On Tue, Aug 23, 2022 at 7:46 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> Limit io_uring "cmd" options to files for which the caller has
> Smack read access. There may be cases where the cmd option may
> be closer to a write access than a read, but there is no way
> to make that determination.
>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> --
> security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 001831458fa2..bffccdc494cb 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
...
> @@ -4732,6 +4733,36 @@ static int smack_uring_sqpoll(void)
> return -EPERM;
> }
>
> +/**
> + * smack_uring_cmd - check on file operations for io_uring
> + * @ioucmd: the command in question
> + *
> + * Make a best guess about whether a io_uring "command" should
> + * be allowed. Use the same logic used for determining if the
> + * file could be opened for read in the absence of better criteria.
> + */
> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
> +{
> + struct file *file = ioucmd->file;
> + struct smk_audit_info ad;
> + struct task_smack *tsp;
> + struct inode *inode;
> + int rc;
> +
> + if (!file)
> + return -EINVAL;
Perhaps this is a better question for Jens, but ioucmd->file is always
going to be valid when the LSM hook is called, yes?
> + tsp = smack_cred(file->f_cred);
> + inode = file_inode(file);
> +
> + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
> + smk_ad_setfield_u_fs_path(&ad, file->f_path);
> + rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
> + rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
> +
> + return rc;
> +}
> +
> #endif /* CONFIG_IO_URING */
--
paul-moore.com
