This patchset provides the changes required for controlling access to the io_uring_setup system call by LSMs. It does this by adding a new hook to io_uring. It also provides the SELinux implementation for a new permission, io_uring { setup }, using the new hook.

This is important because existing io_uring hooks only support limiting the sharing of credentials and access to the sensitive uring_cmd file op. Users of LSMs may also want the ability to tightly control which callers can retrieve an io_uring capable fd from the kernel, which is needed for all subsequent io_uring operations.

This was tested by running the liburing test suite on a kernel containing these patches.

Gil Cukierman (2):
  lsm,io_uring: add LSM hook for io_uring_setup
  selinux: add support for the io_uring setup permission

 include/linux/lsm_hook_defs.h       |  1 +
 include/linux/lsm_hooks.h           |  3 +++
 include/linux/security.h            |  5 +++++
 io_uring/io_uring.c                 |  5 +++++
 security/security.c                 |  4 ++++
 security/selinux/hooks.c            | 13 +++++++++++++
 security/selinux/include/classmap.h |  2 +-
 7 files changed, 32 insertions(+), 1 deletion(-)

--
2.38.0.135.g90850a2211-goog