Hey Paul On Thu, Sep 01, 2022 at 05:30:38PM -0400, Paul Moore wrote: > On Thu, Sep 1, 2022 at 4:15 PM Joel Granados wrote: > > Hey Paul > > > > I realize that you have already sent this upstream but I wanted to share > > the Selinux part of the testing that we did to see if there is any > > feedback. > > > > With my tests I see that the selinux_uring_cmd hook is run and it > > results in a "avc : denied" when I run it with selinux in permissive > > mode with an unpriviledged user. I assume that this is the expected > > behavior. Here is how I tested > > > > *** With the patch: > > * I ran the io_uring_passthrough.c test on a char device with an > > unpriviledged user. > > * I took care of changing the permissions of /dev/ng0n1 to 666 prior > > to any testing. > > * made sure that Selinux was in permissive mode. > > * Made sure to have audit activated by passing "audit=1" to the kernel > > * After noticing that some audit messages where getting lost I upped the > > backlog limit to 256 > > * Prior to executing the test, I also placed a breakpoint inside > > selinux_uring_cmd to make sure that it was executed. > > * This is the output of the audit when I executed the test: > > > > [ 136.615924] audit: type=1400 audit(1662043624.701:94): avc: denied { create } for pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1 > > [ 136.621036] audit: type=1300 audit(1662043624.701:94): arch=c000003e syscall=425 success=yes exit=3 a0=40 a1=7ffca29835a0 a2=7ffca29835a0 a3=561529be2300 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null) > > [ 136.624812] audit: type=1327 audit(1662043624.701:94): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31 > > [ 136.626074] audit: type=1400 audit(1662043624.702:95): avc: denied { map } for pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1 > > [ 136.628012] audit: type=1400 audit(1662043624.702:95): avc: denied { read write } for pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1 > > [ 136.629873] audit: type=1300 audit(1662043624.702:95): arch=c000003e syscall=9 success=yes exit=140179765297152 a0=0 a1=1380 a2=3 a3=8001 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null) > > [ 136.632415] audit: type=1327 audit(1662043624.702:95): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31 > > [ 136.633652] audit: type=1400 audit(1662043624.705:96): avc: denied { cmd } for pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1 > > [ 136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null) > > [ 136.636863] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null) > > > > * From the output on time 136.633652 I see that the access should have > > been denied had selinux been enforcing. > > * I also saw that the breakpoint hit. > > > > *** Without the patch: > > * I ran the io_uring_passthrough.c test on a char device with an > > unpriviledged user. > > * I took care of changing the permissions of /dev/ng0n1 to 666 prior > > to any testing. > > * made sure that Selinux was in permissive mode. > > * Made sure to have audit activated by passing "audit=1" to the kernel > > * After noticing that some audit messages where getting lost I upped the > > backlog limit to 256 > > * There were no audit messages when I executed the test. > > > > As with my smack tests I would really appreciate feecback on the > > approach I took to testing and it's validity. > > Hi Joel, > > Thanks for the additional testing and verification! Work like this is > always welcome, regardless if the patch has already been merged > upstream. np > > As far as you test approach is concerned, I think you are on the right > track, I might suggest resolving the other SELinux/AVC denials you are > seeing with your test application to help reduce the noise in the > logs. Are you familiar with the selinux-testsuite (link below)? > > * https://protect2.fireeye.com/v1/url?k=6f356c96-0ebe79ac-6f34e7d9-74fe4860008a-01002a6e4c92bb3e&q=1&e=46f33488-9311-49fa-9747-da210f2d147d&u=https%3A%2F%2Fgithub.com%2FSELinuxProject%2Fselinux-testsuite Thx. Could not figure out how to remove the AVC from a quick look at the page, but I'll probably figures something out :). ATM, I'm doing a performance test on the io_uring_passtrhough path to see how much, if any, perf we loose. Thx again Best Joel > > -- > paul-moore.com