lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4ad606c2-c7d1-4463-a2f1-4fd0c63c6e9b@schaufler-ca.com>
Date: Thu, 19 Dec 2024 13:34:14 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>,
 linux-security-module@...r.kernel.org, io-uring@...r.kernel.org
Cc: Paul Moore <paul@...l-moore.com>, Jens Axboe <axboe@...nel.dk>,
 James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>,
 Pavel Begunkov <asml.silence@...il.com>,
 Stephen Smalley <stephen.smalley.work@...il.com>,
 Ondrej Mosnacek <omosnace@...hat.com>, Thiébaud Weksteen
 <tweek@...gle.com>, Masahiro Yamada <masahiroy@...nel.org>,
 Bram Bonné <brambonne@...gle.com>,
 linux-kernel@...r.kernel.org, selinux@...r.kernel.org,
 Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH] lsm,io_uring: add LSM hooks for io_uring_setup()

On 12/19/2024 12:41 PM, Hamza Mahfooz wrote:
> It is desirable to allow LSM to configure accessibility to io_uring.

Why is it desirable to allow LSM to configure accessibility to io_uring?

>  So,
> add an LSM for io_uring_allowed() to guard access to io_uring.
>
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: Jens Axboe <axboe@...nel.dk>
> Signed-off-by: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>
> ---
>  include/linux/lsm_hook_defs.h       |  1 +
>  include/linux/security.h            |  5 +++++
>  io_uring/io_uring.c                 | 21 ++++++++++++++-------
>  security/security.c                 | 12 ++++++++++++
>  security/selinux/hooks.c            | 14 ++++++++++++++
>  security/selinux/include/classmap.h |  2 +-
>  6 files changed, 47 insertions(+), 8 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index eb2937599cb0..ee45229418dd 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -456,6 +456,7 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
>  LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
>  LSM_HOOK(int, 0, uring_sqpoll, void)
>  LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
> +LSM_HOOK(int, 0, uring_allowed, void)
>  #endif /* CONFIG_IO_URING */
>  
>  LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index cbdba435b798..0a5e897289e8 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -2351,6 +2351,7 @@ static inline int security_perf_event_write(struct perf_event *event)
>  extern int security_uring_override_creds(const struct cred *new);
>  extern int security_uring_sqpoll(void);
>  extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
> +extern int security_uring_allowed(void);
>  #else
>  static inline int security_uring_override_creds(const struct cred *new)
>  {
> @@ -2364,6 +2365,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
>  {
>  	return 0;
>  }
> +extern int security_uring_allowed(void)
> +{
> +	return 0;
> +}
>  #endif /* CONFIG_SECURITY */
>  #endif /* CONFIG_IO_URING */
>  
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 06ff41484e29..0922bb0724c0 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -3806,29 +3806,36 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
>  	return io_uring_create(entries, &p, params);
>  }
>  
> -static inline bool io_uring_allowed(void)
> +static inline int io_uring_allowed(void)
>  {
>  	int disabled = READ_ONCE(sysctl_io_uring_disabled);
>  	kgid_t io_uring_group;
>  
>  	if (disabled == 2)
> -		return false;
> +		return -EPERM;
>  
>  	if (disabled == 0 || capable(CAP_SYS_ADMIN))
> -		return true;
> +		goto allowed_lsm;
>  
>  	io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group);
>  	if (!gid_valid(io_uring_group))
> -		return false;
> +		return -EPERM;
> +
> +	if (!in_group_p(io_uring_group))
> +		return -EPERM;
>  
> -	return in_group_p(io_uring_group);
> +allowed_lsm:
> +	return security_uring_allowed();
>  }
>  
>  SYSCALL_DEFINE2(io_uring_setup, u32, entries,
>  		struct io_uring_params __user *, params)
>  {
> -	if (!io_uring_allowed())
> -		return -EPERM;
> +	int ret;
> +
> +	ret = io_uring_allowed();
> +	if (ret)
> +		return ret;
>  
>  	return io_uring_setup(entries, params);
>  }
> diff --git a/security/security.c b/security/security.c
> index 09664e09fec9..e4d532e4ead4 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -5996,6 +5996,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
>  {
>  	return call_int_hook(uring_cmd, ioucmd);
>  }
> +
> +/**
> + * security_uring_allowed() - Check if io_uring_setup() is allowed
> + *
> + * Check whether the current task is allowed to call io_uring_setup().
> + *
> + * Return: Returns 0 if permission is granted.
> + */
> +int security_uring_allowed(void)
> +{
> +	return call_int_hook(uring_allowed);
> +}
>  #endif /* CONFIG_IO_URING */
>  
>  /**
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 366c87a40bd1..b4e298c51c16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7117,6 +7117,19 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
>  	return avc_has_perm(current_sid(), isec->sid,
>  			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
>  }
> +
> +/**
> + * selinux_uring_allowed - check if io_uring_setup() can be called
> + *
> + * Check to see if the current task is allowed to call io_uring_setup().
> + */
> +static int selinux_uring_allowed(void)
> +{
> +	u32 sid = current_sid();
> +
> +	return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
> +			    NULL);
> +}
>  #endif /* CONFIG_IO_URING */
>  
>  static const struct lsm_id selinux_lsmid = {
> @@ -7370,6 +7383,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
>  	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
>  	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
>  	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
> +	LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
>  #endif
>  
>  	/*
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 2bc20135324a..5ae222f7e543 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = {
>  	{ "perf_event",
>  	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
>  	{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
> -	{ "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
> +	{ "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
>  	{ "user_namespace", { "create", NULL } },
>  	{ NULL }
>  };

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ