Hello all,

I just noticed the recent addition of IORING_OP_FIXED_FD_INSTALL and I see that it is currently written to skip the io_uring auditing. Assuming I'm understanding the patch correctly, and I'll admit that I've only looked at it for a short time today, my gut feeling is that we want to audit the FIXED_FD_INSTALL opcode as it could make a previously io_uring-only fd generally accessible to userspace.

I'm also trying to determine how worried we should be about io_install_fixed_fd() potentially happening with the current task's credentials overridden by the io_uring's personality. Given that this io_uring operation inserts a fd into the current process, I believe that we should be checking to see if the current task's credentials, and not the io_uring's credentials/personality, are allowed to receive the fd in receive_fd()/security_file_receive().

I don't see an obvious way to filter/block credential overrides on a per-opcode basis, but if we don't want to add a mask for io_kiocb::flags in io_issue_defs (or something similar), perhaps we can forcibly mask out REQ_F_CREDS in io_install_fixed_fd_prep()?

I'm very interested to hear what others think about this. Of course if I'm reading the commit or misunderstanding the IORING_OP_FIXED_FD_INSTALL operation, corrections are welcome :)

--
paul-moore.com
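The credential concern raised above, illustrated with an added, deliberately simplified userspace model (this is not kernel code and not part of the original message; the structs, the `install_fixed_fd_prep()` mask parameter, and the "may receive fd" bit standing in for security_file_receive() are assumptions made for illustration). It shows why it matters which credentials the receive check sees: when a request carries REQ_F_CREDS, the op runs under the personality's credentials, so a task that is itself not permitted to receive an fd could still have one installed into its table. Masking REQ_F_CREDS in the prep step makes the check run against the task's own credentials.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the io_uring request flag that carries a personality. */
#define REQ_F_CREDS (1u << 0)

enum opcode { OP_READ, OP_FIXED_FD_INSTALL };

/* Assumed stand-in for struct cred: the LSM answer to "may this subject
 * receive an fd?" is collapsed into a single boolean. */
struct cred {
    unsigned uid;
    bool may_receive_fd;
};

/* Assumed stand-in for task_struct: real creds vs. currently effective creds. */
struct task {
    const struct cred *real_cred;
    const struct cred *cred;
};

/* Assumed stand-in for io_kiocb: opcode, flags and the personality creds. */
struct req {
    enum opcode opcode;
    uint32_t flags;
    const struct cred *personality;
};

/* Model of security_file_receive(): decides on the *effective* creds. */
static int file_receive_check(const struct task *t)
{
    return t->cred->may_receive_fd ? 0 : -1; /* -1 plays the role of -EPERM */
}

/* Model of io_install_fixed_fd(): installs into the current task, so it must
 * pass the receive check. */
static int install_fixed_fd(struct task *t)
{
    return file_receive_check(t);
}

/* Model of io_install_fixed_fd_prep(): the proposed mitigation, i.e. forcibly
 * dropping REQ_F_CREDS so the op cannot run under the personality. */
static void install_fixed_fd_prep(struct req *r, bool mask_creds)
{
    if (mask_creds)
        r->flags &= ~REQ_F_CREDS;
}

/* Model of the issue path: override creds for the duration of the op when
 * REQ_F_CREDS is set, then revert. */
static int issue(struct task *t, struct req *r)
{
    const struct cred *saved = t->cred;
    int ret;

    if (r->flags & REQ_F_CREDS)
        t->cred = r->personality;   /* override_creds() */

    switch (r->opcode) {
    case OP_FIXED_FD_INSTALL:
        ret = install_fixed_fd(t);
        break;
    default:
        ret = 0;
    }

    t->cred = saved;                /* revert_creds() */
    return ret;
}

/* Scenario (constructed): the task is NOT allowed to receive fds, but the
 * io_uring personality is. Returns 0 if the install would be permitted. */
int install_result(bool mask_creds_in_prep)
{
    static const struct cred task_cred   = { 1000, false };
    static const struct cred personality = { 0,    true  };
    struct task t = { &task_cred, &task_cred };
    struct req r = { OP_FIXED_FD_INSTALL, REQ_F_CREDS, &personality };

    install_fixed_fd_prep(&r, mask_creds_in_prep);
    return issue(&t, &r);
}

int main(void)
{
    printf("without mask: %d (fd installed despite task lacking permission)\n",
           install_result(false));
    printf("with mask:    %d (check made against task's own creds)\n",
           install_result(true));
    return 0;
}
```

The unmasked path returns 0 because the receive check saw the personality's credentials; with REQ_F_CREDS masked in prep the same request is refused, which is the behaviour the message argues for. A per-opcode flag mask in io_issue_defs would reach the same outcome more generally; the prep-time mask is just the narrowest version of it.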