public inbox for [email protected]
 help / color / mirror / Atom feed
From: Luis Chamberlain <[email protected]>
To: Paul Moore <[email protected]>
Cc: [email protected], [email protected], [email protected],
	[email protected], [email protected],
	[email protected], [email protected],
	[email protected], [email protected]
Subject: Re: [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op
Date: Thu, 14 Jul 2022 18:00:14 -0700	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHC9VhSjfrMtqy_6+=_=VaCsJKbKU1oj6TKghkue9LrLzO_++w@mail.gmail.com>

On Wed, Jul 13, 2022 at 11:00:42PM -0400, Paul Moore wrote:
> On Wed, Jul 13, 2022 at 8:05 PM Luis Chamberlain <[email protected]> wrote:
> >
> > io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
> > add infrastructure for uring-cmd"), this extended the struct
> > file_operations to allow a new command which each subsystem can use
> > to enable command passthrough. Add an LSM specific for the command
> > passthrough which enables LSMs to inspect the command details.
> >
> > This was discussed long ago without no clear pointer for something
> > conclusive, so this enables LSMs to at least reject this new file
> > operation.
> >
> > [0] https://lkml.kernel.org/r/[email protected]
> 
> [NOTE: I now see that the IORING_OP_URING_CMD has made it into the
> v5.19-rcX releases, I'm going to be honest and say that I'm
> disappointed you didn't post the related LSM additions 

It does not mean I didn't ask for them too.

> until
> v5.19-rc6, especially given our earlier discussions.]

And hence since I don't see it either, it's on us now.

As important as I think LSMs are, I cannot convince everyone
to take them as serious as I do.

> While the earlier discussion may not have offered a detailed approach
> on how to solve this, I think it was rather conclusive in that the
> approach used then (and reproduced here) did not provide enough
> context to the LSMs to be able to make a decision.

Right...

> There were similar
> concerns when it came to auditing the command passthrough.  It appears
> that most of my concerns in the original thread still apply to this
> patch.
> 
> Given the LSM hook in this patch, it is very difficult (impossible?)
> to determine the requested operation as these command opcodes are
> device/subsystem specific.  The unfortunate result is that the LSMs
> are likely going to either allow all, or none, of the commands for a
> given device/subsystem, and I think we can all agree that is not a
> good idea.
> 
> That is the critical bit of feedback on this patch, but there is more
> feedback inline below.

Given a clear solution is not easily tangible at this point
I was hoping perhaps at least the abilility to enable LSMs to
reject uring-cmd would be better than nothing at this point.

> > Signed-off-by: Luis Chamberlain <[email protected]>
> > ---
> >  include/linux/lsm_hook_defs.h | 1 +
> >  include/linux/lsm_hooks.h     | 3 +++
> >  include/linux/security.h      | 5 +++++
> >  io_uring/uring_cmd.c          | 5 +++++
> >  security/security.c           | 4 ++++
> >  5 files changed, 18 insertions(+)
> 
> ...
> 
> > diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
> > index 0a421ed51e7e..5e666aa7edb8 100644
> > --- a/io_uring/uring_cmd.c
> > +++ b/io_uring/uring_cmd.c
> > @@ -3,6 +3,7 @@
> >  #include <linux/errno.h>
> >  #include <linux/file.h>
> >  #include <linux/io_uring.h>
> > +#include <linux/security.h>
> >
> >  #include <uapi/linux/io_uring.h>
> >
> > @@ -82,6 +83,10 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
> >         struct file *file = req->file;
> >         int ret;
> >
> > +       ret = security_uring_cmd(ioucmd);
> > +       if (ret)
> > +               return ret;
> > +
> >         if (!req->file->f_op->uring_cmd)
> >                 return -EOPNOTSUPP;
> >
> 
> In order to be consistent with most of the other LSM hooks, the
> 'req->file->f_op->uring_cmd' check should come before the LSM hook
> call. 

Sure.

> The general approach used in most places is to first validate
> the request and do any DAC based access checks before calling into the
> LSM.

OK.

Let me know how you'd like to proceed given our current status.

  Luis

  reply	other threads:[~2022-07-15  1:00 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-14  0:05 [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op Luis Chamberlain
2022-07-14  0:38 ` Casey Schaufler
2022-07-15  0:54   ` Luis Chamberlain
2022-07-15  1:25     ` Casey Schaufler
2022-07-14  3:00 ` Paul Moore
2022-07-15  1:00   ` Luis Chamberlain [this message]
2022-07-15 18:46     ` Paul Moore
2022-07-15 19:02       ` Luis Chamberlain
2022-07-15 19:51         ` Paul Moore
2022-07-15 19:07       ` Jens Axboe
2022-07-15 19:50         ` Paul Moore
2022-07-15 20:00           ` Jens Axboe
2022-07-15 21:16             ` Casey Schaufler
2022-07-15 21:32               ` Jens Axboe
2022-07-15 21:37             ` Luis Chamberlain
2022-07-15 21:47               ` Jens Axboe
2022-07-15 20:50       ` Casey Schaufler
2022-07-15 23:03         ` Casey Schaufler
2022-07-15 23:05           ` Jens Axboe
2022-07-15 23:14             ` Casey Schaufler
2022-07-15 23:18               ` Jens Axboe
2022-07-15 23:31                 ` Casey Schaufler
2022-07-15 23:34                   ` Jens Axboe
2022-07-16  3:20       ` Kanchan Joshi
2022-07-18 14:55         ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox