[v5.19.y PATCH 0/3] Backport the io_uring/LSM CMD passthrough controls

List overview All Threads
Download

newer

older

Re: Regarding Of My Late Father's...

[PATCH stable-4.19 0/4] USB:...

Paul Moore

6 Sep 2022 6 Sep '22

9:03 p.m.

The stable patch merging tools failed to automatically merge the io_uring/LSM CMD passthrough controls into the stable v5.19.y branch, so I'm doing the backport manually and submitting them directly to stable for the next v5.19.y release. The backport is necessary due to the reorg/decomposition of the io_uring code in io_uring/ during the v5.19->v6.0 merge window. Other than the differences in the filenames under io_uring, the code changes are pretty much the same.

I've done some basic sanity testing this afternoon with these patches and everything looks good to me.

If you would prefer to pull these directly from a git tree instead of email, they are available via the LSM tree on the stable-5.19 branch, using the lsm-pr-20220906 tag.

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git lsm-pr-20220906

---

Paul Moore (3): lsm,io_uring: add LSM hooks for the new uring_cmd file op selinux: implement the security_uring_cmd() LSM hook Smack: Provide read control for io_uring_cmd

Show replies by date

Paul Moore

6 Sep 6 Sep

9:03 p.m.

New subject: [v5.19.y PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op

Backport the following upstream commit into Linux v5.19.y:

commit 2a5840124009f133bd09fd855963551fb2cefe22 Author: Luis Chamberlain mcgrof@kernel.org Date: Fri Jul 15 12:16:22 2022 -0700

lsm,io_uring: add LSM hooks for the new uring_cmd file op

io-uring cmd support was added through ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd"), this extended the struct file_operations to allow a new command which each subsystem can use to enable command passthrough. Add an LSM specific for the command passthrough which enables LSMs to inspect the command details.

This was discussed long ago without no clear pointer for something conclusive, so this enables LSMs to at least reject this new file operation.

[0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca....

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index eafa1d2489fd..4e94755098f1 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #ifdef CONFIG_IO_URING LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) +LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 91c8146649f5..b681cfce6190 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1575,6 +1575,9 @@ * Check whether the current task is allowed to spawn a io_uring polling * thread (IORING_SETUP_SQPOLL). * + * @uring_cmd: + * Check whether the file_operations uring_cmd is allowed to run. + * */ union security_list_options { #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); diff --git a/include/linux/security.h b/include/linux/security.h index 7fc4e9f49f54..3cc127bb5bfd 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2051,6 +2051,7 @@ static inline int security_perf_event_write(struct perf_event *event) #ifdef CONFIG_SECURITY extern int security_uring_override_creds(const struct cred *new); extern int security_uring_sqpoll(void); +extern int security_uring_cmd(struct io_uring_cmd *ioucmd); #else static inline int security_uring_override_creds(const struct cred *new) { @@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(void) { return 0; } +static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #endif /* CONFIG_IO_URING */

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index cd155b7e1346..c5208dca18fa 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags) if (!req->file->f_op->uring_cmd) return -EOPNOTSUPP;

+ ret = security_uring_cmd(ioucmd); + if (ret) + return ret; + if (ctx->flags & IORING_SETUP_SQE128) issue_flags |= IO_URING_F_SQE128; if (ctx->flags & IORING_SETUP_CQE32) diff --git a/security/security.c b/security/security.c index 188b8f782220..8b62654ff3f9 100644 --- a/security/security.c +++ b/security/security.c @@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void) { return call_int_hook(uring_sqpoll, 0); } +int security_uring_cmd(struct io_uring_cmd *ioucmd) +{ + return call_int_hook(uring_cmd, 0, ioucmd); +} #endif /* CONFIG_IO_URING */

Paul Moore

9:03 p.m.

New subject: [v5.19.y PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook

Backport the following upstream commit into Linux v5.19.y:

commit f4d653dcaa4e4056e1630423e6a8ece4869b544f Author: Paul Moore paul@paul-moore.com Date: Wed Aug 10 15:55:36 2022 -0400

selinux: implement the security_uring_cmd() LSM hook

Add a SELinux access control for the iouring IORING_OP_URING_CMD command. This includes the addition of a new permission in the existing "io_uring" object class: "cmd". The subject of the new permission check is the domain of the process requesting access, the object is the open file which points to the device/file that is the target of the IORING_OP_URING_CMD operation. A sample policy rule is shown below:

allow <domain> <file>:io_uring { cmd };

Signed-off-by: Paul Moore paul@paul-moore.com --- security/selinux/hooks.c | 24 ++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bbd53321d13..e90dfa36f79a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -91,6 +91,7 @@ #include <uapi/linux/mount.h> #include <linux/fsnotify.h> #include <linux/fanotify.h> +#include <linux/io_uring.h>

#include "avc.h" #include "objsec.h" @@ -6990,6 +6991,28 @@ static int selinux_uring_sqpoll(void) return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); } + +/** + * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed + * @ioucmd: the io_uring command structure + * + * Check to see if the current domain is allowed to execute an + * IORING_OP_URING_CMD against the device/file specified in @ioucmd. + * + */ +static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) +{ + struct file *file = ioucmd->file; + struct inode *inode = file_inode(file); + struct inode_security_struct *isec = selinux_inode(inode); + struct common_audit_data ad; + + ad.type = LSM_AUDIT_DATA_FILE; + ad.u.file = file; + + return avc_has_perm(&selinux_state, current_sid(), isec->sid, + SECCLASS_IO_URING, IO_URING__CMD, &ad); +} #endif /* CONFIG_IO_URING */

/* @@ -7234,6 +7257,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IO_URING LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), + LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), #endif

/* diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ff757ae5f253..1c2f41ff4e55 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = { { "anon_inode", { COMMON_FILE_PERMS, NULL } }, { "io_uring", - { "override_creds", "sqpoll", NULL } }, + { "override_creds", "sqpoll", "cmd", NULL } }, { NULL } };

Paul Moore

9:03 p.m.

New subject: [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd

Backport the following upstream commit into Linux v5.19.y:

commit dd9373402280cf4715fdc8fd5070f7d039e43511 Author: Casey Schaufler casey@schaufler-ca.com Date: Tue Aug 23 16:46:18 2022 -0700

Smack: Provide read control for io_uring_cmd

Limit io_uring "cmd" options to files for which the caller has Smack read access. There may be cases where the cmd option may be closer to a write access than a read, but there is no way to make that determination.

Signed-off-by: Paul Moore paul@paul-moore.com --- security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6207762dbdb1..b30e20f64471 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -42,6 +42,7 @@ #include <linux/fs_context.h> #include <linux/fs_parser.h> #include <linux/watch_queue.h> +#include <linux/io_uring.h> #include "smack.h"

#define TRANS_TRUE "TRUE" @@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void) return -EPERM; }

+/** + * smack_uring_cmd - check on file operations for io_uring + * @ioucmd: the command in question + * + * Make a best guess about whether a io_uring "command" should + * be allowed. Use the same logic used for determining if the + * file could be opened for read in the absence of better criteria. + */ +static int smack_uring_cmd(struct io_uring_cmd *ioucmd) +{ + struct file *file = ioucmd->file; + struct smk_audit_info ad; + struct task_smack *tsp; + struct inode *inode; + int rc; + + if (!file) + return -EINVAL; + + tsp = smack_cred(file->f_cred); + inode = file_inode(file); + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); + smk_ad_setfield_u_fs_path(&ad, file->f_path); + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); + rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); + + return rc; +} + #endif /* CONFIG_IO_URING */

struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { @@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IO_URING LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), + LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), #endif };

Casey Schaufler

9:25 p.m.

New subject: [v5.19.y PATCH 3/3] Smack: Provide read control for io_uring_cmd

On 9/6/2022 2:03 PM, Paul Moore wrote:

...

Backport the following upstream commit into Linux v5.19.y:

commit dd9373402280cf4715fdc8fd5070f7d039e43511
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Tue Aug 23 16:46:18 2022 -0700

Smack: Provide read control for io_uring_cmd

Limit io_uring "cmd" options to files for which the caller has
Smack read access. There may be cases where the cmd option may
be closer to a write access than a read, but there is no way
to make that determination.

Signed-off-by: Paul Moore paul@paul-moore.com

Acked-by: Casey Schaufler casey@schaufler-ca.com

...

security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 6207762dbdb1..b30e20f64471 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -42,6 +42,7 @@ #include <linux/fs_context.h> #include <linux/fs_parser.h> #include <linux/watch_queue.h> +#include <linux/io_uring.h> #include "smack.h" #define TRANS_TRUE "TRUE" @@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void) return -EPERM; } +/**

smack_uring_cmd - check on file operations for io_uring

@ioucmd: the command in question

Make a best guess about whether a io_uring "command" should

be allowed. Use the same logic used for determining if the

file could be opened for read in the absence of better criteria.

*/

+static int smack_uring_cmd(struct io_uring_cmd *ioucmd) +{
struct file *file = ioucmd->file;

struct smk_audit_info ad;

struct task_smack *tsp;

struct inode *inode;

int rc;

if (!file)
return -EINVAL;
tsp = smack_cred(file->f_cred);

inode = file_inode(file);

smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);

smk_ad_setfield_u_fs_path(&ad, file->f_path);

rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);

rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);

return rc;
+}

#endif /* CONFIG_IO_URING */ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { @@ -4896,6 +4927,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IO_URING LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),

LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),

#endif };

Greg KH

11 Sep 11 Sep

11:36 a.m.

On Tue, Sep 06, 2022 at 05:03:36PM -0400, Paul Moore wrote:

...

The stable patch merging tools failed to automatically merge the io_uring/LSM CMD passthrough controls into the stable v5.19.y branch, so I'm doing the backport manually and submitting them directly to stable for the next v5.19.y release. The backport is necessary due to the reorg/decomposition of the io_uring code in io_uring/ during the v5.19->v6.0 merge window. Other than the differences in the filenames under io_uring, the code changes are pretty much the same.

I've done some basic sanity testing this afternoon with these patches and everything looks good to me.

If you would prefer to pull these directly from a git tree instead of email, they are available via the LSM tree on the stable-5.19 branch, using the lsm-pr-20220906 tag.

git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git lsm-pr-20220906

Now queued up, thanks. Note, you dropped the original signed-off-by of the original commits, which I had to add back by hand :(

greg k-h

850

days inactive

855

days old

linux-stable-mirror@lists.linaro.org

5 comments

participants

tags (0)

participants (3)

Casey Schaufler
Greg KH
Paul Moore