Re: IORING_OP_FIXED_FD_INSTALL and audit/LSM interactions

[Paul Moore <paul@paul-moore.com>]

On Fri, Jan 19, 2024 at 12:02 PM Jens Axboe <axboe@kernel.dk> wrote:
>
> On 1/19/24 9:33 AM, Paul Moore wrote:
> > Hello all,
> >
> > I just noticed the recent addition of IORING_OP_FIXED_FD_INSTALL and I
> > see that it is currently written to skip the io_uring auditing.
> > Assuming I'm understanding the patch correctly, and I'll admit that
> > I've only looked at it for a short time today, my gut feeling is that
> > we want to audit the FIXED_FD_INSTALL opcode as it could make a
> > previously io_uring-only fd generally accessible to userspace.
>
> We can certainly remove the audit skip, it was mostly done as we're
> calling into the security parts anyway later on. But it's not like doing
> the extra audit here would cause any concerns on the io_uring front.

Great.  Do you want to put a patch together for that, or should I?

> > I'm also trying to determine how worried we should be about
> > io_install_fixed_fd() potentially happening with the current task's
> > credentials overridden by the io_uring's personality.  Given that this
> > io_uring operation inserts a fd into the current process, I believe
> > that we should be checking to see if the current task's credentials,
> > and not the io_uring's credentials/personality, are allowed to receive
> > the fd in receive_fd()/security_file_receive().  I don't see an
> > obvious way to filter/block credential overrides on a per-opcode
> > basis, but if we don't want to add a mask for io_kiocb::flags in
> > io_issue_defs (or something similar), perhaps we can forcibly mask out
> > REQ_F_CREDS in io_install_fixed_fd_prep()?  I'm very interested to
> > hear what others think about this.
> >
> > Of course if I'm reading the commit or misunderstanding the
> > IORING_OP_FIXED_FD_INSTALL operation, corrections are welcome :)
>
> I think if there are concerns for that, the easiest solution would be to
> just fail IORING_OP_FIXED_INSTALL if REQ_F_CREDS is set. I don't really
> see a good way to have the security side know about the old creds, as
> the task itself is running with the assigned creds.

The more I've been thinking about it, yes, I believe there are
concerns around FIXED_FD_INSTALL and io_uring personalities for LSMs.
Assuming an io_uring with stored credentials for task A, yet
accessible via task B, task B could submit an IORING_OP_OPENAT command
to open a file using task A's creds and then FIXED_FD_INSTALL that fd
into its own (task B's) file descriptor table without a problem as the
installer's creds (the io_uring creds, or task A) match the file's
creds (also task A since the io_uring opened the file).  Following
code paths in task B that end up going through
security_file_permission() and similar hooks may very well end up
catching the mismatch between the file's creds and task B (depending
on the LSM), but arguably it is something that should have been caught
at receive_fd() time.

--
paul-moore.com