Re: [RFC 1/1] Use ioctl selinux callback io_uring commands that implement the ioctl op convention

From: Kanchan Joshi <joshi.k@samsung.com>
To: Joel Granados <j.granados@samsung.com>
Cc: ddiss@suse.de, mcgrof@kernel.org, paul@paul-moore.com,
	linux-security-module@vger.kernel.org, io-uring@vger.kernel.org
Subject: Re: [RFC 1/1] Use ioctl selinux callback io_uring commands that implement the ioctl op convention
Date: Wed, 16 Nov 2022 23:08:21 +0530	[thread overview]
Message-ID: <20221116173821.GC5094@test-zns> (raw)
In-Reply-To: <20221116125051.3338926-2-j.granados@samsung.com>

[-- Attachment #1: Type: text/plain, Size: 2701 bytes --]

On Wed, Nov 16, 2022 at 01:50:51PM +0100, Joel Granados wrote:
>Signed-off-by: Joel Granados <j.granados@samsung.com>
>---
> security/selinux/hooks.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
>diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>index f553c370397e..a3f37ae5a980 100644
>--- a/security/selinux/hooks.c
>+++ b/security/selinux/hooks.c
>@@ -21,6 +21,7 @@
>  *  Copyright (C) 2016 Mellanox Technologies
>  */
>
>+#include "linux/nvme_ioctl.h"
> #include <linux/init.h>
> #include <linux/kd.h>
> #include <linux/kernel.h>
>@@ -7005,12 +7006,22 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
> 	struct inode *inode = file_inode(file);
> 	struct inode_security_struct *isec = selinux_inode(inode);
> 	struct common_audit_data ad;
>+	const struct cred *cred = current_cred();
>
> 	ad.type = LSM_AUDIT_DATA_FILE;
> 	ad.u.file = file;
>
>-	return avc_has_perm(&selinux_state, current_sid(), isec->sid,
>-			    SECCLASS_IO_URING, IO_URING__CMD, &ad);
>+	switch (ioucmd->cmd_op) {
>+	case NVME_URING_CMD_IO:
>+	case NVME_URING_CMD_IO_VEC:
>+	case NVME_URING_CMD_ADMIN:
>+	case NVME_URING_CMD_ADMIN_VEC:

We do not have to spell out these opcodes here.
How about this instead:

+       /*
+        * nvme uring-cmd continue to follow the ioctl format, so reuse what
+        * we do for ioctl.
+        */
+       if(_IOC_TYPE(ioucmd->cmd_op) == 'N')
+               return ioctl_has_perm(cred, file, FILE__IOCTL, (u16) ioucmd->cmd_op);
+       else
+               return avc_has_perm(&selinux_state, current_sid(), isec->sid,
+                                   SECCLASS_IO_URING, IO_URING__CMD, &ad);
+       }
+

Now, if we write the above fragment this way -

if (__IOC_TYPE(ioucmd->cmd_op) != 0)
	reuse_what_is_done_for_ioctl;
else
	current_check;

That will be bit more generic and can support more opcodes than nvme.
ublk will continue to fall into else case, but something else (of
future) may go into the if-part and be as fine-granular as ioctl hook
has been.
Although we defined new nvme opcodes to be used with uring-cmd, it is
also possible that some other provider decides to work with existing
ioctl-opcode packaged inside uring-cmd and turns it async. It's just
another implmentation choice.

Not so nice with the above could be that driver-type being 0 seems
under conflict already. The table in this page:
https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-number.html
But that is first four out of many others. So those four will fall into
else-part (if ever we get there) and everything else will go into the
if-part.

Let's see whether Paul considers all this an improvement from what is
present now.

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]