lsm,io_uring: add LSM hooks for the new uring_cmd file op
authorLuis Chamberlain <mcgrof@kernel.org>
Fri, 15 Jul 2022 19:16:22 +0000 (12:16 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Sep 2022 08:47:18 +0000 (10:47 +0200)
commit 2a5840124009f133bd09fd855963551fb2cefe22 upstream.

io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
add infrastructure for uring-cmd"), this extended the struct
file_operations to allow a new command which each subsystem can use
to enable command passthrough. Add an LSM specific for the command
passthrough which enables LSMs to inspect the command details.

This was discussed long ago without any clear pointer for something
conclusive, so this enables LSMs to at least reject this new file
operation.

[0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com

Cc: stable@vger.kernel.org
Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
Acked-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/linux/lsm_hook_defs.h
include/linux/lsm_hooks.h
include/linux/security.h
io_uring/io_uring.c
security/security.c

index eafa1d2489fdac3d7e48b1e24f7795b89b859887..4e94755098f19f94218672fc7c9a82b45298b857 100644 (file)
@@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
 #ifdef CONFIG_IO_URING
 LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
 LSM_HOOK(int, 0, uring_sqpoll, void)
+LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
 #endif /* CONFIG_IO_URING */
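Review bot: The new `uring_cmd` hook is declared with a default of 0, and the file list of this commit touches nothing under security/ except security.c, so every uring_cmd passthrough is still permitted after this change. The hook becomes a control only once an LSM registers a handler for it; until then policy cannot restrict the operation. A one-line comment above the entry would record that for readers of the hook table, for example `/* default 0 (allow): no effect until an LSM implements uring_cmd */`.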
index 91c8146649f59086400efdbf5ee4033c8db0dd06..b681cfce6190afe85ee769b5870422242c6dd163 100644 (file)
  *      Check whether the current task is allowed to spawn a io_uring polling
  *      thread (IORING_SETUP_SQPOLL).
  *
+ * @uring_cmd:
+ *      Check whether the file_operations uring_cmd is allowed to run.
+ *
  */
 union security_list_options {
        #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
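Review bot: The `@uring_cmd` kernel-doc added here describes neither the hook's argument nor its return convention. An LSM author has to learn from the io_uring.c call site in this commit that a non-zero return aborts the command before the driver sees it. I would add `@ioucmd: the io_uring command about to be passed to the file's uring_cmd handler.` and `Return 0 if permission is granted.` The comment block starts outside the hunk, so the layout used by the neighbouring hook entries should be checked and matched.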
index 7fc4e9f49f542b521afb53514f1229bca0683edc..3cc127bb5bfd4d528d827c4158f936a5bafc5904 100644 (file)
@@ -2051,6 +2051,7 @@ static inline int security_perf_event_write(struct perf_event *event)
 #ifdef CONFIG_SECURITY
 extern int security_uring_override_creds(const struct cred *new);
 extern int security_uring_sqpoll(void);
+extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
 #else
 static inline int security_uring_override_creds(const struct cred *new)
 {
@@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(void)
 {
        return 0;
 }
+static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+       return 0;
+}
 #endif /* CONFIG_SECURITY */
 #endif /* CONFIG_IO_URING */
 
index effe3570a051ff0cf3198160b663f315b87f1be6..48833d0edd089262a623420e3dc2ad66fe943e76 100644 (file)
@@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
        if (!req->file->f_op->uring_cmd)
                return -EOPNOTSUPP;
 
+       ret = security_uring_cmd(ioucmd);
+       if (ret)
+               return ret;
+
        if (ctx->flags & IORING_SETUP_SQE128)
                issue_flags |= IO_URING_F_SQE128;
        if (ctx->flags & IORING_SETUP_CQE32)
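Review bot: The call to `security_uring_cmd()` carries no comment on what it mediates, and it appears to be the only LSM check on this path before the driver's `->uring_cmd` handler runs. Commands submitted through io_uring do not enter via the ioctl syscall, so the ioctl-side LSM hook is presumably never reached for them. I would add `/* only LSM check for passthrough; the ioctl hook is not reached on this path */` above the call. The `-EOPNOTSUPP` test runs first, so a caller the LSM would deny can still tell whether a file implements uring_cmd. `ret` and `ioucmd` are declared outside the hunk, and the function body continues past it.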
index 188b8f7822206042dfbefb2764e611029a0b78a0..8b62654ff3f97a73aeeb60025f756abe15dc6fab 100644 (file)
@@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void)
 {
        return call_int_hook(uring_sqpoll, 0);
 }
+int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+       return call_int_hook(uring_cmd, 0, ioucmd);
+}
 #endif /* CONFIG_IO_URING */