public inbox for [email protected]
 help / color / mirror / Atom feed
From: Jens Axboe <[email protected]>
To: Casey Schaufler <[email protected]>,
	Paul Moore <[email protected]>,
	Luis Chamberlain <[email protected]>
Cc: [email protected], [email protected],
	[email protected], [email protected],
	[email protected], [email protected],
	[email protected]
Subject: Re: [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op
Date: Fri, 15 Jul 2022 17:05:23 -0600	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>

On 7/15/22 5:03 PM, Casey Schaufler wrote:
> On 7/15/2022 1:50 PM, Casey Schaufler wrote:
>> On 7/15/2022 11:46 AM, Paul Moore wrote:
>>> On Thu, Jul 14, 2022 at 9:00 PM Luis Chamberlain <[email protected]> wrote:
>>>> On Wed, Jul 13, 2022 at 11:00:42PM -0400, Paul Moore wrote:
>>>>> On Wed, Jul 13, 2022 at 8:05 PM Luis Chamberlain <[email protected]> wrote:
>>>>>> io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
>>>>>> add infrastructure for uring-cmd"), this extended the struct
>>>>>> file_operations to allow a new command which each subsystem can use
>>>>>> to enable command passthrough. Add an LSM specific for the command
>>>>>> passthrough which enables LSMs to inspect the command details.
>>>>>>
>>>>>> This was discussed long ago without no clear pointer for something
>>>>>> conclusive, so this enables LSMs to at least reject this new file
>>>>>> operation.
>>>>>>
>>>>>> [0] https://lkml.kernel.org/r/[email protected]
>>>>> [NOTE: I now see that the IORING_OP_URING_CMD has made it into the
>>>>> v5.19-rcX releases, I'm going to be honest and say that I'm
>>>>> disappointed you didn't post the related LSM additions
>>>> It does not mean I didn't ask for them too.
>>>>
>>>>> until
>>>>> v5.19-rc6, especially given our earlier discussions.]
>>>> And hence since I don't see it either, it's on us now.
>>> It looks like I owe you an apology, Luis.  While my frustration over
>>> io_uring remains, along with my disappointment that the io_uring
>>> developers continue to avoid discussing access controls with the LSM
>>> community, you are not the author of the IORING_OP_URING_CMD.   You
>>> are simply trying to do the right thing by adding the necessary LSM
>>> controls and in my confusion I likely caused you a bit of frustration;
>>> I'm sorry for that.
>>>
>>>> As important as I think LSMs are, I cannot convince everyone
>>>> to take them as serious as I do.
>>> Yes, I think a lot of us are familiar with that feeling unfortunately :/
>>>
>>>>> While the earlier discussion may not have offered a detailed approach
>>>>> on how to solve this, I think it was rather conclusive in that the
>>>>> approach used then (and reproduced here) did not provide enough
>>>>> context to the LSMs to be able to make a decision.
>>>> Right...
>>>>
>>>>> There were similar
>>>>> concerns when it came to auditing the command passthrough.  It appears
>>>>> that most of my concerns in the original thread still apply to this
>>>>> patch.
>>>>>
>>>>> Given the LSM hook in this patch, it is very difficult (impossible?)
>>>>> to determine the requested operation as these command opcodes are
>>>>> device/subsystem specific.  The unfortunate result is that the LSMs
>>>>> are likely going to either allow all, or none, of the commands for a
>>>>> given device/subsystem, and I think we can all agree that is not a
>>>>> good idea.
>>>>>
>>>>> That is the critical bit of feedback on this patch, but there is more
>>>>> feedback inline below.
>>>> Given a clear solution is not easily tangible at this point
>>>> I was hoping perhaps at least the abilility to enable LSMs to
>>>> reject uring-cmd would be better than nothing at this point.
>>> Without any cooperation from the io_uring developers, that is likely
>>> what we will have to do.  I know there was a lot of talk about this
>>> functionality not being like another ioctl(), but from a LSM
>>> perspective I think that is how we will need to treat it.
>>>
>>>>>> Signed-off-by: Luis Chamberlain <[email protected]>
>>>>>> ---
>>>>>>  include/linux/lsm_hook_defs.h | 1 +
>>>>>>  include/linux/lsm_hooks.h     | 3 +++
>>>>>>  include/linux/security.h      | 5 +++++
>>>>>>  io_uring/uring_cmd.c          | 5 +++++
>>>>>>  security/security.c           | 4 ++++
>>>>>>  5 files changed, 18 insertions(+)
>>>>> ...
>>>>>
>>>>>> diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
>>>>>> index 0a421ed51e7e..5e666aa7edb8 100644
>>>>>> --- a/io_uring/uring_cmd.c
>>>>>> +++ b/io_uring/uring_cmd.c
>>>>>> @@ -3,6 +3,7 @@
>>>>>>  #include <linux/errno.h>
>>>>>>  #include <linux/file.h>
>>>>>>  #include <linux/io_uring.h>
>>>>>> +#include <linux/security.h>
>>>>>>
>>>>>>  #include <uapi/linux/io_uring.h>
>>>>>>
>>>>>> @@ -82,6 +83,10 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
>>>>>>         struct file *file = req->file;
>>>>>>         int ret;
>>>>>>
>>>>>> +       ret = security_uring_cmd(ioucmd);
>>>>>> +       if (ret)
>>>>>> +               return ret;
>>>>>> +
>>>>>>         if (!req->file->f_op->uring_cmd)
>>>>>>                 return -EOPNOTSUPP;
>>>>>>
>>>>> In order to be consistent with most of the other LSM hooks, the
>>>>> 'req->file->f_op->uring_cmd' check should come before the LSM hook
>>>>> call.
>>>> Sure.
>>>>
>>>>> The general approach used in most places is to first validate
>>>>> the request and do any DAC based access checks before calling into the
>>>>> LSM.
>>>> OK.
>>>>
>>>> Let me know how you'd like to proceed given our current status.
>>> Well, we're at -rc6 right now which means IORING_OP_URING_CMD is
>>> happening and it's unlikely the LSM folks are going to be able to
>>> influence the design/implementation much at this point so we have to
>>> do the best we can.  Given the existing constraints, I think your
>>> patch is reasonable (although please do shift the hook call site down
>>> a bit as discussed above), we just need to develop the LSM
>>> implementations to go along with it.
>>>
>>> Luis, can you respin and resend the patch with the requested changes?
>>>
>>> Casey, it looks like Smack and SELinux are the only LSMs to implement
>>> io_uring access controls.  Given the hook that Luis developed in this
>>> patch, could you draft a patch for Smack to add the necessary checks?
>> Yes. I don't think it will be anything more sophisticated than the
>> existing "Brutalist" Smack support. It will also be tested to the
>> limited extent my resources and understanding of io_uring allow.
>>
>> I am seriously concerned that without better integration between
>> LSM and io_uring development I'm going to end up in the same place
>> that led to Al Viro's comment regarding the Smack fcntl hooks:
>>
>> 	"I think I have an adequate flame, but it won't fit
>> 	the maillist size limit..."
>>
>> That came about because my understanding of fnctl() was incomplete.
>> I know a lot more about fnctl than I do about io_uring. I would
>> really like io_uring to work well in a Smack environment. It saddens
>> me that there isn't any reciporicol interest. But enough whinging.
>> On to the patch.
> 
> There isn't (as of this writing) a file io_uring/uring_cmd.c in
> Linus' tree. What tree does this patch apply to?

It's the for-5.20 tree. See my reply to the v2 of the patch, including
suggestions on how to stage it.

-- 
Jens Axboe


  reply	other threads:[~2022-07-15 23:05 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-14  0:05 [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op Luis Chamberlain
2022-07-14  0:38 ` Casey Schaufler
2022-07-15  0:54   ` Luis Chamberlain
2022-07-15  1:25     ` Casey Schaufler
2022-07-14  3:00 ` Paul Moore
2022-07-15  1:00   ` Luis Chamberlain
2022-07-15 18:46     ` Paul Moore
2022-07-15 19:02       ` Luis Chamberlain
2022-07-15 19:51         ` Paul Moore
2022-07-15 19:07       ` Jens Axboe
2022-07-15 19:50         ` Paul Moore
2022-07-15 20:00           ` Jens Axboe
2022-07-15 21:16             ` Casey Schaufler
2022-07-15 21:32               ` Jens Axboe
2022-07-15 21:37             ` Luis Chamberlain
2022-07-15 21:47               ` Jens Axboe
2022-07-15 20:50       ` Casey Schaufler
2022-07-15 23:03         ` Casey Schaufler
2022-07-15 23:05           ` Jens Axboe [this message]
2022-07-15 23:14             ` Casey Schaufler
2022-07-15 23:18               ` Jens Axboe
2022-07-15 23:31                 ` Casey Schaufler
2022-07-15 23:34                   ` Jens Axboe
2022-07-16  3:20       ` Kanchan Joshi
2022-07-18 14:55         ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox