From: Joel Granados <[email protected]>
To: Paul Moore <[email protected]>
Cc: <[email protected]>,
<[email protected]>, <[email protected]>,
Arnd Bergmann <[email protected]>,
Greg Kroah-Hartman <[email protected]>,
Luis Chamberlain <[email protected]>
Subject: Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
Date: Thu, 1 Sep 2022 22:15:51 +0200 [thread overview]
Message-ID: <20220901201551.hmdrvthtin4gkdz3@localhost> (raw)
In-Reply-To: <166120327379.369593.4939320600435400704.stgit@olly>
[-- Attachment #1: Type: text/plain, Size: 7540 bytes --]
Hey Paul
I realize that you have already sent this upstream but I wanted to share
the Selinux part of the testing that we did to see if there is any
feedback.
With my tests I see that the selinux_uring_cmd hook is run and it
results in a "avc : denied" when I run it with selinux in permissive
mode with an unpriviledged user. I assume that this is the expected
behavior. Here is how I tested
*** With the patch:
* I ran the io_uring_passthrough.c test on a char device with an
unpriviledged user.
* I took care of changing the permissions of /dev/ng0n1 to 666 prior
to any testing.
* made sure that Selinux was in permissive mode.
* Made sure to have audit activated by passing "audit=1" to the kernel
* After noticing that some audit messages where getting lost I upped the
backlog limit to 256
* Prior to executing the test, I also placed a breakpoint inside
selinux_uring_cmd to make sure that it was executed.
* This is the output of the audit when I executed the test:
[ 136.615924] audit: type=1400 audit(1662043624.701:94): avc: denied { create } for pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
[ 136.621036] audit: type=1300 audit(1662043624.701:94): arch=c000003e syscall=425 success=yes exit=3 a0=40 a1=7ffca29835a0 a2=7ffca29835a0 a3=561529be2300 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
[ 136.624812] audit: type=1327 audit(1662043624.701:94): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
[ 136.626074] audit: type=1400 audit(1662043624.702:95): avc: denied { map } for pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
[ 136.628012] audit: type=1400 audit(1662043624.702:95): avc: denied { read write } for pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
[ 136.629873] audit: type=1300 audit(1662043624.702:95): arch=c000003e syscall=9 success=yes exit=140179765297152 a0=0 a1=1380 a2=3 a3=8001 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
[ 136.632415] audit: type=1327 audit(1662043624.702:95): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
[ 136.633652] audit: type=1400 audit(1662043624.705:96): avc: denied { cmd } for pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
[ 136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
[ 136.636863] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
* From the output on time 136.633652 I see that the access should have
been denied had selinux been enforcing.
* I also saw that the breakpoint hit.
*** Without the patch:
* I ran the io_uring_passthrough.c test on a char device with an
unpriviledged user.
* I took care of changing the permissions of /dev/ng0n1 to 666 prior
to any testing.
* made sure that Selinux was in permissive mode.
* Made sure to have audit activated by passing "audit=1" to the kernel
* After noticing that some audit messages where getting lost I upped the
backlog limit to 256
* There were no audit messages when I executed the test.
As with my smack tests I would really appreciate feecback on the
approach I took to testing and it's validity.
Thx in advance
Best
On Mon, Aug 22, 2022 at 05:21:13PM -0400, Paul Moore wrote:
> Add a SELinux access control for the iouring IORING_OP_URING_CMD
> command. This includes the addition of a new permission in the
> existing "io_uring" object class: "cmd". The subject of the new
> permission check is the domain of the process requesting access, the
> object is the open file which points to the device/file that is the
> target of the IORING_OP_URING_CMD operation. A sample policy rule
> is shown below:
>
> allow <domain> <file>:io_uring { cmd };
>
> Cc: [email protected]
> Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
> Signed-off-by: Paul Moore <[email protected]>
> ---
> security/selinux/hooks.c | 24 ++++++++++++++++++++++++
> security/selinux/include/classmap.h | 2 +-
> 2 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 79573504783b..03bca97c8b29 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -91,6 +91,7 @@
> #include <uapi/linux/mount.h>
> #include <linux/fsnotify.h>
> #include <linux/fanotify.h>
> +#include <linux/io_uring.h>
>
> #include "avc.h"
> #include "objsec.h"
> @@ -6987,6 +6988,28 @@ static int selinux_uring_sqpoll(void)
> return avc_has_perm(&selinux_state, sid, sid,
> SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
> }
> +
> +/**
> + * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
> + * @ioucmd: the io_uring command structure
> + *
> + * Check to see if the current domain is allowed to execute an
> + * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
> + *
> + */
> +static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
> +{
> + struct file *file = ioucmd->file;
> + struct inode *inode = file_inode(file);
> + struct inode_security_struct *isec = selinux_inode(inode);
> + struct common_audit_data ad;
> +
> + ad.type = LSM_AUDIT_DATA_FILE;
> + ad.u.file = file;
> +
> + return avc_has_perm(&selinux_state, current_sid(), isec->sid,
> + SECCLASS_IO_URING, IO_URING__CMD, &ad);
> +}
> #endif /* CONFIG_IO_URING */
>
> /*
> @@ -7231,6 +7254,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> #ifdef CONFIG_IO_URING
> LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
> LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
> + LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
> #endif
>
> /*
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index ff757ae5f253..1c2f41ff4e55 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = {
> { "anon_inode",
> { COMMON_FILE_PERMS, NULL } },
> { "io_uring",
> - { "override_creds", "sqpoll", NULL } },
> + { "override_creds", "sqpoll", "cmd", NULL } },
> { NULL }
> };
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2022-09-01 20:16 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-22 21:21 [PATCH 0/3] LSM hooks for IORING_OP_URING_CMD Paul Moore
2022-08-22 21:21 ` [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op Paul Moore
2022-08-23 6:53 ` Greg Kroah-Hartman
2022-08-23 16:48 ` Paul Moore
2022-08-24 6:12 ` Greg Kroah-Hartman
2022-08-24 14:00 ` Paul Moore
2022-08-22 21:21 ` [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook Paul Moore
2022-08-23 6:52 ` Greg Kroah-Hartman
2022-08-23 16:49 ` Paul Moore
[not found] ` <CGME20220901201553eucas1p258ee1cba97c888aab172d31d9c06e922@eucas1p2.samsung.com>
2022-09-01 20:15 ` Joel Granados [this message]
2022-09-01 21:30 ` Paul Moore
2022-09-07 8:17 ` Joel Granados
2022-09-16 12:59 ` Joel Granados
2022-08-22 21:21 ` [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support Paul Moore
2022-08-22 22:36 ` Jens Axboe
2022-08-22 23:09 ` Paul Moore
2022-08-22 23:13 ` Jens Axboe
2022-08-22 23:19 ` Paul Moore
2022-08-22 23:25 ` Jens Axboe
2022-08-22 23:37 ` Paul Moore
2022-08-23 6:51 ` Greg Kroah-Hartman
2022-08-23 13:33 ` Jens Axboe
2022-08-23 17:02 ` Paul Moore
2022-08-23 6:52 ` Greg Kroah-Hartman
2022-08-23 17:02 ` Paul Moore
2022-08-24 6:10 ` Greg Kroah-Hartman
2022-08-24 14:06 ` Paul Moore
2022-08-26 16:27 ` [PATCH 0/3] LSM hooks for IORING_OP_URING_CMD Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220901201551.hmdrvthtin4gkdz3@localhost \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox