On Fri, Jan 19, 2024 at 11:33:37AM -0500, Paul Moore wrote: > Hello all, > > I just noticed the recent addition of IORING_OP_FIXED_FD_INSTALL and I > see that it is currently written to skip the io_uring auditing. > Assuming I'm understanding the patch correctly, and I'll admit that > I've only looked at it for a short time today, my gut feeling is that > we want to audit the FIXED_FD_INSTALL opcode as it could make a > previously io_uring-only fd generally accessible to userspace. > > I'm also trying to determine how worried we should be about > io_install_fixed_fd() potentially happening with the current task's > credentials overridden by the io_uring's personality. Given that this > io_uring operation inserts a fd into the current process, I believe > that we should be checking to see if the current task's credentials, > and not the io_uring's credentials/personality, are allowed to receive > the fd in receive_fd()/security_file_receive(). I don't see an > obvious way to filter/block credential overrides on a per-opcode > basis, but if we don't want to add a mask for io_kiocb::flags in > io_issue_defs (or something similar), perhaps we can forcibly mask out > REQ_F_CREDS in io_install_fixed_fd_prep()? I'm very interested to > hear what others think about this. Right, completely forgot about the creds support in io_uring. Just disallow this together with FIXED_FD_INSTALL. That's also the gist of the rest of this thread iiuc.
