From: Paul Moore <paul@paul-moore.com> To: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>, Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com> Subject: [RFC PATCH v2 9/9] Smack: Brutalist io_uring support with debug Date: Wed, 11 Aug 2021 16:49:07 -0400 [thread overview] Message-ID: <162871494794.63873.18299137802334845525.stgit@olly> (raw) In-Reply-To: <162871480969.63873.9434591871437326374.stgit@olly> From: Casey Schaufler <casey@schaufler-ca.com> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE for the override_creds case and CAP_MAC_ADMIN for creating a polling thread. These choices are based on conjecture regarding the intent of the surrounding code. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: make the smack_uring_* funcs static] Signed-off-by: Paul Moore <paul@paul-moore.com> --- v2: - made the smack_uring_* funcs static v1: - initial draft --- security/smack/smack_lsm.c | 64 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 223a6da0e6dc..7fb094098f38 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4691,6 +4691,66 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, return 0; } +#ifdef CONFIG_IO_URING +/** + * smack_uring_override_creds - Is io_uring cred override allowed? + * @new: the target creds + * + * Check to see if the current task is allowed to override it's credentials + * to service an io_uring operation. + */ +static int smack_uring_override_creds(const struct cred *new) +{ + struct task_smack *tsp = smack_cred(current_cred()); + struct task_smack *nsp = smack_cred(new); + +#if 1 + if (tsp->smk_task == nsp->smk_task) + pr_info("%s: Smack matches %s\n", __func__, + tsp->smk_task->smk_known); + else + pr_info("%s: Smack override check %s to %s\n", __func__, + tsp->smk_task->smk_known, nsp->smk_task->smk_known); +#endif + /* + * Allow the degenerate case where the new Smack value is + * the same as the current Smack value. + */ + if (tsp->smk_task == nsp->smk_task) + return 0; + +#if 1 + pr_info("%s: Smack sqpoll %s\n", __func__, + smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred()) ? + "ok by Smack" : "disallowed (No CAP_MAC_OVERRIDE)"); +#endif + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) + return 0; + + return -EPERM; +} + +/** + * smack_uring_sqpoll - check if a io_uring polling thread can be created + * + * Check to see if the current task is allowed to create a new io_uring + * kernel polling thread. + */ +static int smack_uring_sqpoll(void) +{ +#if 1 + pr_info("%s: Smack new ring %s\n", __func__, + smack_privileged_cred(CAP_MAC_ADMIN, current_cred()) ? + "ok by Smack" : "disallowed (No CAP_MAC_ADMIN)"); +#endif + if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) + return 0; + + return -EPERM; +} + +#endif /* CONFIG_IO_URING */ + struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), .lbs_file = sizeof(struct smack_known *), @@ -4843,6 +4903,10 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), +#ifdef CONFIG_IO_URING + LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), + LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), +#endif };
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com> To: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, Kumar Kartikeya Dwivedi <memxor@gmail.com>, Jens Axboe <axboe@kernel.dk>, Pavel Begunkov <asml.silence@gmail.com> Subject: [RFC PATCH v2 9/9] Smack: Brutalist io_uring support with debug Date: Wed, 11 Aug 2021 16:49:07 -0400 [thread overview] Message-ID: <162871494794.63873.18299137802334845525.stgit@olly> (raw) In-Reply-To: <162871480969.63873.9434591871437326374.stgit@olly> From: Casey Schaufler <casey@schaufler-ca.com> Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE for the override_creds case and CAP_MAC_ADMIN for creating a polling thread. These choices are based on conjecture regarding the intent of the surrounding code. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: make the smack_uring_* funcs static] Signed-off-by: Paul Moore <paul@paul-moore.com> --- v2: - made the smack_uring_* funcs static v1: - initial draft --- security/smack/smack_lsm.c | 64 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 223a6da0e6dc..7fb094098f38 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4691,6 +4691,66 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, return 0; } +#ifdef CONFIG_IO_URING +/** + * smack_uring_override_creds - Is io_uring cred override allowed? + * @new: the target creds + * + * Check to see if the current task is allowed to override it's credentials + * to service an io_uring operation. + */ +static int smack_uring_override_creds(const struct cred *new) +{ + struct task_smack *tsp = smack_cred(current_cred()); + struct task_smack *nsp = smack_cred(new); + +#if 1 + if (tsp->smk_task == nsp->smk_task) + pr_info("%s: Smack matches %s\n", __func__, + tsp->smk_task->smk_known); + else + pr_info("%s: Smack override check %s to %s\n", __func__, + tsp->smk_task->smk_known, nsp->smk_task->smk_known); +#endif + /* + * Allow the degenerate case where the new Smack value is + * the same as the current Smack value. + */ + if (tsp->smk_task == nsp->smk_task) + return 0; + +#if 1 + pr_info("%s: Smack sqpoll %s\n", __func__, + smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred()) ? + "ok by Smack" : "disallowed (No CAP_MAC_OVERRIDE)"); +#endif + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) + return 0; + + return -EPERM; +} + +/** + * smack_uring_sqpoll - check if a io_uring polling thread can be created + * + * Check to see if the current task is allowed to create a new io_uring + * kernel polling thread. + */ +static int smack_uring_sqpoll(void) +{ +#if 1 + pr_info("%s: Smack new ring %s\n", __func__, + smack_privileged_cred(CAP_MAC_ADMIN, current_cred()) ? + "ok by Smack" : "disallowed (No CAP_MAC_ADMIN)"); +#endif + if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) + return 0; + + return -EPERM; +} + +#endif /* CONFIG_IO_URING */ + struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), .lbs_file = sizeof(struct smack_known *), @@ -4843,6 +4903,10 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), +#ifdef CONFIG_IO_URING + LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), + LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), +#endif }; -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-08-11 20:49 UTC|newest] Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-08-11 20:48 [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 1/9] audit: prepare audit_context for use in calling contexts beyond syscalls Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 2/9] audit, io_uring, io-wq: " Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 3/9] audit: dev/test patch to force io_uring auditing Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 4/9] audit: add filtering for io_uring records Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 5/9] fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure() Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-12 9:32 ` Mickaël Salaün 2021-08-12 9:32 ` Mickaël Salaün 2021-08-12 14:32 ` Paul Moore 2021-08-12 14:32 ` Paul Moore 2021-08-12 15:35 ` Mickaël Salaün 2021-08-12 15:35 ` Mickaël Salaün 2021-08-11 20:48 ` [RFC PATCH v2 6/9] io_uring: convert io_uring to the secure anon inode interface Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:48 ` [RFC PATCH v2 7/9] lsm,io_uring: add LSM hooks to io_uring Paul Moore 2021-08-11 20:48 ` Paul Moore 2021-08-11 20:49 ` [RFC PATCH v2 8/9] selinux: add support for the io_uring access controls Paul Moore 2021-08-11 20:49 ` Paul Moore 2021-08-11 20:49 ` Paul Moore [this message] 2021-08-11 20:49 ` [RFC PATCH v2 9/9] Smack: Brutalist io_uring support with debug Paul Moore 2021-08-31 14:44 ` Paul Moore 2021-08-31 14:44 ` Paul Moore 2021-08-31 15:03 ` Casey Schaufler 2021-08-31 15:03 ` Casey Schaufler 2021-08-31 16:43 ` Paul Moore 2021-08-31 16:43 ` Paul Moore 2021-08-24 20:57 ` [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring Richard Guy Briggs 2021-08-24 20:57 ` Richard Guy Briggs 2021-08-24 22:27 ` Paul Moore 2021-08-24 22:27 ` Paul Moore 2021-08-25 1:36 ` Richard Guy Briggs 2021-08-25 1:36 ` Richard Guy Briggs 2021-08-26 1:16 ` Richard Guy Briggs 2021-08-26 1:16 ` Richard Guy Briggs 2021-08-26 1:34 ` Paul Moore 2021-08-26 1:34 ` Paul Moore 2021-08-26 16:32 ` Richard Guy Briggs 2021-08-26 16:32 ` Richard Guy Briggs 2021-08-26 19:14 ` Paul Moore 2021-08-26 19:14 ` Paul Moore 2021-08-27 13:35 ` Richard Guy Briggs 2021-08-27 13:35 ` Richard Guy Briggs 2021-08-27 19:49 ` Paul Moore 2021-08-27 19:49 ` Paul Moore 2021-08-28 15:03 ` Richard Guy Briggs 2021-08-28 15:03 ` Richard Guy Briggs 2021-08-29 15:18 ` Paul Moore 2021-08-29 15:18 ` Paul Moore 2021-09-01 19:21 ` Paul Moore 2021-09-01 19:21 ` Paul Moore 2021-09-10 0:58 ` Richard Guy Briggs 2021-09-10 0:58 ` Richard Guy Briggs 2021-09-13 19:23 ` Paul Moore 2021-09-13 19:23 ` Paul Moore 2021-09-14 1:50 ` Paul Moore 2021-09-14 1:50 ` Paul Moore 2021-09-14 2:49 ` Paul Moore 2021-09-14 2:49 ` Paul Moore 2021-09-15 12:29 ` Richard Guy Briggs 2021-09-15 12:29 ` Richard Guy Briggs 2021-09-15 13:02 ` Steve Grubb 2021-09-15 13:02 ` Steve Grubb 2021-09-15 14:12 ` Paul Moore 2021-09-15 14:12 ` Paul Moore 2021-10-02 13:16 ` Steve Grubb 2021-10-03 23:21 ` Paul Moore 2021-10-04 12:39 ` Richard Guy Briggs 2021-10-04 13:27 ` Paul Moore 2021-10-04 14:59 ` Steve Grubb 2021-10-28 20:07 ` Richard Guy Briggs
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=162871494794.63873.18299137802334845525.stgit@olly \ --to=paul@paul-moore.com \ --cc=asml.silence@gmail.com \ --cc=axboe@kernel.dk \ --cc=io-uring@vger.kernel.org \ --cc=linux-audit@redhat.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=memxor@gmail.com \ --cc=selinux@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.