Date:   Mon,  7 Nov 2022 15:57:53 -0500
From:   Gil Cukierman <cukie@...gle.com>
To:     Paul Moore <paul@...l-moore.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Eric Paris <eparis@...isplace.org>
Cc:     Gil Cukierman <cukie@...gle.com>, kernel-team@...roid.com,
        selinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v1 2/2] selinux: add support for the io_uring setup permission

This patch implements a new io_uring permission that controls
access to the io_uring_setup system call. The new permission,
io_uring { setup }, is added to the existing io_uring class.
This is important as it allows users to restrict their attack
surface by limiting which subjects are allowed to retrieve fds
from the kernel that are necessary for the use of all other
io_uring functionality.

Signed-off-by: Gil Cukierman <cukie@...gle.com>
---
 security/selinux/hooks.c            | 13 +++++++++++++
 security/selinux/include/classmap.h |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f553c370397e..d2becf833a07 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7012,6 +7012,18 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
 	return avc_has_perm(&selinux_state, current_sid(), isec->sid,
 			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
 }
+/**
+ * selinux_uring_setup - check to see if io_uring setup is allowed
+ *
+ * Check to see if the current task is allowed to execute io_uring_setup.
+ */
+static int selinux_uring_setup(void)
+{
+	int sid = current_sid();
+
+	return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING,
+			    IO_URING__SETUP, NULL);
+}
 #endif /* CONFIG_IO_URING */
 
 /*
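Review bot: `int sid = current_sid();` should be `u32 sid = current_sid();` to match the type current_sid() returns and the way the other SELinux hooks in this file declare sids; storing a u32 security identifier in an int invites sign-related warnings and inconsistency. Also, there is no blank line between the closing `}` of selinux_uring_cmd and the new `/**` kernel-doc block, which breaks the file's usual spacing between functions. The check itself (subject sid against itself with SECCLASS_IO_URING / IO_URING__SETUP and no audit data) follows the pattern of the neighbouring io_uring hooks, which is the right shape for a per-domain gate on ring creation.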
@@ -7258,6 +7270,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
 	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
 	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+	LSM_HOOK_INIT(uring_setup, selinux_uring_setup),
 #endif
 
 	/*
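Review bot: the `LSM_HOOK_INIT(uring_setup, selinux_uring_setup)` registration relies on the `uring_setup` LSM hook being defined by the first patch of this series (this is 2/2), so the two must be applied in order or this file fails to build; it would help to say so in the cover letter or commit message for anyone bisecting. Placement inside the existing `#ifdef CONFIG_IO_URING` block alongside uring_override_creds, uring_sqpoll and uring_cmd is consistent with the rest of the table.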
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index a3c380775d41..48da4e7f7d62 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = {
 	{ "anon_inode",
 	  { COMMON_FILE_PERMS, NULL } },
 	{ "io_uring",
-	  { "override_creds", "sqpoll", "cmd", NULL } },
+	  { "override_creds", "sqpoll", "cmd", "setup", NULL } },
 	{ "user_namespace",
 	  { "create", NULL } },
 	{ NULL }
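Review bot: adding `"setup"` to the io_uring class means every domain that creates a ring now needs an `allow <domain> self:io_uring setup;` rule; on a system whose loaded policy predates this permission, the access decision falls back to the policy's handle-unknown setting (deny or allow), and the commit message should spell this out so policy authors and distributions know to add the rule before deploying a kernel with this change. The userspace policy definitions (refpolicy, Android policy, and the SELinux documentation of the io_uring class) also need a matching update for the new permission to be usable.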
-- 
2.38.0.135.g90850a2211-goog
