On 8/26/2022 12:10 PM, Paul Moore wrote: > On Fri, Aug 26, 2022 at 3:04 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >> On 8/26/2022 11:59 AM, Paul Moore wrote: >>> On Fri, Aug 26, 2022 at 12:53 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >>>> On 8/26/2022 8:15 AM, Paul Moore wrote: >>>>> On Tue, Aug 23, 2022 at 8:07 PM Jens Axboe <axboe@xxxxxxxxx> wrote: >>>>>> On 8/23/22 6:05 PM, Paul Moore wrote: >>>>>>> On Tue, Aug 23, 2022 at 7:46 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >>>>>>>> Limit io_uring "cmd" options to files for which the caller has >>>>>>>> Smack read access. There may be cases where the cmd option may >>>>>>>> be closer to a write access than a read, but there is no way >>>>>>>> to make that determination. >>>>>>>> >>>>>>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> >>>>>>>> -- >>>>>>>> security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++ >>>>>>>> 1 file changed, 32 insertions(+) >>>>>>>> >>>>>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c >>>>>>>> index 001831458fa2..bffccdc494cb 100644 >>>>>>>> --- a/security/smack/smack_lsm.c >>>>>>>> +++ b/security/smack/smack_lsm.c >>>>>>> ... >>>>>>> 
>>>>>>>> @@ -4732,6 +4733,36 @@ static int smack_uring_sqpoll(void) >>>>>>>> return -EPERM; >>>>>>>> } >>>>>>>> >>>>>>>> +/** >>>>>>>> + * smack_uring_cmd - check on file operations for io_uring >>>>>>>> + * @ioucmd: the command in question >>>>>>>> + * >>>>>>>> + * Make a best guess about whether a io_uring "command" should >>>>>>>> + * be allowed. Use the same logic used for determining if the >>>>>>>> + * file could be opened for read in the absence of better criteria. >>>>>>>> + */ >>>>>>>> +static int smack_uring_cmd(struct io_uring_cmd *ioucmd) >>>>>>>> +{ >>>>>>>> + struct file *file = ioucmd->file; >>>>>>>> + struct smk_audit_info ad; >>>>>>>> + struct task_smack *tsp; >>>>>>>> + struct inode *inode; >>>>>>>> + int rc; >>>>>>>> + >>>>>>>> + if (!file) >>>>>>>> + return -EINVAL; >>>>>>> Perhaps this is a better question for Jens, but ioucmd->file is always >>>>>>> going to be valid when the LSM hook is called, yes? >>>>>> file will always be valid for uring commands, as they are marked as >>>>>> requiring a file. If no valid fd is given for it, it would've been >>>>>> errored early on, before reaching f_op->uring_cmd(). >>>>> Hey Casey, where do things stand with this patch? To be specific, did >>>>> you want me to include this in the lsm/stable-6.0 PR for Linus or are >>>>> you planning to send it separately? If you want me to send it up, are >>>>> you planning another revision? >>>>> >>>>> There is no right or wrong answer here as far as I'm concerned, I'm >>>>> just trying to make sure we are all on the same page. >>>> I think the whole LSM fix for io_uring looks better the more complete >>>> it is. I don't see the Smack check changing until such time as there's >>>> better information available to make decisions upon. If you send it along >>>> with the rest of the patch set I think we'll have done our best. >>> Okay, will do. Would you like me to tag the patch with the 'Fixes:' >>> and stable tags, similar to the LSM and SELinux patches? 
>> Yes, I think that's best.
> Done and merged to lsm/stable-6.0. I'm going to let the automated
> stuff do its thing and assuming no problems I'll plan to send it to
> Linus on Monday ... sending stuff like this last thing on a Friday is
> a little too risky for my tastes.

Agreed. Thank you.
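
Review bot: the `if (!file) return -EINVAL;` check at the top of smack_uring_cmd() looks unreachable given Jens's reply in this thread, which says uring commands are marked as requiring a file and a missing fd is rejected before f_op->uring_cmd() is reached. Either drop the check or keep it with a one-line comment saying it is purely defensive, so a later reader does not assume a NULL file is an expected input. In the kernel-doc block above it, "a io_uring" should read "an io_uring", and the comment does not say what the function returns; a short line on the return values (0 when allowed, a negative errno otherwise, if that is the intent) would help. The commit message notes that a cmd may be closer to a write than a read; since the visible comment only says "best guess", consider stating that limitation in the kernel-doc as well so the read-access choice is recorded next to the code.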