public inbox for [email protected]
 help / color / mirror / Atom feed
From: Joel Granados <[email protected]>
To: Casey Schaufler <[email protected]>
Cc: Kanchan Joshi <[email protected]>,
	Paul Moore <[email protected]>, Jens Axboe <[email protected]>,
	Ankit Kumar <[email protected]>, <[email protected]>
Subject: Re: [PATCH] Smack: Provide read control for io_uring_cmd
Date: Wed, 31 Aug 2022 09:15:01 +0200	[thread overview]
Message-ID: <20220831071501.xdj7njudv5ovrl64@localhost> (raw)
In-Reply-To: <[email protected]>

[-- Attachment #1: Type: text/plain, Size: 8404 bytes --]

On Tue, Aug 30, 2022 at 07:16:55AM -0700, Casey Schaufler wrote:
> On 8/30/2022 6:08 AM, Joel Granados wrote:
> > Hey Casey
> >
> > I have tested this patch and I see the smack_uring_cmd prevents access
> > to file when smack labels are different. They way I got there was a bit
> > convoluted and I'll describe it here so ppl can judge how valid the test
> > is.
> >
> > Tested-by: Joel Granados <[email protected]>
> 
> Thank you.
np

> 
> >
> > I started by reproducing what Kanchan had done by changing the smack
> > label from "_" to "Snap". Then I ran the io_uring passthrough test
> > included in liburing with an unprivileged user and saw that the
> > smack_uring_cmd function was NOT executed because smack prevented an open on
> > the device file ("/dev/ng0n1" on my box).
> >
> > So here I got a bit sneaky and changed the label after the open to the
> > device was done. This is how I did it:
> > 1. In the io_uring_passthrough.c tests I stopped execution after the
> >    device was open and before the actual IO.
> > 2. While on hold I changed the label of the device from "_" to "Snap".
> >    At this point the device had a "Snap" label and the executable had a
> >    "_" label.
> > 3. Previous to execution I had placed a printk inside the
> >    smack_uring_cmd function. And I also made sure to printk whenever
> >    security_uring_command returned because of a security violation.
> > 4. I continued execution and saw that both smack_uiring_cmd and
> >    io_uring_cmd returned error. Which is what I expected.
> >
> > I'm still a bit unsure of my setup so if anyone has comments or a way to
> > make it better, I would really appreciate feedback.
> 
> This is a perfectly rational approach to the test. Another approach
> would be to add a Smack access rule:
> 
> 	echo "_ Snap r" > /sys/fs/smackfs/load2
> 
> and label the device before the test begins. Step 2 changes from labeling
> the device to removing the access rule:
> 
> 	echo "_ Snap -" > /sys/fs/smackfs/load2
> 
> and you will get the same result. I wouldn't change your test, but I
> would probably add another that does it using the rule change.

Followed your proposal and I could see that it went passed the "file
open: permission denied" error. However it did not execute
smack_uring_cmd as smack prevented execution of an ioctl call [1]. This
is probably because the test that I'm using from liburing does a lot of
things to set things up besides just opening the device.
I tried several strings on /sys/fs/smackfs/load2 but had no
luck at actually arriving to the smack_uring_cmd function.

Here is what I tried:
1. echo "_ Snap r-x---" > /sys/fs/smackfs/load2
   which prevented access but not in smack_uring_cmd

2. echo "_ Snap -wx---" > /sys/fs/smackfs/load2
   This of course prevented me from opening the /dev/ng0n1

3. echo "_ Snap rw----" > /sys/fs/smackfs/load2
   This went through the smack_uring_cmd and allowed the interaction.

[1] : Here is the traceback of where smack prevents execution of the
      ioctl call:

#0  smk_tskacc (tsp=0xffff888107a27300, obj_known=0xffff888105dda540, mode=mode@entry=2, a=a@entry=0xffffc90000c3be80)
    at ../security/smack/smack_access.c:258
#1  0xffffffff8143fbb0 in smk_curacc (obj_known=<optimized out>, mode=mode@entry=2, a=a@entry=0xffffc90000c3be80) at ../security/smack/smack_access.c:278
#2  0xffffffff8143b4e4 in smack_file_ioctl (file=<optimized out>, cmd=3225964097, arg=<optimized out>) at ../security/smack/smack_lsm.c:1539
#3  0xffffffff81411c3f in security_file_ioctl (file=file@entry=0xffff8881038c8b00, cmd=cmd@entry=3225964097, arg=arg@entry=140728408424048)
    at ../security/security.c:1552
#4  0xffffffff8126ca3e in __do_sys_ioctl (arg=140728408424048, cmd=3225964097, fd=3) at ../fs/ioctl.c:864
#5  __se_sys_ioctl (arg=140728408424048, cmd=3225964097, fd=3) at ../fs/ioctl.c:856
#6  __x64_sys_ioctl (regs=<optimized out>) at ../fs/ioctl.c:856
#7  0xffffffff81da0978 in do_syscall_x64 (nr=<optimized out>, regs=0xffffc90000c3bf58) at ../arch/x86/entry/common.c:50
#8  do_syscall_64 (regs=0xffffc90000c3bf58, nr=<optimized out>) at ../arch/x86/entry/common.c:80
#9  0xffffffff81e0009b in entry_SYSCALL_64 () at ../arch/x86/entry/entry_64.S:120
#10 0x00007f9c22ae9000 in ?? ()
#11 0x0000000000000000 in ?? ()


> 
> > Best
> >
> > Joel
> >
> > On Mon, Aug 29, 2022 at 09:20:09AM -0700, Casey Schaufler wrote:
> >> On 8/27/2022 8:59 AM, Kanchan Joshi wrote:
> >>> On Tue, Aug 23, 2022 at 04:46:18PM -0700, Casey Schaufler wrote:
> >>>> Limit io_uring "cmd" options to files for which the caller has
> >>>> Smack read access. There may be cases where the cmd option may
> >>>> be closer to a write access than a read, but there is no way
> >>>> to make that determination.
> >>>>
> >>>> Signed-off-by: Casey Schaufler <[email protected]>
> >>>> -- 
> >>>> security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++
> >>>> 1 file changed, 32 insertions(+)
> >>>>
> >>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> >>>> index 001831458fa2..bffccdc494cb 100644
> >>>> --- a/security/smack/smack_lsm.c
> >>>> +++ b/security/smack/smack_lsm.c
> >>>> @@ -42,6 +42,7 @@
> >>>> #include <linux/fs_context.h>
> >>>> #include <linux/fs_parser.h>
> >>>> #include <linux/watch_queue.h>
> >>>> +#include <linux/io_uring.h>
> >>>> #include "smack.h"
> >>>>
> >>>> #define TRANS_TRUE    "TRUE"
> >>>> @@ -4732,6 +4733,36 @@ static int smack_uring_sqpoll(void)
> >>>>     return -EPERM;
> >>>> }
> >>>>
> >>>> +/**
> >>>> + * smack_uring_cmd - check on file operations for io_uring
> >>>> + * @ioucmd: the command in question
> >>>> + *
> >>>> + * Make a best guess about whether a io_uring "command" should
> >>>> + * be allowed. Use the same logic used for determining if the
> >>>> + * file could be opened for read in the absence of better criteria.
> >>>> + */
> >>>> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
> >>>> +{
> >>>> +    struct file *file = ioucmd->file;
> >>>> +    struct smk_audit_info ad;
> >>>> +    struct task_smack *tsp;
> >>>> +    struct inode *inode;
> >>>> +    int rc;
> >>>> +
> >>>> +    if (!file)
> >>>> +        return -EINVAL;
> >>>> +
> >>>> +    tsp = smack_cred(file->f_cred);
> >>>> +    inode = file_inode(file);
> >>>> +
> >>>> +    smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
> >>>> +    smk_ad_setfield_u_fs_path(&ad, file->f_path);
> >>>> +    rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
> >>>> +    rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
> >>>> +
> >>>> +    return rc;
> >>>> +}
> >>>> +
> >>>> #endif /* CONFIG_IO_URING */
> >>>>
> >>>> struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
> >>>> @@ -4889,6 +4920,7 @@ static struct security_hook_list smack_hooks[]
> >>>> __lsm_ro_after_init = {
> >>>> #ifdef CONFIG_IO_URING
> >>>>     LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
> >>>>     LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
> >>>> +    LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
> >>>> #endif
> >>> Tried this on nvme device (/dev/ng0n1).
> >>> Took a while to come out of noob setup-related issues but I see that
> >>> smack is listed (in /sys/kernel/security/lsm), smackfs is present, and
> >>> the hook (smack_uring_cmd) gets triggered fine on doing I/O on
> >>> /dev/ng0n1.
> >>>
> >>> I/O goes fine, which seems aligned with the label on /dev/ng0n1 (which
> >>> is set to floor).
> >>>
> >>> $ chsmack -L /dev/ng0n1
> >>> /dev/ng0n1 access="_"
> >> Setting the Smack on the object that the cmd operates on to
> >> something other than "_" would be the correct test. If that
> >> is /dev/ng0n1 you could use
> >>
> >> 	# chsmack -a Snap /dev/ng0n1
> >>
> >> The unprivileged user won't be able to read /dev/ng0n1 so you
> >> won't get as far as testing the cmd interface. I don't know
> >> io_uring and nvme well enough to know what other objects may
> >> be involved. Noob here, too.
> >>
> >>> I ran fio (/usr/bin/fio), which also has the same label.
> >>> Hope you expect the same outcome.
> >>>
> >>> Do you run something else to see that things are fine e.g. for
> >>> /dev/null, which also has the same label "_".
> >>> If yes, I can try the same on nvme side.
> >>>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

      reply	other threads:[~2022-08-31  7:19 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CGME20220719135821epcas5p1b071b0162cc3e1eb803ca687989f106d@epcas5p1.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 0/5] Add basic test for nvme uring passthrough commands Ankit Kumar
     [not found]   ` <CGME20220719135832epcas5p31bb7df7c931aba12454b6f16c966a7c8@epcas5p3.samsung.com>
2022-07-19 13:52     ` [PATCH liburing 1/5] configure: check for nvme uring command support Ankit Kumar
     [not found]   ` <CGME20220719135834epcas5p2f63a49277322756394f19e23a1c4e4ce@epcas5p2.samsung.com>
2022-07-19 13:52     ` [PATCH liburing 2/5] io_uring.h: sync sqe entry with 5.20 io_uring Ankit Kumar
     [not found]   ` <CGME20220719135835epcas5p2284cbb16a28c4290d3a886449bc7a6d8@epcas5p2.samsung.com>
2022-07-19 13:52     ` [PATCH liburing 3/5] nvme: add nvme opcodes, structures and helper functions Ankit Kumar
     [not found]   ` <CGME20220719135836epcas5p3f28b20cab964ced538d5a7fdfe367bb4@epcas5p3.samsung.com>
2022-07-19 13:52     ` [PATCH liburing 4/5] test: add io_uring passthrough test Ankit Kumar
     [not found]   ` <CGME20220719135837epcas5p1eb4beb20bdfbdaaa7409d7b1f6355909@epcas5p1.samsung.com>
2022-07-19 13:52     ` [PATCH liburing 5/5] test/io_uring_passthrough: add test case for poll IO Ankit Kumar
2022-08-12  0:43   ` [PATCH liburing 0/5] Add basic test for nvme uring passthrough commands Casey Schaufler
2022-08-12  1:51     ` Jens Axboe
2022-08-12 15:33       ` Paul Moore
2022-08-12 16:03         ` Casey Schaufler
2022-08-13 11:35           ` Kanchan Joshi
2022-08-23 23:46         ` [PATCH] Smack: Provide read control for io_uring_cmd Casey Schaufler
2022-08-24  0:05           ` Paul Moore
2022-08-24  0:07             ` Jens Axboe
2022-08-26 15:15               ` Paul Moore
2022-08-26 16:53                 ` Casey Schaufler
2022-08-26 18:59                   ` Paul Moore
2022-08-26 19:04                     ` Casey Schaufler
2022-08-26 19:10                       ` Paul Moore
2022-08-26 19:31                         ` Casey Schaufler
2022-08-27 15:59           ` Kanchan Joshi
2022-08-29 16:20             ` Casey Schaufler
2022-08-30 13:08               ` Joel Granados
2022-08-30 14:16                 ` Casey Schaufler
2022-08-31  7:15                   ` Joel Granados [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220831071501.xdj7njudv5ovrl64@localhost \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox