linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Joel Granados <j.granados@samsung.com>
To: Ming Lei <ming.lei@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Kanchan Joshi <joshi.k@samsung.com>, <ddiss@suse.de>,
	<linux-security-module@vger.kernel.org>,
	<io-uring@vger.kernel.org>
Subject: Re: [RFC 1/1] Use ioctl selinux callback io_uring commands that implement the ioctl op convention
Date: Mon, 28 Nov 2022 11:13:29 +0100	[thread overview]
Message-ID: <20221128101329.lcn3bimihmtwsqqm@localhost> (raw)
In-Reply-To: <Y3zW02nH1LQhb/qz@T590>

[-- Attachment #1: Type: text/plain, Size: 4351 bytes --]

On Tue, Nov 22, 2022 at 10:04:03PM +0800, Ming Lei wrote:
> On Mon, Nov 21, 2022 at 04:05:37PM -0500, Paul Moore wrote:
> > On Mon, Nov 21, 2022 at 2:53 PM Luis Chamberlain <mcgrof@kernel.org> wrote:
> > > On Thu, Nov 17, 2022 at 05:10:07PM -0500, Paul Moore wrote:
> > > > On Thu, Nov 17, 2022 at 4:40 AM Joel Granados <j.granados@samsung.com> wrote:
> > > > > On Wed, Nov 16, 2022 at 02:21:14PM -0500, Paul Moore wrote:
> > > >
> > > > ...
> > > >
> > > > > > * As we discussed previously, the real problem is the fact that we are
> > > > > > missing the necessary context in the LSM hook to separate the
> > > > > > different types of command targets.  With traditional ioctls we can
> > > > > > look at the ioctl number and determine both the type of
> > > > > > device/subsystem/etc. as well as the operation being requested; there
> > > > > > is no such information available with the io_uring command
> > > > > > passthrough.  In this sense, the io_uring command passthrough is
> > > > > > actually worse than traditional ioctls from an access control
> > > > > > perspective.  Until we have an easy(ish)[1] way to determine the
> > > > > > io_uring command target type, changes like the one suggested here are
> > > > > > going to be doomed as each target type is free to define their own
> > > > > > io_uring commands.
> > > > >
> > > > > The only thing that comes immediately to mind is that we can have
> > > > > io_uring users define a function that is then passed to the LSM
> > > > > infrastructure. This function will have all the logic to give relative
> > > > > context to LSM. It would be general enough to fit all the possible commands
> > > > > and the logic would be implemented in the "drivers" side so there is no
> > > > > need for LSM folks to know all io_uring users.
> > > >
> > > > Passing a function pointer to the LSM to fetch, what will likely be
> > > > just a constant value, seems kinda ugly, but I guess we only have ugly
> > > > options at this point.
> > >
> > > I am not sure if this helps yet, but queued on modules-next we now have
> > > an improvement in speed of about 1500x for kallsyms_lookup_name(), and
> > > so symbol lookups are now fast. Makes me wonder if a type of special
> > > export could be drawn up for specific calls which follow a structure
> > > and so the respective lsm could be inferred by a prefix instead of
> > > placing the calls in-place. Then it would not mattter where a call is
> > > used, so long as it would follow a specific pattern / structure with
> > > all the crap you need on it.
> > 
> > I suspect we may be talking about different things here, I don't think
> > the issue is which LSM(s) may be enabled, as the call is to
> > security_uring_cmd() regardless.  I believe the issue is more of how
> > do the LSMs determine the target of the io_uring command, e.g. nvme or
> > ublk.
> > 
> > My understanding is that Joel was suggesting a change to the LSM hook
> > to add a function specific pointer (presumably defined as part of the
> > file_operations struct) that could be called by the LSM to determine
> > the target.
> > 
> > Although now that I'm looking again at the file_operations struct, I
> > wonder if we would be better off having the LSMs inspect the
> > file_operations::owner field, potentially checking the module::name
> > field.  It's a little painful in the sense that it is potentially
> > multiple strcmp() calls for each security_uring_cmd() call, but I'm
> > not sure the passed function approach would be much better.  Do we
> > have a consistent per-module scalar value we can use instead of a
> > character string?
> 
> In future there may be more uring_cmd kernel users, maybe we need to
> consider to use one reserved field in io_uring_sqe for describing the
> target type if it is one must for security subsystem, and this way
> will be similar with traditional ioctl which encodes this kind of
> info in command type.
This is of course another option. I was a bit reluctant to start the
discussion with this implementation, but now that you have brought it up
I can come up with an initial RFC and we can add it to the mix of
possibilities.

Would you just add it to the end of the struct? or what reserved field
are you referring to?
> 
> 
> Thanks,
> Ming
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

  reply	other threads:[~2022-11-28 10:13 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CGME20221116125430eucas1p2f2969a4a795614ce3b8c06f9ea3be36f@eucas1p2.samsung.com>
2022-11-16 12:50 ` [RFC 0/1] RFC on how to include LSM hooks for io_uring commands Joel Granados
     [not found]   ` <CGME20221116125431eucas1p1dfd03b80863fce674a7c662660c94092@eucas1p1.samsung.com>
2022-11-16 12:50     ` [RFC 1/1] Use ioctl selinux callback io_uring commands that implement the ioctl op convention Joel Granados
2022-11-16 17:38       ` Kanchan Joshi
2022-11-16 19:21         ` Paul Moore
2022-11-17  9:40           ` Joel Granados
2022-11-17 22:10             ` Paul Moore
2022-11-21 19:53               ` Luis Chamberlain
2022-11-21 21:05                 ` Paul Moore
2022-11-22 11:18                   ` Joel Granados
2022-11-22 14:04                   ` Ming Lei
2022-11-28 10:13                     ` Joel Granados [this message]
2022-11-28 10:59                       ` Ming Lei
2022-11-22 11:15                 ` Joel Granados
2022-11-17  9:25         ` Joel Granados

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221128101329.lcn3bimihmtwsqqm@localhost \
    --to=j.granados@samsung.com \
    --cc=ddiss@suse.de \
    --cc=io-uring@vger.kernel.org \
    --cc=joshi.k@samsung.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=ming.lei@redhat.com \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).