Date: Mon, 7 Nov 2022 15:57:52 -0500
In-Reply-To: <20221107205754.2635439-1-cukie@google.com>
References: <20221107205754.2635439-1-cukie@google.com>
Message-ID: <20221107205754.2635439-2-cukie@google.com>
Subject: [PATCH v1 1/2] lsm,io_uring: add LSM hook for io_uring_setup
From: Gil Cukierman
To: Jens Axboe , Pavel Begunkov , Paul Moore , James Morris , "Serge E. Hallyn"
Cc: Gil Cukierman , kernel-team@android.com, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, linux-security-module@vger.kernel.org

This patch allows LSMs to apply security policies that control access to
the io_uring_setup syscall. This is accomplished by adding a new hook:

  int security_uring_setup(void)
      Check whether the current task is allowed to call io_uring_setup.

This hook, together with the existing hooks for sharing of file
descriptors and io_uring credentials, allows LSMs to expose comprehensive
controls on the usage of io_uring overall.
Signed-off-by: Gil Cukierman
---
 include/linux/lsm_hook_defs.h | 1 +
 include/linux/lsm_hooks.h     | 3 +++
 include/linux/security.h      | 5 +++++
 io_uring/io_uring.c           | 5 +++++
 security/security.c           | 4 ++++
 5 files changed, 18 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ec119da1d89b..ffbf29b32a48 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -409,4 +409,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *e= vent) LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) +LSM_HOOK(int, 0, uring_setup, void) #endif /* CONFIG_IO_URING */ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4ec80b96c22e..bc13a8e664c9 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1589,6 +1589,9 @@ * @uring_cmd: * Check whether the file_operations uring_cmd is allowed to run. * + * @uring_setup: + * Check whether the current task is allowed to call io_uring_setup. + * */ union security_list_options { #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); diff --git a/include/linux/security.h b/include/linux/security.h index ca1b7109c0db..0bba7dd85691 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2069,6 +2069,7 @@ static inline int security_perf_event_write(struct pe= rf_event *event) extern int security_uring_override_creds(const struct cred *new); extern int security_uring_sqpoll(void); extern int security_uring_cmd(struct io_uring_cmd *ioucmd); +extern int security_uring_setup(void); #else static inline int security_uring_override_creds(const struct cred *new) { @@ -2082,6 +2083,10 @@ static inline int security_uring_cmd(struct io_uring= _cmd *ioucmd) { return 0; } +static inline int security_uring_setup(void) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #endif /* CONFIG_IO_URING */ =20
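Review bot: the new @uring_setup kernel-doc in the lsm_hooks.h hunk describes the check but not the return convention; the hook is declared `LSM_HOOK(int, 0, uring_setup, void)`, so a line such as `Return 0 if permission is granted.` would make the fail-closed contract explicit for LSM authors. It is also worth stating there that the hook deliberately takes no io_uring_params, so an LSM decides on the calling task alone and cannot key its policy on setup flags.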
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 6cc16e39b27f..1456c85648ed 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -3574,6 +3574,11 @@ static long io_uring_setup(u32 entries, struct io_ur= ing_params __user *params) { struct io_uring_params p; int i; + int ret; + + ret =3D security_uring_setup(); + if (ret) + return ret; =20 if (copy_from_user(&p, params, sizeof(p))) return -EFAULT; diff --git a/security/security.c b/security/security.c index 79d82cb6e469..b1bc95df5a5d 100644 --- a/security/security.c +++ b/security/security.c 
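Review bot: the security_uring_setup() call in the io_uring.c hunk sits before copy_from_user(&p, params, sizeof(p)), so a denied task receives the LSM's error before any parameter is read or validated; that is the right fail-closed ordering, and the commit message could say so. The cost is that the hook sees no io_uring_params; if per-flag policy (for example on SQPOLL setups, which today only the separate uring_sqpoll hook can see) is wanted later, the call would have to move below the copy, so a short comment at the call site recording that trade-off would help. Minor: `int ret;` can be folded into the existing `int i;` declaration.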
@@ -2671,4 +2671,8 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) { return call_int_hook(uring_cmd, 0, ioucmd); } +int security_uring_setup(void) +{ + return call_int_hook(uring_setup, 0); +} #endif /* CONFIG_IO_URING */ --=20 2.38.0.135.g90850a2211-goog

Date: Mon, 7 Nov 2022 15:57:53 -0500
In-Reply-To: <20221107205754.2635439-1-cukie@google.com>
References: <20221107205754.2635439-1-cukie@google.com>
Message-ID: <20221107205754.2635439-3-cukie@google.com>
Subject: [PATCH v1 2/2] selinux: add support for the io_uring setup permission
From: Gil Cukierman
To: Paul Moore , Stephen Smalley , Eric Paris
Cc: Gil Cukierman , kernel-team@android.com, selinux@vger.kernel.org, linux-kernel@vger.kernel.org

This patch implements a new io_uring permission that controls access to
the io_uring_setup system call. The new permission, io_uring { setup },
is added to the existing io_uring class. This is important as it allows
users to restrict their attack surface by limiting which subjects are
allowed to retrieve fds from the kernel that are necessary for the use
of all other io_uring functionality.

Signed-off-by: Gil Cukierman
---
 security/selinux/hooks.c            | 13 +++++++++++++
 security/selinux/include/classmap.h |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f553c370397e..d2becf833a07 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7012,6 +7012,18 @@ static int selinux_uring_cmd(struct io_uring_cmd *io= ucmd) return avc_has_perm(&selinux_state, current_sid(), isec->sid, SECCLASS_IO_URING, IO_URING__CMD, &ad); } +/** + * selinux_uring_setup - check to see if io_uring setup is allowed + * + * Check to see if the current task is allowed to execute io_uring_setup. + */ +static int selinux_uring_setup(void) +{ + int sid =3D current_sid(); + + return avc_has_perm(&selinux_state, sid, sid, SECCLASS_IO_URING, + IO_URING__SETUP, NULL); +} #endif /* CONFIG_IO_URING */ =20 /* @@ -7258,6 +7270,7 @@ static struct security_hook_list selinux_hooks[] __ls= m_ro_after_init =3D { LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), + LSM_HOOK_INIT(uring_setup, selinux_uring_setup), #endif =20 /*
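Review bot: in selinux_uring_setup(), `int sid = current_sid();` stores a SID in a signed int; current_sid() returns u32 and avc_has_perm() takes u32 for ssid and tsid, so declare it `u32 sid = current_sid();` to avoid the sign conversion. Passing NULL as the common_audit_data is acceptable because the check is the task against its own SID (ssid == tsid), but a one-line comment next to the call saying so would save the next reader from hunting for missing audit data.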
diff --git a/security/selinux/include/classmap.h b/security/selinux/include= /classmap.h index a3c380775d41..48da4e7f7d62 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] =3D { { "anon_inode", { COMMON_FILE_PERMS, NULL } }, { "io_uring", - { "override_creds", "sqpoll", "cmd", NULL } }, + { "override_creds", "sqpoll", "cmd", "setup", NULL } }, { "user_namespace", { "create", NULL } }, { NULL } --=20 2.38.0.135.g90850a2211-goog
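Review bot: appending "setup" after "cmd" in the io_uring entry keeps the existing permission bit positions stable, which is correct. A policy built before this change will not define the permission, so on such a system io_uring_setup is governed by the policy's handle_unknown setting rather than by an explicit rule; the commit message should note that, and the new permission needs a matching update in the userspace policy sources and the SELinux test suite so that `io_uring { setup }` is actually exercised.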
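Once this permission is in policy, a denied io_uring_setup() shows up in the audit log as an AVC record with tclass=io_uring and { setup }. The following is an added example, not code from the patch series or from the SELinux project: a small Python triage script that parses constructed sample AVC lines (the contexts, pids and comm values are invented), counts enforced io_uring setup denials per source context, flags any record where scontext and tcontext differ (the hook checks the task against its own SID, so they should match), and drafts the CIL allow rule that would grant the permission to that domain.

```python
import re
from collections import Counter

# Constructed sample audit records (invented contexts, pids and comm values, not
# taken from the patch series): three io_uring { setup } AVC records, one unrelated
# io_uring { sqpoll } denial and one SYSCALL record that is not an AVC line at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1667854695.296:101): avc:  denied  { setup } for  pid=4321 comm="myapp" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1667854695.310:102): avc:  denied  { setup } for  pid=4322 comm="myapp" scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1667854696.001:103): avc:  denied  { sqpoll } for  pid=777 comm="dbd" scontext=system_u:system_r:db_t:s0 tcontext=system_u:system_r:db_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1667854697.500:104): avc:  denied  { setup } for  pid=900 comm="svc" scontext=system_u:system_r:svc_t:s0 tcontext=system_u:system_r:svc_t:s0 tclass=io_uring permissive=1
type=SYSCALL msg=audit(1667854697.500:104): arch=c000003e syscall=425 success=no exit=-13
"""

# Field layout of a kernel AVC record; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return the parsed fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def io_uring_setup_denials(log_text):
    """Count enforced io_uring { setup } denials per source context.
    The SELinux hook checks the calling task against its own SID, so scontext and
    tcontext must match; a record where they differ is returned separately for review."""
    counts, anomalies = Counter(), []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["tclass"] != "io_uring" or "setup" not in rec["perms"]:
            continue
        if rec["scontext"] != rec["tcontext"]:
            anomalies.append(line)
        elif rec["result"] == "denied" and not rec["permissive"]:
            counts[rec["scontext"]] += 1
    return counts, anomalies

def suggest_cil_rules(counts):
    """Draft the CIL rule that would grant setup to each denied domain type (self check)."""
    return [f"(allow {ctx.split(':')[2]} self (io_uring (setup)))" for ctx in sorted(counts)]
```

Records logged with permissive=1 are parsed but not counted, since the kernel did not actually block the call; widen the filter if you are sizing a policy for a domain still in permissive mode.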