On 8/26/2022 11:59 AM, Paul Moore wrote:
> On Fri, Aug 26, 2022 at 12:53 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 8/26/2022 8:15 AM, Paul Moore wrote:
>>> On Tue, Aug 23, 2022 at 8:07 PM Jens Axboe <axboe@xxxxxxxxx> wrote:
>>>> On 8/23/22 6:05 PM, Paul Moore wrote:
>>>>> On Tue, Aug 23, 2022 at 7:46 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>>>>>> Limit io_uring "cmd" options to files for which the caller has
>>>>>> Smack read access. There may be cases where the cmd option may
>>>>>> be closer to a write access than a read, but there is no way
>>>>>> to make that determination.
>>>>>>
>>>>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>>>>>> --
>>>>>> security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++
>>>>>> 1 file changed, 32 insertions(+)
>>>>>>
>>>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>>>>>> index 001831458fa2..bffccdc494cb 100644
>>>>>> --- a/security/smack/smack_lsm.c
>>>>>> +++ b/security/smack/smack_lsm.c
>>>>> ...
>>>>>
>>>>>> @@ -4732,6 +4733,36 @@ static int smack_uring_sqpoll(void)
>>>>>> return -EPERM;
>>>>>> }
>>>>>>
>>>>>> +/**
>>>>>> + * smack_uring_cmd - check on file operations for io_uring
>>>>>> + * @ioucmd: the command in question
>>>>>> + *
>>>>>> + * Make a best guess about whether a io_uring "command" should
>>>>>> + * be allowed. Use the same logic used for determining if the
>>>>>> + * file could be opened for read in the absence of better criteria.
>>>>>> + */
>>>>>> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
>>>>>> +{
>>>>>> + struct file *file = ioucmd->file;
>>>>>> + struct smk_audit_info ad;
>>>>>> + struct task_smack *tsp;
>>>>>> + struct inode *inode;
>>>>>> + int rc;
>>>>>> +
>>>>>> + if (!file)
>>>>>> + return -EINVAL;
>>>>> Perhaps this is a better question for Jens, but ioucmd->file is always
>>>>> going to be valid when the LSM hook is called, yes?
>>>> file will always be valid for uring commands, as they are marked as
>>>> requiring a file. If no valid fd is given for it, it would've been
>>>> errored early on, before reaching f_op->uring_cmd().
>>> Hey Casey, where do things stand with this patch? To be specific, did
>>> you want me to include this in the lsm/stable-6.0 PR for Linus or are
>>> you planning to send it separately? If you want me to send it up, are
>>> you planning another revision?
>>>
>>> There is no right or wrong answer here as far as I'm concerned, I'm
>>> just trying to make sure we are all on the same page.
>> I think the whole LSM fix for io_uring looks better the more complete
>> it is. I don't see the Smack check changing until such time as there's
>> better information available to make decisions upon. If you send it along
>> with the rest of the patch set I think we'll have done our best.
> Okay, will do. Would you like me to tag the patch with the 'Fixes:'
> and stable tags, similar to the LSM and SELinux patches?
Yes, I think that's best.
