From patchwork Tue Dec 12 13:17:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 13489260 X-Patchwork-Delegate: paul@paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="RIDTSKQt" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 60510118 for ; Tue, 12 Dec 2023 05:17:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1702387048; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Kbn/Pj7lGZv5FQhku3s01YJlXyJKSmX12DB6Cc5Zb3k=; b=RIDTSKQtyt/0vCclYSaCYcw+rEUtEude+BzAiqP0s/4apapYWvMr/0I+nDgOJ3AIWAo4eR wzP+fuNMGVXyaVqoFCLNx+uhIf9TWx1oK37dIpMjDVE1WCdXJo68OoibK6ccmEd52idWjw EXG7BhKfmo0jlqkZKANGIdCxyYUIW2k= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-267-r6trOJMmMXybz5kfVgFA4A-1; Tue, 12 Dec 2023 08:17:24 -0500 X-MC-Unique: r6trOJMmMXybz5kfVgFA4A-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id ED34928EC102; Tue, 12 Dec 2023 13:17:22 +0000 (UTC) Received: from max-p1.redhat.com (unknown [10.39.208.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id C38C31121306; Tue, 12 Dec 2023 13:17:19 +0000 (UTC) From: Maxime Coquelin To: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com, casey@schaufler-ca.com Cc: Maxime Coquelin Subject: [PATCH v5 1/4] vduse: validate block features only with block devices Date: Tue, 12 Dec 2023 14:17:09 +0100 Message-ID: <20231212131712.1816324-2-maxime.coquelin@redhat.com> In-Reply-To: <20231212131712.1816324-1-maxime.coquelin@redhat.com> References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 This patch is preliminary work to enable network device type support to VDUSE. As VIRTIO_BLK_F_CONFIG_WCE shares the same value as VIRTIO_NET_F_HOST_TSO4, we need to restrict its check to Virtio-blk device type. Acked-by: Jason Wang Reviewed-by: Xie Yongji Signed-off-by: Maxime Coquelin --- drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index 0ddd4b8abecb..0486ff672408 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -1671,13 +1671,14 @@ static bool device_is_allowed(u32 device_id) return false; } -static bool features_is_valid(u64 features) +static bool features_is_valid(struct vduse_dev_config *config) { - if (!(features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) + if (!(config->features & (1ULL << VIRTIO_F_ACCESS_PLATFORM))) return false; /* Now we only support read-only configuration space */ - if (features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE)) + if ((config->device_id == VIRTIO_ID_BLOCK) && + (config->features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE))) return false; return true; @@ -1704,7 +1705,7 @@ static bool vduse_validate_config(struct vduse_dev_config *config) if (!device_is_allowed(config->device_id)) return false; - if (!features_is_valid(config->features)) + if (!features_is_valid(config)) return false; return true; From patchwork Tue Dec 12 13:17:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 13489261 X-Patchwork-Delegate: paul@paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="XC8k1Og1" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3232F134 for ; Tue, 12 Dec 2023 05:17:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1702387051; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TaBsHxHFMnJzAJsTX2w35RpbTEwLYs4GFMNgU88u+kY=; b=XC8k1Og1/JdZUoj18iPxo7ZTo3LqOji3lY0GwhB3Nw/QLrSHPrYEBoNidnYdm3+Yx6F+ZC kSOQtXcAyaZtA/CNP6LL47H/r3Q3W3Rb/7BcqjXwXmjksI/edJGh3bAeeZ1dMe9XkQc8Y2 mzTda0a+GXBNP0C/JpTp20eZU3GgG/Q= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-443-l1dVKqVbNjSHXwliPbYvYA-1; Tue, 12 Dec 2023 08:17:27 -0500 X-MC-Unique: l1dVKqVbNjSHXwliPbYvYA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 79687868A21; Tue, 12 Dec 2023 13:17:26 +0000 (UTC) Received: from max-p1.redhat.com (unknown [10.39.208.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id 445881121306; Tue, 12 Dec 2023 13:17:23 +0000 (UTC) From: Maxime Coquelin To: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com, casey@schaufler-ca.com Cc: Maxime Coquelin Subject: [PATCH v5 2/4] vduse: Temporarily disable control queue features Date: Tue, 12 Dec 2023 14:17:10 +0100 Message-ID: <20231212131712.1816324-3-maxime.coquelin@redhat.com> In-Reply-To: <20231212131712.1816324-1-maxime.coquelin@redhat.com> References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 Virtio-net driver control queue implementation is not safe when used with VDUSE. If the VDUSE application does not reply to control queue messages, it currently ends up hanging the kernel thread sending this command. Some work is on-going to make the control queue implementation robust with VDUSE. Until it is completed, let's disable control virtqueue and features that depend on it. Signed-off-by: Maxime Coquelin --- drivers/vdpa/vdpa_user/vduse_dev.c | 37 ++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index 0486ff672408..fe4b5c8203fd 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include "iova_domain.h" @@ -46,6 +47,30 @@ #define IRQ_UNBOUND -1 +#define VDUSE_NET_VALID_FEATURES_MASK \ + (BIT_ULL(VIRTIO_NET_F_CSUM) | \ + BIT_ULL(VIRTIO_NET_F_GUEST_CSUM) | \ + BIT_ULL(VIRTIO_NET_F_MTU) | \ + BIT_ULL(VIRTIO_NET_F_MAC) | \ + BIT_ULL(VIRTIO_NET_F_GUEST_TSO4) | \ + BIT_ULL(VIRTIO_NET_F_GUEST_TSO6) | \ + BIT_ULL(VIRTIO_NET_F_GUEST_ECN) | \ + BIT_ULL(VIRTIO_NET_F_GUEST_UFO) | \ + BIT_ULL(VIRTIO_NET_F_HOST_TSO4) | \ + BIT_ULL(VIRTIO_NET_F_HOST_TSO6) | \ + BIT_ULL(VIRTIO_NET_F_HOST_ECN) | \ + BIT_ULL(VIRTIO_NET_F_HOST_UFO) | \ + BIT_ULL(VIRTIO_NET_F_MRG_RXBUF) | \ + BIT_ULL(VIRTIO_NET_F_STATUS) | \ + BIT_ULL(VIRTIO_NET_F_HOST_USO) | \ + BIT_ULL(VIRTIO_F_ANY_LAYOUT) | \ + BIT_ULL(VIRTIO_RING_F_INDIRECT_DESC) | \ + BIT_ULL(VIRTIO_RING_F_EVENT_IDX) | \ + BIT_ULL(VIRTIO_F_VERSION_1) | \ + BIT_ULL(VIRTIO_F_ACCESS_PLATFORM) | \ + BIT_ULL(VIRTIO_F_RING_PACKED) | \ + BIT_ULL(VIRTIO_F_IN_ORDER)) + struct vduse_virtqueue { u16 index; u16 num_max; @@ -1782,6 +1807,16 @@ static struct attribute *vduse_dev_attrs[] = { ATTRIBUTE_GROUPS(vduse_dev); +static void vduse_dev_features_filter(struct vduse_dev_config *config) +{ + /* + * Temporarily filter out virtio-net's control virtqueue and features + * that depend on it while CVQ is being made more robust for VDUSE. + */ + if (config->device_id == VIRTIO_ID_NET) + config->features &= VDUSE_NET_VALID_FEATURES_MASK; +} + static int vduse_create_dev(struct vduse_dev_config *config, void *config_buf, u64 api_version) { @@ -1797,6 +1832,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, if (!dev) goto err; + vduse_dev_features_filter(config); + dev->api_version = api_version; dev->device_features = config->features; dev->device_id = config->device_id; From patchwork Tue Dec 12 13:17:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 13489262 X-Patchwork-Delegate: paul@paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Z3ZQkGPf" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7527C13A for ; Tue, 12 Dec 2023 05:17:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1702387053; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=o0LIMgKiGBHNSKD8IIuTa7bPbj2RQDP2uV1SsEiFHOg=; b=Z3ZQkGPfgfqfMnq2dFGvKt6njp5z1bmWJ2i0xYHdb+9852lAiHEdX/HjGMXSN0RpG1zn8O xqfCkop4ZIosEJbaQf7zXFCuxipI5g2HfPg/HsrdQEAaN9kNk8mXugksL+OeM2fZa5G7Cz KMiXpv9KWyPsoyCYct3ygmj5DZuG0I8= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-134-Grc6b-i-Ngq40wcOj_AIMg-1; Tue, 12 Dec 2023 08:17:30 -0500 X-MC-Unique: Grc6b-i-Ngq40wcOj_AIMg-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E213D28EC10B; Tue, 12 Dec 2023 13:17:29 +0000 (UTC) Received: from max-p1.redhat.com (unknown [10.39.208.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id C3E4E1121306; Tue, 12 Dec 2023 13:17:26 +0000 (UTC) From: Maxime Coquelin To: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com, casey@schaufler-ca.com Cc: Maxime Coquelin Subject: [PATCH v5 3/4] vduse: enable Virtio-net device type Date: Tue, 12 Dec 2023 14:17:11 +0100 Message-ID: <20231212131712.1816324-4-maxime.coquelin@redhat.com> In-Reply-To: <20231212131712.1816324-1-maxime.coquelin@redhat.com> References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 This patch adds Virtio-net device type to the supported devices types. Initialization fails if the device does not support VIRTIO_F_VERSION_1 feature, in order to guarantee the configuration space is read-only. Acked-by: Jason Wang Reviewed-by: Xie Yongji Signed-off-by: Maxime Coquelin --- drivers/vdpa/vdpa_user/vduse_dev.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index fe4b5c8203fd..fa62825be378 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -166,6 +166,7 @@ static struct workqueue_struct *vduse_irq_bound_wq; static u32 allowed_device_id[] = { VIRTIO_ID_BLOCK, + VIRTIO_ID_NET, }; static inline struct vduse_dev *vdpa_to_vduse(struct vdpa_device *vdpa) @@ -1706,6 +1707,10 @@ static bool features_is_valid(struct vduse_dev_config *config) (config->features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE))) return false; + if ((config->device_id == VIRTIO_ID_NET) && + !(config->features & (1ULL << VIRTIO_F_VERSION_1))) + return false; + return true; } @@ -2068,6 +2073,7 @@ static const struct vdpa_mgmtdev_ops vdpa_dev_mgmtdev_ops = { static struct virtio_device_id id_table[] = { { VIRTIO_ID_BLOCK, VIRTIO_DEV_ANY_ID }, + { VIRTIO_ID_NET, VIRTIO_DEV_ANY_ID }, { 0 }, }; From patchwork Tue Dec 12 13:17:12 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxime Coquelin X-Patchwork-Id: 13489263 X-Patchwork-Delegate: paul@paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="e5H4Vu9M" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6903AD60 for ; Tue, 12 Dec 2023 05:17:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1702387059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I+u1S2AY/jEGnaBOw0WBoMATED3t5u4RyQxPWcyrfwg=; b=e5H4Vu9MpT/2Jf/cpYIyJGtoraIKyt4tY86NPA//uj5XS0t3dlI3WvRx9IZHqTViys1Mlh YE7GxqzsFj+zfNvN5hWPdM/KOaMi4ZW6VHkuHPuqqWfzz5biq/X/Ocw3s8zks1pisQDtvL dWZU9qrmjcW3E7KHVM31CHllaMvtn1g= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-673-4GXjYFpzO-GvKEOSKHlLSA-1; Tue, 12 Dec 2023 08:17:34 -0500 X-MC-Unique: 4GXjYFpzO-GvKEOSKHlLSA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 576E984A298; Tue, 12 Dec 2023 13:17:33 +0000 (UTC) Received: from max-p1.redhat.com (unknown [10.39.208.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id 39C001121312; Tue, 12 Dec 2023 13:17:30 +0000 (UTC) From: Maxime Coquelin To: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com, casey@schaufler-ca.com Cc: Maxime Coquelin Subject: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type Date: Tue, 12 Dec 2023 14:17:12 +0100 Message-ID: <20231212131712.1816324-5-maxime.coquelin@redhat.com> In-Reply-To: <20231212131712.1816324-1-maxime.coquelin@redhat.com> References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 This patch introduces a LSM hook for devices creation, destruction (ioctl()) and opening (open()) operations, checking the application is allowed to perform these operations for the Virtio device type. Signed-off-by: Maxime Coquelin --- MAINTAINERS | 1 + drivers/vdpa/vdpa_user/vduse_dev.c | 13 ++++++++++++ include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 6 ++++++ include/linux/vduse.h | 14 +++++++++++++ security/security.c | 15 ++++++++++++++ security/selinux/hooks.c | 32 +++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 ++ 8 files changed, 85 insertions(+) create mode 100644 include/linux/vduse.h diff --git a/MAINTAINERS b/MAINTAINERS index a0fb0df07b43..4e83b14358d2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -23040,6 +23040,7 @@ F: drivers/net/virtio_net.c F: drivers/vdpa/ F: drivers/virtio/ F: include/linux/vdpa.h +F: include/linux/vduse.h F: include/linux/virtio*.h F: include/linux/vringh.h F: include/uapi/linux/virtio_*.h diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index fa62825be378..59ab7eb62e20 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -8,6 +8,7 @@ * */ +#include "linux/security.h" #include #include #include @@ -30,6 +31,7 @@ #include #include #include +#include #include "iova_domain.h" @@ -1442,6 +1444,10 @@ static int vduse_dev_open(struct inode *inode, struct file *file) if (dev->connected) goto unlock; + ret = -EPERM; + if (security_vduse_perm_check(VDUSE_PERM_OPEN, dev->device_id)) + goto unlock; + ret = 0; dev->connected = true; file->private_data = dev; @@ -1664,6 +1670,9 @@ static int vduse_destroy_dev(char *name) if (!dev) return -EINVAL; + if (security_vduse_perm_check(VDUSE_PERM_DESTROY, dev->device_id)) + return -EPERM; + mutex_lock(&dev->lock); if (dev->vdev || dev->connected) { mutex_unlock(&dev->lock); @@ -1828,6 +1837,10 @@ static int vduse_create_dev(struct vduse_dev_config *config, int ret; struct vduse_dev *dev; + ret = -EPERM; + if (security_vduse_perm_check(VDUSE_PERM_CREATE, config->device_id)) + goto err; + ret = -EEXIST; if (vduse_find_dev(config->name)) goto err; diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ff217a5ce552..3930ab2ae974 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -419,3 +419,5 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ + +LSM_HOOK(int, 0, vduse_perm_check, enum vduse_op_perm op_perm, u32 device_id) diff --git a/include/linux/security.h b/include/linux/security.h index 1d1df326c881..2a2054172394 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -32,6 +32,7 @@ #include #include #include +#include struct linux_binprm; struct cred; @@ -484,6 +485,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1395,6 +1397,10 @@ static inline int security_locked_down(enum lockdown_reason what) { return 0; } +static inline int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/include/linux/vduse.h b/include/linux/vduse.h new file mode 100644 index 000000000000..7a20dcc43997 --- /dev/null +++ b/include/linux/vduse.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_VDUSE_H +#define _LINUX_VDUSE_H + +/* + * The permission required for a VDUSE device operation. + */ +enum vduse_op_perm { + VDUSE_PERM_CREATE, + VDUSE_PERM_DESTROY, + VDUSE_PERM_OPEN, +}; + +#endif /* _LINUX_VDUSE_H */ diff --git a/security/security.c b/security/security.c index dcb3e7014f9b..150abf85f97d 100644 --- a/security/security.c +++ b/security/security.c @@ -5337,3 +5337,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) return call_int_hook(uring_cmd, 0, ioucmd); } #endif /* CONFIG_IO_URING */ + +/** + * security_vduse_perm_check() - Check if a VDUSE device type operation is allowed + * @op_perm: the operation type + * @device_id: the Virtio device ID + * + * Check whether the Virtio device creation is allowed + * + * Return: Returns 0 if permission is granted. + */ +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + return call_int_hook(vduse_perm_check, 0, op_perm, device_id); +} +EXPORT_SYMBOL(security_vduse_perm_check); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index feda711c6b7b..18845e4f682f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -21,6 +21,8 @@ * Copyright (C) 2016 Mellanox Technologies */ +#include "av_permissions.h" +#include "linux/vduse.h" #include #include #include @@ -92,6 +94,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" @@ -6950,6 +6953,34 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) } #endif /* CONFIG_IO_URING */ +static int selinux_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + u32 requested_op, requested_type, sid = current_sid(); + int ret; + + if (op_perm == VDUSE_PERM_CREATE) + requested_op = VDUSE__CREATE; + else if (op_perm == VDUSE__DESTROY) + requested_op = VDUSE__DESTROY; + else if (op_perm == VDUSE_PERM_OPEN) + requested_op = VDUSE__OPEN; + else + return -EINVAL; + + ret = avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_op, NULL); + if (ret) + return ret; + + if (device_id == VIRTIO_ID_NET) + requested_type = VDUSE__NET; + else if (device_id == VIRTIO_ID_BLOCK) + requested_type = VDUSE__BLOCK; + else + return -EINVAL; + + return avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_type, NULL); +} + /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, @@ -7243,6 +7274,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #ifdef CONFIG_PERF_EVENTS LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), #endif + LSM_HOOK_INIT(vduse_perm_check, selinux_vduse_perm_check), }; static __init int selinux_init(void) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index a3c380775d41..b0a358cbac1c 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -256,6 +256,8 @@ const struct security_class_mapping secclass_map[] = { { "override_creds", "sqpoll", "cmd", NULL } }, { "user_namespace", { "create", NULL } }, + { "vduse", + { "create", "destroy", "open", "net", "block", NULL} }, { NULL } };