From: Paul Moore <[email protected]>
To: Joel Granados <[email protected]>
Cc: [email protected], [email protected],
	[email protected], Arnd Bergmann <[email protected]>,
	Greg Kroah-Hartman <[email protected]>,
	Luis Chamberlain <[email protected]>
Subject: Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
Date: Thu, 1 Sep 2022 17:30:38 -0400	[thread overview]
Message-ID: <CAHC9VhTDJogwcYhm2xc29kyO74CZ4wcCysySUr1CX6GcUkPf0Q@mail.gmail.com> (raw)
In-Reply-To: <20220901201551.hmdrvthtin4gkdz3@localhost>

On Thu, Sep 1, 2022 at 4:15 PM Joel Granados <[email protected]> wrote:
> Hey Paul
>
> I realize that you have already sent this upstream but I wanted to share
> the SELinux part of the testing that we did to see if there is any
> feedback.
>
> With my tests I see that the selinux_uring_cmd hook is run and it
> results in an "avc : denied" when I run it with selinux in permissive
> mode with an unprivileged user. I assume that this is the expected
> behavior. Here is how I tested:
>
> *** With the patch:
> * I ran the io_uring_passthrough.c test on a char device with an
>   unprivileged user.
> * I took care of changing the permissions of /dev/ng0n1 to 666 prior
>   to any testing.
> * Made sure that SELinux was in permissive mode.
> * Made sure to have audit activated by passing "audit=1" to the kernel.
> * After noticing that some audit messages were getting lost I upped the
>   backlog limit to 256.
> * Prior to executing the test, I also placed a breakpoint inside
>   selinux_uring_cmd to make sure that it was executed.
> * This is the output of the audit when I executed the test:
>
>   [  136.615924] audit: type=1400 audit(1662043624.701:94): avc:  denied  { create } for  pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.621036] audit: type=1300 audit(1662043624.701:94): arch=c000003e syscall=425 success=yes exit=3 a0=40 a1=7ffca29835a0 a2=7ffca29835a0 a3=561529be2300 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
>   [  136.624812] audit: type=1327 audit(1662043624.701:94): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
>   [  136.626074] audit: type=1400 audit(1662043624.702:95): avc:  denied  { map } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.628012] audit: type=1400 audit(1662043624.702:95): avc:  denied  { read write } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.629873] audit: type=1300 audit(1662043624.702:95): arch=c000003e syscall=9 success=yes exit=140179765297152 a0=0 a1=1380 a2=3 a3=8001 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
>   [  136.632415] audit: type=1327 audit(1662043624.702:95): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
>   [  136.633652] audit: type=1400 audit(1662043624.705:96): avc:  denied  { cmd } for  pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
>   [  136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
>   [  136.636863] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
>
> * From the output on time 136.633652 I see that the access should have
>   been denied had selinux been enforcing.
> * I also saw that the breakpoint hit.
>
> *** Without the patch:
> * I ran the io_uring_passthrough.c test on a char device with an
>   unprivileged user.
> * I took care of changing the permissions of /dev/ng0n1 to 666 prior
>   to any testing.
> * Made sure that SELinux was in permissive mode.
> * Made sure to have audit activated by passing "audit=1" to the kernel.
> * After noticing that some audit messages were getting lost I upped the
>   backlog limit to 256.
> * There were no audit messages when I executed the test.
>
> As with my smack tests I would really appreciate feedback on the
> approach I took to testing and its validity.

Hi Joel,

Thanks for the additional testing and verification!  Work like this is
always welcome, regardless of whether the patch has already been merged
upstream.

As far as your test approach is concerned, I think you are on the right
track; I might suggest resolving the other SELinux/AVC denials you are
seeing with your test application to help reduce the noise in the
logs.  Are you familiar with the selinux-testsuite (link below)?

* https://github.com/SELinuxProject/selinux-testsuite

-- 
paul-moore.com
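As an added example (not part of the thread, the kernel patch, or liburing), the following Python script parses audit lines of the form Joel quoted, separates the tclass=io_uring { cmd } denial produced by selinux_uring_cmd() from the anon_inode denials Paul calls noise, and joins it with the type=1336 URINGOP record that shares its audit serial. The sample input is constructed here from the quoted log; the mapping of uring_op=46 to IORING_OP_URING_CMD is an assumption to be checked against the tree under test.

```python
import re
from collections import defaultdict

# Constructed sample: three records from the quoted audit output; serial 95 is anon_inode noise, 96 is from selinux_uring_cmd().
SAMPLE_AUDIT = """\
audit: type=1400 audit(1662043624.702:95): avc:  denied  { map } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
audit: type=1400 audit(1662043624.705:96): avc:  denied  { cmd } for  pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
"""

HEADER_RE = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one kernel audit line into its type, serial and key=value fields."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "ts": float(m.group(2)), "serial": int(m.group(3))}
    body = m.group(4)
    avc = AVC_RE.search(body)
    if avc:  # AVC records carry the decision and the permission set in braces
        rec["decision"] = avc.group(1)
        rec["perms"] = set(avc.group(2).split())
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec

def find_uring_cmd_denials(text):
    """Return io_uring { cmd } denials joined with the type=1336 URINGOP record
    of the same audit serial (uring_op=46 assumed to be IORING_OP_URING_CMD)."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    hits = []
    for serial, recs in sorted(by_serial.items()):
        ops = [int(r["uring_op"]) for r in recs if r["type"] == 1336 and "uring_op" in r]
        for r in recs:
            if (r["type"] == 1400 and r.get("decision") == "denied"
                    and r.get("tclass") == "io_uring" and "cmd" in r["perms"]):
                hits.append({"serial": serial, "pid": int(r["pid"]), "path": r.get("path"),
                             "scontext": r["scontext"], "tcontext": r["tcontext"],
                             "permissive": r.get("permissive") == "1",
                             "uring_op": ops[0] if ops else None})
    return hits
```

A hit with permissive True means the hook fired and logged but nothing was blocked, which is exactly the permissive-mode result Joel describes; on an enforcing system the same record would appear with permissive=0 and the command would fail.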
