From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7C0AC4320A for ; Wed, 11 Aug 2021 20:52:40 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 413516105A for ; Wed, 11 Aug 2021 20:52:40 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 413516105A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=paul-moore.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-579-H3a1LyCyOUSDd0mjOmyByA-1; Wed, 11 Aug 2021 16:52:36 -0400 X-MC-Unique: H3a1LyCyOUSDd0mjOmyByA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1C7148799EB; Wed, 11 Aug 2021 20:52:33 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DBE8329671; Wed, 11 Aug 2021 20:52:32 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id A6F344BB7C; Wed, 11 Aug 2021 20:52:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 17BKmInV021166 for ; Wed, 11 Aug 2021 16:48:18 -0400 Received: by smtp.corp.redhat.com (Postfix) id 73355FDCE6; Wed, 11 Aug 2021 20:48:18 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6E2B71037AB for ; Wed, 11 Aug 2021 20:48:15 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CABA0800B28 for ; Wed, 11 Aug 2021 20:48:15 +0000 (UTC) Received: from mail-qk1-f179.google.com (mail-qk1-f179.google.com [209.85.222.179]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-16-iqXIGwLDO8GRAy1Y8FnLGw-1; Wed, 11 Aug 2021 16:48:13 -0400 X-MC-Unique: iqXIGwLDO8GRAy1Y8FnLGw-1 Received: by mail-qk1-f179.google.com with SMTP id e14so3949306qkg.3 for ; Wed, 11 Aug 2021 13:48:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:user-agent :mime-version:content-transfer-encoding; bh=zBlBSbAuxRUJW1lgOYptxB+0Lua2LslYZABHs/8DQw8=; b=mD/+nAj790+cCEc2XWPNwgUZIlWajunHacazMgwhqCgCiAEEZRkwyM5MnS/3wG7MH4 cAGYyCNAnOXYxfHHHXOaplqStPmrjDYjxwJ7DR6VxIJmxTcglScqD9m77x42yOX34O2F hAtphtJl86HCn5OFg5sanDYSGqYFbK1ehpYuLJCG57mNN1NPWSNS0H2hFJPNyqZx61nT p4Id1ZDQW5ZvE0CBf/l4ZVD0Irr/d1zIFGOB89vgkOXjO3+navCslZL6cYlcaRs/eYOu /9IwqVtEi+AXRfdOA7/+70tfgbZLMnIJgqqWwLc6eFQ2RIFkw35KT54Vc0FVQ+4uwkbX 0cSQ== X-Gm-Message-State: AOAM531lw9a4GmibjKpUsRGpobjpYrpVtO28p2SvS6WwUw52gcggQrgS Dvl3K7hhASVSDHfAX4VvnKXA X-Google-Smtp-Source: ABdhPJydL0ykzGSU3mSv7znsNMhnb+x6axRiQjqG6NUGWFR49FmN7RGZaFHzTlB9WZgH5isKA3x/lQ== X-Received: by 2002:a37:b082:: with SMTP id z124mr964004qke.298.1628714892595; Wed, 11 Aug 2021 13:48:12 -0700 (PDT) Received: from localhost (pool-96-237-52-188.bstnma.fios.verizon.net. [96.237.52.188]) by smtp.gmail.com with ESMTPSA id k1sm159186qkj.21.2021.08.11.13.48.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Aug 2021 13:48:12 -0700 (PDT) Subject: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring From: Paul Moore To: linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-audit@redhat.com, io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, Kumar Kartikeya Dwivedi , Jens Axboe , Pavel Begunkov Date: Wed, 11 Aug 2021 16:48:11 -0400 Message-ID: <162871480969.63873.9434591871437326374.stgit@olly> User-Agent: StGit/1.1 MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: linux-audit@redhat.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Draft #2 of the patchset which brings auditing and proper LSM access controls to the io_uring subsystem. The original patchset was posted in late May and can be found via lore using the link below: https://lore.kernel.org/linux-security-module/162163367115.8379.8459012634106035341.stgit@sifl/ This draft should incorporate all of the feedback from the original posting as well as a few smaller things I noticed while playing further with the code. The big change is of course the selective auditing in the io_uring op servicing, but that has already been discussed quite a bit in the original thread so I won't go into detail here; the important part is that we found a way to move forward and this draft captures that. For those of you looking to play with these patches, they are based on Linus' v5.14-rc5 tag and on my test system they boot and appear to function without problem; they pass the selinux-testsuite and audit-testsuite and I have not noticed any regressions in the normal use of the system. If you want to get a copy of these patches straight from git you can use the "working-io_uring" branch in the repo below: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git Beyond the existing test suite tests mentioned above, I've cobbled together some very basic, very crude tests to exercise some of the things I care about from a LSM/audit perspective. These tests are pretty awful (I'm not kidding), but they might be helpful for the other LSM/audit developers who want to test things: https://drop.paul-moore.com/90.kUgq There are currently two tests: 'iouring.2' and 'iouring.3'; 'iouring.1' was lost in a misguided and overzealous 'rm' command. The first test is standalone and basically tests the SQPOLL functionality while the second tests sharing io_urings across process boundaries and the credential/personality sharing mechanism. The console output of both tests isn't particularly useful, the more interesting bits are in the audit and LSM specific logs. The 'iouring.2' command requires no special arguments to run but the 'iouring.3' test is split into a "server" and "client"; the server should be run without argument: % ./iouring.3s >>> server started, pid = 11678 >>> memfd created, fd = 3 >>> io_uring created; fd = 5, creds = 1 ... while the client should be run with two arguments: the first is the PID of the server process, the second is the "memfd" fd number: % ./iouring.3c 11678 3 >>> client started, server_pid = 11678 server_memfd = 3 >>> io_urings = 5 (server) / 5 (client) >>> io_uring ops using creds = 1 >>> async op result: 36 >>> async op result: 36 >>> async op result: 36 >>> async op result: 36 >>> START file contents What is this life if, full of care, we have no time to stand and stare. >>> END file contents The tests were hacked together from various sources online, attribution and links to additional info can be found in the test sources, but I expect these tests to die a fiery death in the not to distant future as I work to add some proper tests to the SELinux and audit test suites. As I believe these patches should spend a full -rcX cycle in linux-next, my current plan is to continue to solicit feedback on these patches while they undergo additional testing (next up is verification of the audit filter code for io_uring). Assuming no critical issues are found on the mailing lists or during testing, I will post a proper patchset later with the idea of merging it into selinux/next after the upcoming merge window closes. Any comments, feedback, etc. are welcome. --- Casey Schaufler (1): Smack: Brutalist io_uring support with debug Paul Moore (8): audit: prepare audit_context for use in calling contexts beyond syscalls audit,io_uring,io-wq: add some basic audit support to io_uring audit: dev/test patch to force io_uring auditing audit: add filtering for io_uring records fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure() io_uring: convert io_uring to the secure anon inode interface lsm,io_uring: add LSM hooks to io_uring selinux: add support for the io_uring access controls fs/anon_inodes.c | 29 ++ fs/io-wq.c | 4 + fs/io_uring.c | 69 +++- include/linux/anon_inodes.h | 4 + include/linux/audit.h | 26 ++ include/linux/lsm_hook_defs.h | 5 + include/linux/lsm_hooks.h | 13 + include/linux/security.h | 16 + include/uapi/linux/audit.h | 4 +- kernel/audit.h | 7 +- kernel/audit_tree.c | 3 +- kernel/audit_watch.c | 3 +- kernel/auditfilter.c | 15 +- kernel/auditsc.c | 483 +++++++++++++++++++----- security/security.c | 12 + security/selinux/hooks.c | 34 ++ security/selinux/include/classmap.h | 2 + security/smack/smack_lsm.c | 64 ++++ 18 files changed, 678 insertions(+), 115 deletions(-) -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit