From: Luis Chamberlain <[email protected]>
To: Paul Moore <[email protected]>
Cc: [email protected], [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected]
Subject: Re: [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op
Date: Thu, 14 Jul 2022 18:00:14 -0700 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHC9VhSjfrMtqy_6+=_=VaCsJKbKU1oj6TKghkue9LrLzO_++w@mail.gmail.com>
On Wed, Jul 13, 2022 at 11:00:42PM -0400, Paul Moore wrote:
> On Wed, Jul 13, 2022 at 8:05 PM Luis Chamberlain <[email protected]> wrote:
> >
> > io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
> > add infrastructure for uring-cmd"), this extended the struct
> > file_operations to allow a new command which each subsystem can use
> > to enable command passthrough. Add an LSM specific for the command
> > passthrough which enables LSMs to inspect the command details.
> >
> > This was discussed long ago without no clear pointer for something
> > conclusive, so this enables LSMs to at least reject this new file
> > operation.
> >
> > [0] https://lkml.kernel.org/r/[email protected]
>
> [NOTE: I now see that the IORING_OP_URING_CMD has made it into the
> v5.19-rcX releases, I'm going to be honest and say that I'm
> disappointed you didn't post the related LSM additions
It does not mean I didn't ask for them too.
> until
> v5.19-rc6, especially given our earlier discussions.]
And hence since I don't see it either, it's on us now.
As important as I think LSMs are, I cannot convince everyone
to take them as serious as I do.
> While the earlier discussion may not have offered a detailed approach
> on how to solve this, I think it was rather conclusive in that the
> approach used then (and reproduced here) did not provide enough
> context to the LSMs to be able to make a decision.
Right...
> There were similar
> concerns when it came to auditing the command passthrough. It appears
> that most of my concerns in the original thread still apply to this
> patch.
>
> Given the LSM hook in this patch, it is very difficult (impossible?)
> to determine the requested operation as these command opcodes are
> device/subsystem specific. The unfortunate result is that the LSMs
> are likely going to either allow all, or none, of the commands for a
> given device/subsystem, and I think we can all agree that is not a
> good idea.
>
> That is the critical bit of feedback on this patch, but there is more
> feedback inline below.
Given a clear solution is not easily tangible at this point
I was hoping perhaps at least the abilility to enable LSMs to
reject uring-cmd would be better than nothing at this point.
> > Signed-off-by: Luis Chamberlain <[email protected]>
> > ---
> > include/linux/lsm_hook_defs.h | 1 +
> > include/linux/lsm_hooks.h | 3 +++
> > include/linux/security.h | 5 +++++
> > io_uring/uring_cmd.c | 5 +++++
> > security/security.c | 4 ++++
> > 5 files changed, 18 insertions(+)
>
> ...
>
> > diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
> > index 0a421ed51e7e..5e666aa7edb8 100644
> > --- a/io_uring/uring_cmd.c
> > +++ b/io_uring/uring_cmd.c
> > @@ -3,6 +3,7 @@
> > #include <linux/errno.h>
> > #include <linux/file.h>
> > #include <linux/io_uring.h>
> > +#include <linux/security.h>
> >
> > #include <uapi/linux/io_uring.h>
> >
> > @@ -82,6 +83,10 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
> > struct file *file = req->file;
> > int ret;
> >
> > + ret = security_uring_cmd(ioucmd);
> > + if (ret)
> > + return ret;
> > +
> > if (!req->file->f_op->uring_cmd)
> > return -EOPNOTSUPP;
> >
>
> In order to be consistent with most of the other LSM hooks, the
> 'req->file->f_op->uring_cmd' check should come before the LSM hook
> call.
Sure.
> The general approach used in most places is to first validate
> the request and do any DAC based access checks before calling into the
> LSM.
OK.
Let me know how you'd like to proceed given our current status.
Luis
next prev parent reply other threads:[~2022-07-15 1:00 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-14 0:05 [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op Luis Chamberlain
2022-07-14 0:38 ` Casey Schaufler
2022-07-15 0:54 ` Luis Chamberlain
2022-07-15 1:25 ` Casey Schaufler
2022-07-14 3:00 ` Paul Moore
2022-07-15 1:00 ` Luis Chamberlain [this message]
2022-07-15 18:46 ` Paul Moore
2022-07-15 19:02 ` Luis Chamberlain
2022-07-15 19:51 ` Paul Moore
2022-07-15 19:07 ` Jens Axboe
2022-07-15 19:50 ` Paul Moore
2022-07-15 20:00 ` Jens Axboe
2022-07-15 21:16 ` Casey Schaufler
2022-07-15 21:32 ` Jens Axboe
2022-07-15 21:37 ` Luis Chamberlain
2022-07-15 21:47 ` Jens Axboe
2022-07-15 20:50 ` Casey Schaufler
2022-07-15 23:03 ` Casey Schaufler
2022-07-15 23:05 ` Jens Axboe
2022-07-15 23:14 ` Casey Schaufler
2022-07-15 23:18 ` Jens Axboe
2022-07-15 23:31 ` Casey Schaufler
2022-07-15 23:34 ` Jens Axboe
2022-07-16 3:20 ` Kanchan Joshi
2022-07-18 14:55 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox