From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA966C43217 for ; Mon, 7 Nov 2022 21:17:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233398AbiKGVRs (ORCPT ); Mon, 7 Nov 2022 16:17:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37512 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233427AbiKGVRc (ORCPT ); Mon, 7 Nov 2022 16:17:32 -0500 Received: from mail-oi1-x236.google.com (mail-oi1-x236.google.com [IPv6:2607:f8b0:4864:20::236]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C8E81EEF6 for ; Mon, 7 Nov 2022 13:13:37 -0800 (PST) Received: by mail-oi1-x236.google.com with SMTP id q186so1143619oia.9 for ; Mon, 07 Nov 2022 13:13:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=pHms/O+9VBq8irGp3MyiuJlyANLL/CCV2NFYd5lytyA=; b=fbz0dJ0XnDpsx+hMge6yfECCLrQ9kRAHBi+2sKrgralxQwXVYVPHT1wlH0vOI9aXS8 Q69Cl3BJx4YPMF4NRILvqzetKOldQMWspeGTkz0lcPKpFBHfezWWbmdr/ZwTypsvUFdJ g5J3srFyn2ZUZP5+9zDAEtyqAlGXF0vIdYcpbhgL85wp04jFhnedzI1rRnmZjWbn6RAL mYWri7hGGN55fKqX+3zh9NzgGpFjgaC7vxXACDyVgFcJ4ZkzpfW7oo1SQYpXUBAmPu8Y 6jkwwIrJAv0O2KHOkdhSm95DZ/t0cfAUEvg9DHWvzYQvYg8crJo1G2MC38vRRwBc4bkh 4FhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=pHms/O+9VBq8irGp3MyiuJlyANLL/CCV2NFYd5lytyA=; b=j6Kelj/efzj8WDLbV13RSeNGJvD8w+X3MxPyovGYsj+KCjI1z9EghlQ2lYfzahe4uv W8YugKvdaIMmiK+RzZYHEhjY7MQMOjV30D/5tozoAZ4fuBCkVq9GFp+iemoMtUeJWnI0 8msadmcgZ2B0NO6ZQm/+bpFl/a9F8dRLvzGdoJGqcmxi0V02tODQ3feDidl0/Ldialyx 1Z7GfqOgzV2gUJRZrRbQ0bDs5JCfTqun0T7OW+v/IIaW2tBZvYvtVZP2SqxzlZuyCw7g OXNzM9JkDBEzzr3m2GFLBkc1gyL/m1T93yC0PGJAFXFxxVj/pASVOny8MPt734Jzvcf3 XFxQ== X-Gm-Message-State: ACrzQf2Gu/oOQbN5r3TMC04jA5CGOQKOM9+25+hzXgrrx0VHtKla4g5w vwM5i49v5+/OV+GzouHQb0AZOx7/vYece91iPqt5 X-Google-Smtp-Source: AMsMyM4KnQnz9BbylEC8a4qKc19JcYPq3m7VWW4QnZi9Gv86OMlxbUuEIKo61OnWavUhJ9RvHyxDno+RIArn4c7OBDc= X-Received: by 2002:a05:6808:1441:b0:35a:4a2d:673b with SMTP id x1-20020a056808144100b0035a4a2d673bmr14688971oiv.172.1667855616463; Mon, 07 Nov 2022 13:13:36 -0800 (PST) MIME-Version: 1.0 References: <20221107205754.2635439-1-cukie@google.com> In-Reply-To: <20221107205754.2635439-1-cukie@google.com> From: Paul Moore Date: Mon, 7 Nov 2022 16:13:25 -0500 Message-ID: Subject: Re: [PATCH v1 0/2] Add LSM access controls for io_uring_setup To: Gil Cukierman Cc: Jens Axboe , Pavel Begunkov , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , kernel-team@android.com, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org On Mon, Nov 7, 2022 at 3:58 PM Gil Cukierman wrote: > > This patchset provides the changes required for controlling access to > the io_uring_setup system call by LSMs. It does this by adding a new > hook to io_uring. It also provides the SELinux implementation for a new > permission, io_uring { setup }, using the new hook. > > This is important because existing io_uring hooks only support limiting > the sharing of credentials and access to the sensitive uring_cmd file > op. Users of LSMs may also want the ability to tightly control which > callers can retrieve an io_uring capable fd from the kernel, which is > needed for all subsequent io_uring operations. It isn't immediately obvious to me why simply obtaining a io_uring fd from io_uring_setup() would present a problem, as the security relevant operations that are possible with that io_uring fd *should* still be controlled by other LSM hooks. Can you help me understand what security issue you are trying to resolve with this control? -- paul-moore.com