From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yb1-f170.google.com (mail-yb1-f170.google.com [209.85.219.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40C1854735 for ; Tue, 23 Jan 2024 23:58:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.170 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706054311; cv=none; b=e3HVbyHqd6Zqf+b901J1aN5dkeaZbWVx4b+LHIKDmQVmY85Hby4QAzfdd10WdjTNrahFvZOuF4H34HQxazepCDxeJJx7MBhpoUdGVyIIM1LIDf7/65nCrdFNhvFLzGVruFAX4PDxfO6OxmMGGCVvFVrFMnNN7Zr/0ENY/Dj8tyw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706054311; c=relaxed/simple; bh=IynX6u4mvBalm/RbV4Poaqp1DBQ8ctKBACbRd1Iv/o0=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=PRxet9Brs1xbDi5BErCHtr9ZgqSxk/rv++e48maHg6Z0dN0RRCcfYjUFCA/Vf9d81TAiuw42C+R6khMpmR4LASB7GGRBRgw3m0biiB9c8zM+u3c0FEBkvhwZEQX36x64uSTCb2IekTnUBrbMKPp4zszGDsbG+1cReD8NcqB1PCo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com; spf=pass smtp.mailfrom=paul-moore.com; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b=PWva0+iS; arc=none smtp.client-ip=209.85.219.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=paul-moore.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore.com header.i=@paul-moore.com header.b="PWva0+iS" Received: by mail-yb1-f170.google.com with SMTP id 3f1490d57ef6-dae7cc31151so3681711276.3 for ; Tue, 23 Jan 2024 15:58:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1706054309; x=1706659109; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=cL6AxRz6Xtq0xrIYdJsZbYeq0wCWJbZQUMTqfFz90ow=; b=PWva0+iSu4xAerRswmveUqTSosX8M1kkN3MR0vF9ZOsDezNAf/IeKNZu9tf8/09PH8 JnDsVqPc6p1fE6kKe0IgXuL9s/rr2D3oNNkP5w7KZ21PbjOBZYehqwbJ8YkZfbiDvtA7 0nxKM4HkeGmJ8ttd6q6RTYGq870qZYKp6NmFzQc/kCHJb1uR68B7UB97kZyP/2xhC3N6 Ar5a/LcJ+yhyZu8nEU4DW5efxHrO8e7eaWSdnRMMaihXrN3xdh9DjtrGxgwOtwVmimwK b5bZXeZRTjq4HXBOs0XzIuglm7zoxtG2KadDH4sgudjRBX48/PNwCmWiyN0lKcV6BEfl bt1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706054309; x=1706659109; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=cL6AxRz6Xtq0xrIYdJsZbYeq0wCWJbZQUMTqfFz90ow=; b=uGibXWxLT7iHMkQ1CWBUoNYo0OqUQLf+YHLnGLekLG9xNcXvHRzG/epiKL28LB1y90 iSOGFr3mDcl0z4kcWnhV6B3kPa93893U0zLjlzS3IWxeUZq9GsyYf6UnMjXbpUANXD6e WOFvD50g1TdZcGKj4w2hNTg0cgVSM1r7wGdqYxxoQnqRyXg9AV8gI9tmo8KXPzAvqUZJ 6qyDUZXr/AWUh5t61OxcsyZBJ8AwnxqkmuHgwBeJgRHpLmGQ9RKbe+jrkE24lIB9OosE W25vNQc7gHYMpU1Qhok88Q4kERfRS8BIFwHwr8OWagKrs3UKO8Y9/88hL7GCAG1jhTY1 Llag== X-Gm-Message-State: AOJu0YxlYXkcg3GkSCwpy8/1Llg2bx1F1XqAvzD8tW/dviDlbRwz3tAr WXwKEZwMIDZ/UyUUKM8wUbUKoTHYr6/lmV28J75xMdiwyANqH/R6hIsQnVvsFzoeNti+usgrqJ+ S0mXJwVBDh3gshyI15H/yqzAPCBSKTNPcku2D X-Google-Smtp-Source: AGHT+IEaVh9ckNB9SI9jCXziUhbBHVpZnwT8uzibvDSWQZxDfVcAHLY6UJiD5wdYwnlOMVQdxM0ncF0PvMW/HeoXf3o= X-Received: by 2002:a25:e0c3:0:b0:dc2:65ff:7948 with SMTP id x186-20020a25e0c3000000b00dc265ff7948mr19443ybg.0.1706054309145; Tue, 23 Jan 2024 15:58:29 -0800 (PST) Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240123215501.289566-2-paul@paul-moore.com> <170604930501.2065523.10114697425588415558.b4-ty@kernel.dk> In-Reply-To: From: Paul Moore Date: Tue, 23 Jan 2024 18:58:18 -0500 Message-ID: Subject: Re: [PATCH] io_uring: enable audit and restrict cred override for IORING_OP_FIXED_FD_INSTALL To: Jens Axboe Cc: io-uring@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, audit@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Jan 23, 2024 at 5:43=E2=80=AFPM Jens Axboe wrote: > On 1/23/24 3:40 PM, Jens Axboe wrote: > > On 1/23/24 3:35 PM, Jens Axboe wrote: > >> > >> On Tue, 23 Jan 2024 16:55:02 -0500, Paul Moore wrote: > >>> We need to correct some aspects of the IORING_OP_FIXED_FD_INSTALL > >>> command to take into account the security implications of making an > >>> io_uring-private file descriptor generally accessible to a userspace > >>> task. > >>> > >>> The first change in this patch is to enable auditing of the FD_INSTAL= L > >>> operation as installing a file descriptor into a task's file descript= or > >>> table is a security relevant operation and something that admins/user= s > >>> may want to audit. > >>> > >>> [...] > >> > >> Applied, thanks! > >> > >> [1/1] io_uring: enable audit and restrict cred override for IORING_OP_= FIXED_FD_INSTALL > >> commit: 16bae3e1377846734ec6b87eee459c0f3551692c > > > > So after doing that and writing the test case and testing it, it dawned > > on me that we should potentially allow the current task creds. And to > > make matters worse, this is indeed what happens if eg the application > > would submit this with IOSQE_ASYNC or if it was part of a linked series > > and we marked it async. > > > > While I originally reasoned for why this is fine as it'd be silly to > > register your current creds and then proceed to pass in that personalit= y, > > I do think that we should probably handle that case and clearly separat= e > > the case of "we assigned creds from the submitting task because we're > > handing it to a thread" vs "the submitting task asked for other creds > > that were previously registered". > > > > I'll take a look and see what works the best here. > > Actually, a quick look and it's fine, the usual async offload will do > the right thing. So let's just keep it as-is, I don't think there's any > point to complicating this for some theoretically-valid-but-obscure use > case! Perhaps the one case where REQ_F_CREDS is our friend for FD_INSTALL ;) > FWIW, the test case is here, and I'll augment it now to add IOSQE_ASYNC > as well just to cover all the bases. > > https://git.kernel.dk/cgit/liburing/commit/?id=3Dbc576ca398661b266d3e4a4f= 5db3a9cf7f33fe62 Great, thanks! --=20 paul-moore.com