From patchwork Tue Sep 6 21:03:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 12968201 X-Patchwork-Delegate: paul@paul-moore.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52C5DC54EE9 for ; Tue, 6 Sep 2022 21:03:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230054AbiIFVDs (ORCPT ); Tue, 6 Sep 2022 17:03:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230049AbiIFVDp (ORCPT ); Tue, 6 Sep 2022 17:03:45 -0400 Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 522EF8A7F6 for ; Tue, 6 Sep 2022 14:03:44 -0700 (PDT) Received: by mail-qt1-x82b.google.com with SMTP id l5so9054584qtv.4 for ; Tue, 06 Sep 2022 14:03:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:from:to:cc:subject :date; bh=6MX65zgqfAKJcqzX9VApOUmwZEqdlbEKFsyJ0TCOG60=; b=HsuhH5IoR0RN1paQiFiauDrlrsexQjSB1OEw5OVPUTYNhsIiNcJGnzinpIdSqqRCQz GMN5AOIiPVnA/9TwwDUMudBu6FSjlSiER9Ykg+z0FJyJUu3iYfetpx9rI9EThWw9qGxu AA/GXQllChELlUWK3JbrxwyFPDg8ilHu36oW/Lx94N1ICUI+JFVqK3DOkGc9NpaZO2ab O46h/YojIx+3JNp365u7Ga4wnPyqMwQYh2Mfki2XrNj1CENfgN8Rn2r4czdpd4GOEpkh ctzSogd8RaeM8aBdyMqBBMILOfflbQKG2YVlSMdaxzPROVUZ/QFDdbI3ZXFeQARLtNxQ KUcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:x-gm-message-state :from:to:cc:subject:date; bh=6MX65zgqfAKJcqzX9VApOUmwZEqdlbEKFsyJ0TCOG60=; b=idYbEV9OxfN60myrBWxxcF0xBsE9kbU7c58KvOTfOJQCzBLW2ehwI8+zTTK82ly8WC BoMqJTDFRBW4qZvXbY4XjbioPJ2RfxK/W9oVJWNiZmErqrZaj/x1H2wit5haq91urRHY TF2IvmTi5kpUre83FCdJRHqav7mZIB3LdHxfxsptfG/B4FD91APEC6cltciifMeBHBO2 O8HhODnQp25VxI6O2aBikzth85R8v25LuQOIbxDuIKMzhbUIVhMvzD6gLVcihMvqRdhd y0JKi0pi4nslEisdNJsZeja6o8PDTOOFrg0OjUjxQs1iRFzjAUXR0JCG0PPnkGwOscMs IIvg== X-Gm-Message-State: ACgBeo121NetvumWuFVv2Mqu+9Vyg1oXJ0T7GCwr0fFstnDxl9o8smU3 qPXXkMuxMr+EkKjZirIz3PYn X-Google-Smtp-Source: AA6agR7jFp3i7Ot9zXuFRrmJ6/orjtTiDUwxI8Nqw4e2ahjv0IoLatAnDx239V5TxnR2ZWrLMYDLMQ== X-Received: by 2002:ac8:5d49:0:b0:344:7275:dd61 with SMTP id g9-20020ac85d49000000b003447275dd61mr489446qtx.48.1662498223359; Tue, 06 Sep 2022 14:03:43 -0700 (PDT) Received: from localhost (pool-108-26-161-203.bstnma.fios.verizon.net. [108.26.161.203]) by smtp.gmail.com with ESMTPSA id t32-20020a05622a182000b0033aac3da27dsm10595301qtc.19.2022.09.06.14.03.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Sep 2022 14:03:42 -0700 (PDT) Subject: [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op From: Paul Moore To: stable@vger.kernel.org Cc: Jens Axboe , Luis Chamberlain , Casey Schaufler , selinux@vger.kernel.org, linux-security-module@vger.kernel.org Date: Tue, 06 Sep 2022 17:03:42 -0400 Message-ID: <166249822248.409408.10261922549346984289.stgit@olly> In-Reply-To: <166249766105.409408.12118839467847524983.stgit@olly> References: <166249766105.409408.12118839467847524983.stgit@olly> User-Agent: StGit/1.5 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Backport the following upstream commit into Linux v5.19.y: commit 2a5840124009f133bd09fd855963551fb2cefe22 Author: Luis Chamberlain Date: Fri Jul 15 12:16:22 2022 -0700 lsm,io_uring: add LSM hooks for the new uring_cmd file op io-uring cmd support was added through ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd"), this extended the struct file_operations to allow a new command which each subsystem can use to enable command passthrough. Add an LSM specific for the command passthrough which enables LSMs to inspect the command details. This was discussed long ago without no clear pointer for something conclusive, so this enables LSMs to at least reject this new file operation. [0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com Signed-off-by: Paul Moore --- include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 3 +++ include/linux/security.h | 5 +++++ io_uring/io_uring.c | 4 ++++ security/security.c | 4 ++++ 5 files changed, 17 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index eafa1d2489fd..4e94755098f1 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #ifdef CONFIG_IO_URING LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) +LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 91c8146649f5..b681cfce6190 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1575,6 +1575,9 @@ * Check whether the current task is allowed to spawn a io_uring polling * thread (IORING_SETUP_SQPOLL). * + * @uring_cmd: + * Check whether the file_operations uring_cmd is allowed to run. + * */ union security_list_options { #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); diff --git a/include/linux/security.h b/include/linux/security.h index 7fc4e9f49f54..3cc127bb5bfd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2051,6 +2051,7 @@ static inline int security_perf_event_write(struct perf_event *event) #ifdef CONFIG_SECURITY extern int security_uring_override_creds(const struct cred *new); extern int security_uring_sqpoll(void); +extern int security_uring_cmd(struct io_uring_cmd *ioucmd); #else static inline int security_uring_override_creds(const struct cred *new) { @@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(void) { return 0; } +static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #endif /* CONFIG_IO_URING */ diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index cd155b7e1346..c5208dca18fa 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags) if (!req->file->f_op->uring_cmd) return -EOPNOTSUPP; + ret = security_uring_cmd(ioucmd); + if (ret) + return ret; + if (ctx->flags & IORING_SETUP_SQE128) issue_flags |= IO_URING_F_SQE128; if (ctx->flags & IORING_SETUP_CQE32) diff --git a/security/security.c b/security/security.c index 188b8f782220..8b62654ff3f9 100644 --- a/security/security.c +++ b/security/security.c @@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void) { return call_int_hook(uring_sqpoll, 0); } +int security_uring_cmd(struct io_uring_cmd *ioucmd) +{ + return call_int_hook(uring_cmd, 0, ioucmd); +} #endif /* CONFIG_IO_URING */ From patchwork Tue Sep 6 21:03:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 12968202 X-Patchwork-Delegate: paul@paul-moore.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2CCC6ECAAA1 for ; Tue, 6 Sep 2022 21:03:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229604AbiIFVD5 (ORCPT ); Tue, 6 Sep 2022 17:03:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60734 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229772AbiIFVDv (ORCPT ); Tue, 6 Sep 2022 17:03:51 -0400 Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EF6FA9262 for ; Tue, 6 Sep 2022 14:03:50 -0700 (PDT) Received: by mail-qk1-x734.google.com with SMTP id a10so9124225qkl.13 for ; Tue, 06 Sep 2022 14:03:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:from:to:cc:subject :date; bh=zxQ66m5smH23GnuOECwAiTPpsELUaznzezl4/ifu74Q=; b=M7VpfvSjm/xhgtLPB8T/3TywX/TwQtxWaF7Df56ET1MNqn08IrKYVhDDqikYYU4bZk ZyLlphwIrvabKTQi11OzmuwkiYXfi+3BzNXsxlWkPIIw9jKrdh6ioFpPyIF7BnvQZG7P 15kKquPxU9JOp9n5QUqaFpvvL5qjJudyCm/sdMq4m+1ru/NEQCNcaegVzAHMptkOpA20 U1qH6BMcrVOZfNqnV7ZAQtD0+TxhsWwg7bsu6JWGPurtECJVv3T8FAXMGkqRPhgAOYy+ 0WedvN9NsbMgU6U6YLnuSftryooyL9ghpvmM9Gf0kTBe27DTa++/WNPcSivcP9ikj4yd hv3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:x-gm-message-state :from:to:cc:subject:date; bh=zxQ66m5smH23GnuOECwAiTPpsELUaznzezl4/ifu74Q=; b=G4V4QswEKYNMvDGdG3LaWEZ98oLHOpd1wY3enbzDqf44TRCKioFuP8mm5SJeimenyr vXpNqYgIDG6Dl7ybrpU8N8CZvdn36QcPZW6y9SkX/DZgUi7VlmeFWzKraxwjljWYT1Nr JeJtrKegDef1+7rn4dkd00bu/LooYsrSDue3LhIR+Z6ZNrgXyq/idrwe0tD84qHcYaKX Py7K3cWgSzQLKOTbrA8OQKQfrtg9wYzs/HOoA+j0hAcgE7+M8B/kOZltaBwbs2oqtt72 tOGbSIxgxx0V9UmxXt9SQnLRRZV6LH13ywdug/h0i6i7Tqg96pdT8JlKXutAyh0w2WAy To5Q== X-Gm-Message-State: ACgBeo2hBd5azQ3eUxkV8VbsVZkdVljkEvXxEtEmHKN++9mCJsRgV5dW lDeXcfjYoMIJqdllRHWhIbA2 X-Google-Smtp-Source: AA6agR7SkQibN9yqKoWTbVD1M3dgQcyRamfkXa6npPHkPIwXqfb7VFKVYavZTtR0SJ4LPkIJjS2bjg== X-Received: by 2002:a05:620a:1018:b0:6bc:638d:cf54 with SMTP id z24-20020a05620a101800b006bc638dcf54mr428624qkj.161.1662498229300; Tue, 06 Sep 2022 14:03:49 -0700 (PDT) Received: from localhost (pool-108-26-161-203.bstnma.fios.verizon.net. [108.26.161.203]) by smtp.gmail.com with ESMTPSA id x24-20020ac87a98000000b003431446588fsm10351464qtr.5.2022.09.06.14.03.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Sep 2022 14:03:48 -0700 (PDT) Subject: [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook From: Paul Moore To: stable@vger.kernel.org Cc: Jens Axboe , Luis Chamberlain , Casey Schaufler , selinux@vger.kernel.org, linux-security-module@vger.kernel.org Date: Tue, 06 Sep 2022 17:03:48 -0400 Message-ID: <166249822847.409408.9982274436178494091.stgit@olly> In-Reply-To: <166249766105.409408.12118839467847524983.stgit@olly> References: <166249766105.409408.12118839467847524983.stgit@olly> User-Agent: StGit/1.5 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Backport the following upstream commit into Linux v5.19.y: commit f4d653dcaa4e4056e1630423e6a8ece4869b544f Author: Paul Moore Date: Wed Aug 10 15:55:36 2022 -0400 selinux: implement the security_uring_cmd() LSM hook Add a SELinux access control for the iouring IORING_OP_URING_CMD command. This includes the addition of a new permission in the existing "io_uring" object class: "cmd". The subject of the new permission check is the domain of the process requesting access, the object is the open file which points to the device/file that is the target of the IORING_OP_URING_CMD operation. A sample policy rule is shown below: allow :io_uring { cmd }; Signed-off-by: Paul Moore --- security/selinux/hooks.c | 24 ++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bbd53321d13..e90dfa36f79a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -91,6 +91,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" @@ -6990,6 +6991,28 @@ static int selinux_uring_sqpoll(void) return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); } + +/** + * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed + * @ioucmd: the io_uring command structure + * + * Check to see if the current domain is allowed to execute an + * IORING_OP_URING_CMD against the device/file specified in @ioucmd. + * + */ +static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) +{ + struct file *file = ioucmd->file; + struct inode *inode = file_inode(file); + struct inode_security_struct *isec = selinux_inode(inode); + struct common_audit_data ad; + + ad.type = LSM_AUDIT_DATA_FILE; + ad.u.file = file; + + return avc_has_perm(&selinux_state, current_sid(), isec->sid, + SECCLASS_IO_URING, IO_URING__CMD, &ad); +} #endif /* CONFIG_IO_URING */ /* @@ -7234,6 +7257,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IO_URING LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), + LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), #endif /* diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ff757ae5f253..1c2f41ff4e55 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = { { "anon_inode", { COMMON_FILE_PERMS, NULL } }, { "io_uring", - { "override_creds", "sqpoll", NULL } }, + { "override_creds", "sqpoll", "cmd", NULL } }, { NULL } }; From patchwork Tue Sep 6 21:03:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 12968203 X-Patchwork-Delegate: paul@paul-moore.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC4C6C6FA89 for ; Tue, 6 Sep 2022 21:04:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229772AbiIFVD6 (ORCPT ); Tue, 6 Sep 2022 17:03:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60818 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230060AbiIFVD5 (ORCPT ); Tue, 6 Sep 2022 17:03:57 -0400 Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 49196A2A99 for ; Tue, 6 Sep 2022 14:03:56 -0700 (PDT) Received: by mail-qv1-xf2b.google.com with SMTP id d1so9307063qvs.0 for ; Tue, 06 Sep 2022 14:03:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:from:to:cc:subject :date; bh=JT+gOz3fKl6MC7AjldhQFB7VwdWbFk28JfZ/z8wOF6U=; b=c5EwKL8SupN4TigtQt+6UDHFb1iZ77+Gbldz45t7EpCqyqQYOocUIwvBrx/04yJXlE +6/TqgT/JyHs9dZk/mhv2UmmHdrY2LqnCwX2mL/G6S9siyytASYDb0vVGvQHTWza7Suc xmb3G7rqJOqBmdD4jZNUA7H9grirly+SF2PEyvchO6S4j6GDR90dkJeF/GdauoVLJBk3 85F/DYhXbaB14qY6o0LtqIl0gz54WQr8mzp4PelJB21mQQjC54XeNDqmgfnRkZiUJXIf ql6ZwWiQo9hu15mUU45/gEVNb2eyWIrIQFMTd2HaLFec84rkJxqVu+pj7wh7gbH846n8 4aBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:x-gm-message-state :from:to:cc:subject:date; bh=JT+gOz3fKl6MC7AjldhQFB7VwdWbFk28JfZ/z8wOF6U=; b=LYcCG7G1Flh4mwHT1T5AnLBPloZbTDQpoDLRFcqyhmQ3X+W2jh4Q8yjPnlcOWjUjYJ 3cMpaFeKceSEOdRivtbKZ361x/VR3k2LQmPB5iOhEtQZ+LazAOeEApCXeL0GcKn8FULs HQ2jGst6R2VhWNJvmWN+Uk/sMxHBT6v+upmA8vgEcQAgbIslZdo6ODJj4T0AonjFqS9o QVj9qMAChno4anNDxI0FLd6ACdLSq0OzZ3X/nTV2AlTQ8b9c4eT6xV7PeZSquzq/KLrw DcP9pCetukEsSFmd5RN3YrnQZxaH60e+6vdM61TCujn1JVm77DOaj4H3nNcXK+OW30zU /a0g== X-Gm-Message-State: ACgBeo1uhKsnzU6b+P+7N0TTxeNZo2JMi6Q0EoCru/GAJJOByEzi3vfz udpDwVqh7cop38s9+VTGrAaY X-Google-Smtp-Source: AA6agR5NX2KOzSimlyRxEms1kdM1D1nBQoMlTRJaBhRuDGN2/Po4caz+hTKm3muhATsUyr3NcCQ1pA== X-Received: by 2002:a0c:9a48:0:b0:4aa:9d5e:2557 with SMTP id q8-20020a0c9a48000000b004aa9d5e2557mr432141qvd.104.1662498235252; Tue, 06 Sep 2022 14:03:55 -0700 (PDT) Received: from localhost (pool-108-26-161-203.bstnma.fios.verizon.net. [108.26.161.203]) by smtp.gmail.com with ESMTPSA id h5-20020a05620a284500b006bc192d277csm12207592qkp.10.2022.09.06.14.03.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Sep 2022 14:03:54 -0700 (PDT) Subject: [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd From: Paul Moore To: stable@vger.kernel.org Cc: Jens Axboe , Luis Chamberlain , Casey Schaufler , selinux@vger.kernel.org, linux-security-module@vger.kernel.org Date: Tue, 06 Sep 2022 17:03:54 -0400 Message-ID: <166249823441.409408.621539815259290208.stgit@olly> In-Reply-To: <166249766105.409408.12118839467847524983.stgit@olly> References: <166249766105.409408.12118839467847524983.stgit@olly> User-Agent: StGit/1.5 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Backport the following upstream commit into Linux v5.19.y: commit dd9373402280cf4715fdc8fd5070f7d039e43511 Author: Casey Schaufler Date: Tue Aug 23 16:46:18 2022 -0700 Smack: Provide read control for io_uring_cmd Limit io_uring "cmd" options to files for which the caller has Smack read access. There may be cases where the cmd option may be closer to a write access than a read, but there is no way to make that determination. Signed-off-by: Paul Moore Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6207762dbdb1..b30e20f64471 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -42,6 +42,7 @@ #include #include #include +#include #include "smack.h" #define TRANS_TRUE "TRUE" @@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void) return -EPERM; } +/** + * smack_uring_cmd - check on file operations for io_uring + * @ioucmd: the command in question + * + * Make a best guess about whether a io_uring "command" should + * be allowed. Use the same logic used for determining if the + * file could be opened for read in the absence of better criteria. + */ +static int smack_uring_cmd(struct io_uring_cmd *ioucmd) +{ + struct file *file = ioucmd->file; + struct smk_audit_info ad; + struct task_smack *tsp; + struct inode *inode; + int rc; + + if (!file) + return -EINVAL; + + tsp = smack_cred(file->f_cred); + inode = file_inode(file); + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); + smk_ad_setfield_u_fs_path(&ad, file->f_path); + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); + rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); + + return rc; +} + #endif /* CONFIG_IO_URING */ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { @@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IO_URING LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), + LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), #endif };