--- /dev/null
+From 2a5840124009f133bd09fd855963551fb2cefe22 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Fri, 15 Jul 2022 12:16:22 -0700
+Subject: lsm,io_uring: add LSM hooks for the new uring_cmd file op
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 2a5840124009f133bd09fd855963551fb2cefe22 upstream.
+
+io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
+add infrastructure for uring-cmd"), this extended the struct
+file_operations to allow a new command which each subsystem can use
+to enable command passthrough. Add an LSM specific for the command
+passthrough which enables LSMs to inspect the command details.
+
+This was discussed long ago without no clear pointer for something
+conclusive, so this enables LSMs to at least reject this new file
+operation.
+
+[0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com
+
+Cc: stable@vger.kernel.org
+Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 1 +
+ include/linux/lsm_hooks.h | 3 +++
+ include/linux/security.h | 5 +++++
+ io_uring/io_uring.c | 4 ++++
+ security/security.c | 4 ++++
+ 5 files changed, 17 insertions(+)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struc
+ #ifdef CONFIG_IO_URING
+ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
+ LSM_HOOK(int, 0, uring_sqpoll, void)
++LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+ #endif /* CONFIG_IO_URING */
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1575,6 +1575,9 @@
+ * Check whether the current task is allowed to spawn a io_uring polling
+ * thread (IORING_SETUP_SQPOLL).
+ *
++ * @uring_cmd:
++ * Check whether the file_operations uring_cmd is allowed to run.
++ *
+ */
+ union security_list_options {
+ #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2051,6 +2051,7 @@ static inline int security_perf_event_wr
+ #ifdef CONFIG_SECURITY
+ extern int security_uring_override_creds(const struct cred *new);
+ extern int security_uring_sqpoll(void);
++extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
+ #else
+ static inline int security_uring_override_creds(const struct cred *new)
+ {
+@@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll(
+ {
+ return 0;
+ }
++static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
++{
++ return 0;
++}
+ #endif /* CONFIG_SECURITY */
+ #endif /* CONFIG_IO_URING */
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb
+ if (!req->file->f_op->uring_cmd)
+ return -EOPNOTSUPP;
+
++ ret = security_uring_cmd(ioucmd);
++ if (ret)
++ return ret;
++
+ if (ctx->flags & IORING_SETUP_SQE128)
+ issue_flags |= IO_URING_F_SQE128;
+ if (ctx->flags & IORING_SETUP_CQE32)
+--- a/security/security.c
++++ b/security/security.c
+@@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void)
+ {
+ return call_int_hook(uring_sqpoll, 0);
+ }
++int security_uring_cmd(struct io_uring_cmd *ioucmd)
++{
++ return call_int_hook(uring_cmd, 0, ioucmd);
++}
+ #endif /* CONFIG_IO_URING */
--- /dev/null
+From f4d653dcaa4e4056e1630423e6a8ece4869b544f Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Wed, 10 Aug 2022 15:55:36 -0400
+Subject: selinux: implement the security_uring_cmd() LSM hook
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit f4d653dcaa4e4056e1630423e6a8ece4869b544f upstream.
+
+Add a SELinux access control for the iouring IORING_OP_URING_CMD
+command. This includes the addition of a new permission in the
+existing "io_uring" object class: "cmd". The subject of the new
+permission check is the domain of the process requesting access, the
+object is the open file which points to the device/file that is the
+target of the IORING_OP_URING_CMD operation. A sample policy rule
+is shown below:
+
+ allow <domain> <file>:io_uring { cmd };
+
+Cc: stable@vger.kernel.org
+Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/hooks.c | 24 ++++++++++++++++++++++++
+ security/selinux/include/classmap.h | 2 +-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -91,6 +91,7 @@
+ #include <uapi/linux/mount.h>
+ #include <linux/fsnotify.h>
+ #include <linux/fanotify.h>
++#include <linux/io_uring.h>
+
+ #include "avc.h"
+ #include "objsec.h"
+@@ -6990,6 +6991,28 @@ static int selinux_uring_sqpoll(void)
+ return avc_has_perm(&selinux_state, sid, sid,
+ SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
+ }
++
++/**
++ * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
++ * @ioucmd: the io_uring command structure
++ *
++ * Check to see if the current domain is allowed to execute an
++ * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
++ *
++ */
++static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
++{
++ struct file *file = ioucmd->file;
++ struct inode *inode = file_inode(file);
++ struct inode_security_struct *isec = selinux_inode(inode);
++ struct common_audit_data ad;
++
++ ad.type = LSM_AUDIT_DATA_FILE;
++ ad.u.file = file;
++
++ return avc_has_perm(&selinux_state, current_sid(), isec->sid,
++ SECCLASS_IO_URING, IO_URING__CMD, &ad);
++}
+ #endif /* CONFIG_IO_URING */
+
+ /*
+@@ -7234,6 +7257,7 @@ static struct security_hook_list selinux
+ #ifdef CONFIG_IO_URING
+ LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
+ LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
++ LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+ #endif
+
+ /*
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -253,7 +253,7 @@ const struct security_class_mapping secc
+ { "anon_inode",
+ { COMMON_FILE_PERMS, NULL } },
+ { "io_uring",
+- { "override_creds", "sqpoll", NULL } },
++ { "override_creds", "sqpoll", "cmd", NULL } },
+ { NULL }
+ };
+
hwmon-tps23861-fix-byte-order-in-resistance-register.patch
asoc-mchp-spdiftx-remove-references-to-mchp_i2s_caps.patch
asoc-mchp-spdiftx-fix-clang-wbitfield-constant-conversion.patch
+lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch
+selinux-implement-the-security_uring_cmd-lsm-hook.patch
+smack-provide-read-control-for-io_uring_cmd.patch
--- /dev/null
+From dd9373402280cf4715fdc8fd5070f7d039e43511 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Tue, 23 Aug 2022 16:46:18 -0700
+Subject: Smack: Provide read control for io_uring_cmd
+
+From: Casey Schaufler <casey@schaufler-ca.com>
+
+commit dd9373402280cf4715fdc8fd5070f7d039e43511 upstream.
+
+Limit io_uring "cmd" options to files for which the caller has
+Smack read access. There may be cases where the cmd option may
+be closer to a write access than a read, but there is no way
+to make that determination.
+
+Cc: stable@vger.kernel.org
+Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -42,6 +42,7 @@
+ #include <linux/fs_context.h>
+ #include <linux/fs_parser.h>
+ #include <linux/watch_queue.h>
++#include <linux/io_uring.h>
+ #include "smack.h"
+
+ #define TRANS_TRUE "TRUE"
+@@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void)
+ return -EPERM;
+ }
+
++/**
++ * smack_uring_cmd - check on file operations for io_uring
++ * @ioucmd: the command in question
++ *
++ * Make a best guess about whether a io_uring "command" should
++ * be allowed. Use the same logic used for determining if the
++ * file could be opened for read in the absence of better criteria.
++ */
++static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
++{
++ struct file *file = ioucmd->file;
++ struct smk_audit_info ad;
++ struct task_smack *tsp;
++ struct inode *inode;
++ int rc;
++
++ if (!file)
++ return -EINVAL;
++
++ tsp = smack_cred(file->f_cred);
++ inode = file_inode(file);
++
++ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
++ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++ rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
++ rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
++
++ return rc;
++}
++
+ #endif /* CONFIG_IO_URING */
+
+ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
+@@ -4896,6 +4927,7 @@ static struct security_hook_list smack_h
+ #ifdef CONFIG_IO_URING
+ LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
+ LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
++ LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
+ #endif
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
