git.itanic.dy.fi Git - linux-stable/commit
selinux: implement the security_uring_cmd() LSM hook
author Paul Moore <paul@paul-moore.com>
Wed, 10 Aug 2022 19:55:36 +0000 (15:55 -0400)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Sep 2022 08:47:18 +0000 (10:47 +0200)
commit 2ad39828ee35c87e9a7eff735a4fc1ef90ba863a
tree b670694e785989e6d4d3bfb9d2eeac714a221934
parent 13069e1c8fef9b6f959784cc89ddbf75b31eef36
selinux: implement the security_uring_cmd() LSM hook

commit f4d653dcaa4e4056e1630423e6a8ece4869b544f upstream.

Add a SELinux access control for the iouring IORING_OP_URING_CMD
command.  This includes the addition of a new permission in the
existing "io_uring" object class: "cmd".  The subject of the new
permission check is the domain of the process requesting access, the
object is the open file which points to the device/file that is the
target of the IORING_OP_URING_CMD operation.  A sample policy rule
is shown below:

  allow <domain> <file>:io_uring { cmd };

Cc: stable@vger.kernel.org
Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
security/selinux/hooks.c
security/selinux/include/classmap.h
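
Added example, not part of the commit or of the kernel source: a Python filter that picks AVC denials for the io_uring "cmd" permission out of audit records and groups them into candidate rules of the form shown in the commit message, so each one can be reviewed before it goes into policy. The audit records, the domain and type names (bench_t, nvme_device_t) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the page); bench_t / nvme_device_t are hypothetical.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1662000000.101:901): avc:  denied  { cmd } for  pid=4211 comm="nvme-bench" path="/dev/ng0n1" dev="devtmpfs" ino=412 scontext=system_u:system_r:bench_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1662000000.204:902): avc:  denied  { sqpoll } for  pid=4211 comm="nvme-bench" scontext=system_u:system_r:bench_t:s0 tcontext=system_u:system_r:bench_t:s0 tclass=io_uring permissive=0
type=AVC msg=audit(1662000001.310:903): avc:  denied  { read } for  pid=977 comm="cat" path="/dev/ng0n1" dev="devtmpfs" ino=412 scontext=system_u:system_r:user_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1662000002.007:904): avc:  denied  { cmd } for  pid=4300 comm="nvme-bench" path="/dev/ng0n1" dev="devtmpfs" ino=412 scontext=system_u:system_r:bench_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=io_uring permissive=1
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None

def uring_cmd_denials(audit_text):
    """Yield (domain, file_type, path, permissive) per io_uring { cmd } denial."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or 'cmd' not in m.group('perms').split():
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        if f.get('tclass') != 'io_uring':
            continue  # e.g. a chr_file denial on the same device node
        dom = context_type(f.get('scontext', ''))
        typ = context_type(f.get('tcontext', ''))
        if dom and typ:
            yield dom, typ, f.get('path', '?'), f.get('permissive') == '1'

def candidate_rules(audit_text):
    """Map each candidate allow rule to the target paths that triggered it."""
    seen = defaultdict(set)
    for dom, typ, path, _ in uring_cmd_denials(audit_text):
        seen[(dom, typ)].add(path)
    return {f'allow {d} {t}:io_uring {{ cmd }};': sorted(p)
            for (d, t), p in seen.items()}

if __name__ == '__main__':
    for rule, paths in candidate_rules(SAMPLE_AUDIT).items():
        print(rule, '# targets:', ', '.join(paths))
```
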