security_uring_allowed() - Check if io_uring_setup() is allowed > + * > + * Check whether the current task is allowed to call io_uring_setup(). > + * > + * Return: Returns 0 if permission is granted. > + */ > +int security_uring_allowed(void) > +{ > + return call_int_hook(uring_allowed); > +} > #endif /* CONFIG_IO_URING */ > > /** > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 366c87a40bd1..b4e298c51c16 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -7117,6 +7117,19 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) > return avc_has_perm(current_sid(), isec->sid, > SECCLASS_IO_URING, IO_URING__CMD, &ad); > } > + > +/** > + * selinux_uring_allowed - check if io_uring_setup() can be called > + * > + * Check to see if the current task is allowed to call io_uring_setup(). > + */ > +static int selinux_uring_allowed(void) > +{ > + u32 sid = current_sid(); > + > + return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, > + NULL); > +} > #endif /* CONFIG_IO_URING */ > > static const struct lsm_id selinux_lsmid = { > @@ -7370,6 +7383,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), > LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), > LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), > + LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), > #endif > > /* > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > index 2bc20135324a..5ae222f7e543 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = { > { "perf_event", > { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } }, > { "anon_inode", { COMMON_FILE_PERMS, NULL } }, > - { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } }, > + { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } }, > { "user_namespace", { "create", NULL } }, > { NULL } > };
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index eb2937599cb0..ee45229418dd 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -456,6 +456,7 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) +LSM_HOOK(int, 0, uring_allowed, void) #endif /* CONFIG_IO_URING */ LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void) diff --git a/include/linux/security.h b/include/linux/security.h index cbdba435b798..0a5e897289e8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2351,6 +2351,7 @@ static inline int security_perf_event_write(struct perf_event *event) extern int security_uring_override_creds(const struct cred *new); extern int security_uring_sqpoll(void); extern int security_uring_cmd(struct io_uring_cmd *ioucmd); +extern int security_uring_allowed(void); #else static inline int security_uring_override_creds(const struct cred *new) { @@ -2364,6 +2365,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) { return 0; } +extern int security_uring_allowed(void) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #endif /* CONFIG_IO_URING */ diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 06ff41484e29..0922bb0724c0 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -3806,29 +3806,36 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params) return io_uring_create(entries, &p, params); } -static inline bool io_uring_allowed(void) +static inline int io_uring_allowed(void) { int disabled = READ_ONCE(sysctl_io_uring_disabled); kgid_t io_uring_group; if (disabled == 2) - return false; + return -EPERM; if (disabled == 0 || capable(CAP_SYS_ADMIN)) - return true; + goto allowed_lsm; io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group); if (!gid_valid(io_uring_group)) - return false; + return -EPERM; + + if (!in_group_p(io_uring_group)) + return -EPERM; - return in_group_p(io_uring_group); +allowed_lsm: + return security_uring_allowed(); } SYSCALL_DEFINE2(io_uring_setup, u32, entries, struct io_uring_params __user *, params) { - if (!io_uring_allowed()) - return -EPERM; + int ret; + + ret = io_uring_allowed(); + if (ret) + return ret; return io_uring_setup(entries, params); } diff --git a/security/security.c b/security/security.c index 09664e09fec9..e4d532e4ead4 100644 --- a/security/security.c +++ b/security/security.c @@ -5996,6 +5996,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) { return call_int_hook(uring_cmd, ioucmd); } + +/** + * security_uring_allowed() - Check if io_uring_setup() is allowed + * + * Check whether the current task is allowed to call io_uring_setup(). + * + * Return: Returns 0 if permission is granted. + */ +int security_uring_allowed(void) +{ + return call_int_hook(uring_allowed); +} #endif /* CONFIG_IO_URING */ /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 366c87a40bd1..b4e298c51c16 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7117,6 +7117,19 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) return avc_has_perm(current_sid(), isec->sid, SECCLASS_IO_URING, IO_URING__CMD, &ad); } + +/** + * selinux_uring_allowed - check if io_uring_setup() can be called + * + * Check to see if the current task is allowed to call io_uring_setup(). + */ +static int selinux_uring_allowed(void) +{ + u32 sid = current_sid(); + + return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, + NULL); +} #endif /* CONFIG_IO_URING */ static const struct lsm_id selinux_lsmid = { @@ -7370,6 +7383,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), + LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), #endif /* diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 2bc20135324a..5ae222f7e543 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = { { "perf_event", { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } }, { "anon_inode", { COMMON_FILE_PERMS, NULL } }, - { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } }, + { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } }, { "user_namespace", { "create", NULL } }, { NULL } };
It is desirable to allow LSM to configure accessibility to io_uring. So, add an LSM for io_uring_allowed() to guard access to io_uring. Cc: Paul Moore <paul@paul-moore.com> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> --- include/linux/lsm_hook_defs.h | 1 + include/linux/security.h | 5 +++++ io_uring/io_uring.c | 21 ++++++++++++++------- security/security.c | 12 ++++++++++++ security/selinux/hooks.c | 14 ++++++++++++++ security/selinux/include/classmap.h | 2 +- 6 files changed, 47 insertions(+), 8 deletions(-)