From: Paul Moore <[email protected]>
To: Luis Chamberlain <[email protected]>
Cc: [email protected], [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected]
Subject: Re: [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op
Date: Wed, 13 Jul 2022 23:00:42 -0400 [thread overview]
Message-ID: <CAHC9VhSjfrMtqy_6+=_=VaCsJKbKU1oj6TKghkue9LrLzO_++w@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
On Wed, Jul 13, 2022 at 8:05 PM Luis Chamberlain <[email protected]> wrote:
>
> io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
> add infrastructure for uring-cmd"), this extended the struct
> file_operations to allow a new command which each subsystem can use
> to enable command passthrough. Add an LSM specific for the command
> passthrough which enables LSMs to inspect the command details.
>
> This was discussed long ago without no clear pointer for something
> conclusive, so this enables LSMs to at least reject this new file
> operation.
>
> [0] https://lkml.kernel.org/r/[email protected]
[NOTE: I now see that the IORING_OP_URING_CMD has made it into the
v5.19-rcX releases, I'm going to be honest and say that I'm
disappointed you didn't post the related LSM additions until
v5.19-rc6, especially given our earlier discussions.]
While the earlier discussion may not have offered a detailed approach
on how to solve this, I think it was rather conclusive in that the
approach used then (and reproduced here) did not provide enough
context to the LSMs to be able to make a decision. There were similar
concerns when it came to auditing the command passthrough. It appears
that most of my concerns in the original thread still apply to this
patch.
Given the LSM hook in this patch, it is very difficult (impossible?)
to determine the requested operation as these command opcodes are
device/subsystem specific. The unfortunate result is that the LSMs
are likely going to either allow all, or none, of the commands for a
given device/subsystem, and I think we can all agree that is not a
good idea.
That is the critical bit of feedback on this patch, but there is more
feedback inline below.
> Signed-off-by: Luis Chamberlain <[email protected]>
> ---
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/lsm_hooks.h | 3 +++
> include/linux/security.h | 5 +++++
> io_uring/uring_cmd.c | 5 +++++
> security/security.c | 4 ++++
> 5 files changed, 18 insertions(+)
...
> diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
> index 0a421ed51e7e..5e666aa7edb8 100644
> --- a/io_uring/uring_cmd.c
> +++ b/io_uring/uring_cmd.c
> @@ -3,6 +3,7 @@
> #include <linux/errno.h>
> #include <linux/file.h>
> #include <linux/io_uring.h>
> +#include <linux/security.h>
>
> #include <uapi/linux/io_uring.h>
>
> @@ -82,6 +83,10 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
> struct file *file = req->file;
> int ret;
>
> + ret = security_uring_cmd(ioucmd);
> + if (ret)
> + return ret;
> +
> if (!req->file->f_op->uring_cmd)
> return -EOPNOTSUPP;
>
In order to be consistent with most of the other LSM hooks, the
'req->file->f_op->uring_cmd' check should come before the LSM hook
call. The general approach used in most places is to first validate
the request and do any DAC based access checks before calling into the
LSM.
--
paul-moore.com
next prev parent reply other threads:[~2022-07-14 3:00 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 0:05 [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op Luis Chamberlain
2022-07-14 0:38 ` Casey Schaufler
2022-07-15 0:54 ` Luis Chamberlain
2022-07-15 1:25 ` Casey Schaufler
2022-07-14 3:00 ` Paul Moore [this message]
2022-07-15 1:00 ` Luis Chamberlain
2022-07-15 18:46 ` Paul Moore
2022-07-15 19:02 ` Luis Chamberlain
2022-07-15 19:51 ` Paul Moore
2022-07-15 19:07 ` Jens Axboe
2022-07-15 19:50 ` Paul Moore
2022-07-15 20:00 ` Jens Axboe
2022-07-15 21:16 ` Casey Schaufler
2022-07-15 21:32 ` Jens Axboe
2022-07-15 21:37 ` Luis Chamberlain
2022-07-15 21:47 ` Jens Axboe
2022-07-15 20:50 ` Casey Schaufler
2022-07-15 23:03 ` Casey Schaufler
2022-07-15 23:05 ` Jens Axboe
2022-07-15 23:14 ` Casey Schaufler
2022-07-15 23:18 ` Jens Axboe
2022-07-15 23:31 ` Casey Schaufler
2022-07-15 23:34 ` Jens Axboe
2022-07-16 3:20 ` Kanchan Joshi
2022-07-18 14:55 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhSjfrMtqy_6+=_=VaCsJKbKU1oj6TKghkue9LrLzO_++w@mail.gmail.com' \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox