lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHC9VhRUzr2XpfP5XJpXLxEhYoFvtee8OgEwvib1x7+H7B68Qg@mail.gmail.com>
Date: Wed, 26 Mar 2025 10:50:47 -0400
From: Paul Moore <paul@...l-moore.com>
To: cgzones@...glemail.com
Cc: Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, 
	Thiébaud Weksteen <tweek@...gle.com>, 
	Miklos Szeredi <mszeredi@...hat.com>, Bram Bonné <brambonne@...gle.com>, 
	"Kipp N. Davis" <kippndavis.work@....com>, Masahiro Yamada <masahiroy@...nel.org>, 
	Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>, Jens Axboe <axboe@...nel.dk>, 
	selinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] selinux: rename io_uring permission to match syscall

On Wed, Mar 26, 2025 at 6:38 AM Christian Göttsche
<cgoettsche@...tendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@...glemail.com>
>
> Commit c6ad9fdbd44b ("io_uring,lsm,selinux: add LSM hooks for
> io_uring_setup()") introduced the LSM hook `uring_allowed` and
> implemented it in SELinux via a new `io_uring` class permission
> `allowed`.  Rename the permission to `setup` since most permission verbs
> are named after the corresponding syscall ...

Some permissions are named after a syscall, but there are also a
number that are not.  I believe "allowed" is the right choice here as
it better reflects the intent of the permission.

As an aside, the original draft of this patch was sent to the lists
back in late December and the final revision was merged in early
February before going up to Linus a few days ago.  While I maintain
that "allowed" is the better choice, the proper time to raise your
concerns would have been during the past few months, not now.

> ... in this case
> io_uring_setup(2), and avoid confusing policy rules with an allow
> keyword and an allowed permission.
>
> Fixes: c6ad9fdbd44b ("io_uring,lsm,selinux: add LSM hooks for io_uring_setup()")
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> Note: this patch targets torvalds/master
> ---
>  security/selinux/hooks.c            | 2 +-
>  security/selinux/include/classmap.h | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 7150c953fec3..bcc66dea8bdc 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7188,7 +7188,7 @@ static int selinux_uring_allowed(void)
>  {
>         u32 sid = current_sid();
>
> -       return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
> +       return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__SETUP,
>                             NULL);
>  }
>  #endif /* CONFIG_IO_URING */
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 04a9b480885e..49fb584f2056 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -179,7 +179,7 @@ const struct security_class_mapping secclass_map[] = {
>         { "perf_event",
>           { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
>         { "anon_inode", { COMMON_FILE_PERMS, NULL } },
> -       { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
> +       { "io_uring", { "override_creds", "sqpoll", "cmd", "setup", NULL } },
>         { "user_namespace", { "create", NULL } },
>         /* last one */ { NULL, {} }
>  };
> --
> 2.49.0

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ