From: Casey Schaufler <[email protected]>
To: Kanchan Joshi <[email protected]>
Cc: Paul Moore <[email protected]>, Jens Axboe <[email protected]>,
Ankit Kumar <[email protected]>,
[email protected], [email protected]
Subject: Re: [PATCH] Smack: Provide read control for io_uring_cmd
Date: Mon, 29 Aug 2022 09:20:09 -0700 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <20220827155954.GA11498@test-zns>
On 8/27/2022 8:59 AM, Kanchan Joshi wrote:
> On Tue, Aug 23, 2022 at 04:46:18PM -0700, Casey Schaufler wrote:
>> Limit io_uring "cmd" options to files for which the caller has
>> Smack read access. There may be cases where the cmd option may
>> be closer to a write access than a read, but there is no way
>> to make that determination.
>>
>> Signed-off-by: Casey Schaufler <[email protected]>
>> --
>> security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++
>> 1 file changed, 32 insertions(+)
>>
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 001831458fa2..bffccdc494cb 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -42,6 +42,7 @@
>> #include <linux/fs_context.h>
>> #include <linux/fs_parser.h>
>> #include <linux/watch_queue.h>
>> +#include <linux/io_uring.h>
>> #include "smack.h"
>>
>> #define TRANS_TRUE "TRUE"
>> @@ -4732,6 +4733,36 @@ static int smack_uring_sqpoll(void)
>> return -EPERM;
>> }
>>
>> +/**
>> + * smack_uring_cmd - check on file operations for io_uring
>> + * @ioucmd: the command in question
>> + *
>> + * Make a best guess about whether a io_uring "command" should
>> + * be allowed. Use the same logic used for determining if the
>> + * file could be opened for read in the absence of better criteria.
>> + */
>> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
>> +{
>> + struct file *file = ioucmd->file;
>> + struct smk_audit_info ad;
>> + struct task_smack *tsp;
>> + struct inode *inode;
>> + int rc;
>> +
>> + if (!file)
>> + return -EINVAL;
>> +
>> + tsp = smack_cred(file->f_cred);
>> + inode = file_inode(file);
>> +
>> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
>> + smk_ad_setfield_u_fs_path(&ad, file->f_path);
>> + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
>> + rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
>> +
>> + return rc;
>> +}
>> +
>> #endif /* CONFIG_IO_URING */
>>
>> struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
>> @@ -4889,6 +4920,7 @@ static struct security_hook_list smack_hooks[]
>> __lsm_ro_after_init = {
>> #ifdef CONFIG_IO_URING
>> LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
>> LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
>> + LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
>> #endif
>
> Tried this on nvme device (/dev/ng0n1).
> Took a while to come out of noob setup-related issues but I see that
> smack is listed (in /sys/kernel/security/lsm), smackfs is present, and
> the hook (smack_uring_cmd) gets triggered fine on doing I/O on
> /dev/ng0n1.
>
> I/O goes fine, which seems aligned with the label on /dev/ng0n1 (which
> is set to floor).
>
> $ chsmack -L /dev/ng0n1
> /dev/ng0n1 access="_"
Setting the Smack on the object that the cmd operates on to
something other than "_" would be the correct test. If that
is /dev/ng0n1 you could use
# chsmack -a Snap /dev/ng0n1
The unprivileged user won't be able to read /dev/ng0n1 so you
won't get as far as testing the cmd interface. I don't know
io_uring and nvme well enough to know what other objects may
be involved. Noob here, too.
>
> I ran fio (/usr/bin/fio), which also has the same label.
> Hope you expect the same outcome.
>
> Do you run something else to see that things are fine e.g. for
> /dev/null, which also has the same label "_".
> If yes, I can try the same on nvme side.
>
next prev parent reply other threads:[~2022-08-29 16:20 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20220719135821epcas5p1b071b0162cc3e1eb803ca687989f106d@epcas5p1.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 0/5] Add basic test for nvme uring passthrough commands Ankit Kumar
[not found] ` <CGME20220719135832epcas5p31bb7df7c931aba12454b6f16c966a7c8@epcas5p3.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 1/5] configure: check for nvme uring command support Ankit Kumar
[not found] ` <CGME20220719135834epcas5p2f63a49277322756394f19e23a1c4e4ce@epcas5p2.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 2/5] io_uring.h: sync sqe entry with 5.20 io_uring Ankit Kumar
[not found] ` <CGME20220719135835epcas5p2284cbb16a28c4290d3a886449bc7a6d8@epcas5p2.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 3/5] nvme: add nvme opcodes, structures and helper functions Ankit Kumar
[not found] ` <CGME20220719135836epcas5p3f28b20cab964ced538d5a7fdfe367bb4@epcas5p3.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 4/5] test: add io_uring passthrough test Ankit Kumar
[not found] ` <CGME20220719135837epcas5p1eb4beb20bdfbdaaa7409d7b1f6355909@epcas5p1.samsung.com>
2022-07-19 13:52 ` [PATCH liburing 5/5] test/io_uring_passthrough: add test case for poll IO Ankit Kumar
2022-08-12 0:43 ` [PATCH liburing 0/5] Add basic test for nvme uring passthrough commands Casey Schaufler
2022-08-12 1:51 ` Jens Axboe
2022-08-12 15:33 ` Paul Moore
2022-08-12 16:03 ` Casey Schaufler
2022-08-13 11:35 ` Kanchan Joshi
2022-08-23 23:46 ` [PATCH] Smack: Provide read control for io_uring_cmd Casey Schaufler
2022-08-24 0:05 ` Paul Moore
2022-08-24 0:07 ` Jens Axboe
2022-08-26 15:15 ` Paul Moore
2022-08-26 16:53 ` Casey Schaufler
2022-08-26 18:59 ` Paul Moore
2022-08-26 19:04 ` Casey Schaufler
2022-08-26 19:10 ` Paul Moore
2022-08-26 19:31 ` Casey Schaufler
2022-08-27 15:59 ` Kanchan Joshi
2022-08-29 16:20 ` Casey Schaufler [this message]
2022-08-30 13:08 ` Joel Granados
2022-08-30 14:16 ` Casey Schaufler
2022-08-31 7:15 ` Joel Granados
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a6cb7a3b-8393-c8f3-60f6-00ae08dab23a@schaufler-ca.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox