From: Greg Kroah-Hartman Date: Sun, 11 Sep 2022 11:35:39 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v5.19.9~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c619b57a5f1a7ba0a85ee332f90b236830fbecd2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch selinux-implement-the-security_uring_cmd-lsm-hook.patch smack-provide-read-control-for-io_uring_cmd.patch --- diff --git a/queue-5.19/lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch b/queue-5.19/lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch new file mode 100644 index 00000000000..0b58076caab --- /dev/null +++ b/queue-5.19/lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch @@ -0,0 +1,100 @@ +From 2a5840124009f133bd09fd855963551fb2cefe22 Mon Sep 17 00:00:00 2001 +From: Luis Chamberlain +Date: Fri, 15 Jul 2022 12:16:22 -0700 +Subject: lsm,io_uring: add LSM hooks for the new uring_cmd file op + +From: Luis Chamberlain + +commit 2a5840124009f133bd09fd855963551fb2cefe22 upstream. + +io-uring cmd support was added through ee692a21e9bf ("fs,io_uring: +add infrastructure for uring-cmd"), this extended the struct +file_operations to allow a new command which each subsystem can use +to enable command passthrough. Add an LSM specific for the command +passthrough which enables LSMs to inspect the command details. + +This was discussed long ago without no clear pointer for something +conclusive, so this enables LSMs to at least reject this new file +operation. + +[0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com + +Cc: stable@vger.kernel.org +Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd") +Signed-off-by: Luis Chamberlain +Acked-by: Jens Axboe +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lsm_hook_defs.h | 1 + + include/linux/lsm_hooks.h | 3 +++ + include/linux/security.h | 5 +++++ + io_uring/io_uring.c | 4 ++++ + security/security.c | 4 ++++ + 5 files changed, 17 insertions(+) + +--- a/include/linux/lsm_hook_defs.h ++++ b/include/linux/lsm_hook_defs.h +@@ -406,4 +406,5 @@ LSM_HOOK(int, 0, perf_event_write, struc + #ifdef CONFIG_IO_URING + LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) + LSM_HOOK(int, 0, uring_sqpoll, void) ++LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) + #endif /* CONFIG_IO_URING */ +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -1575,6 +1575,9 @@ + * Check whether the current task is allowed to spawn a io_uring polling + * thread (IORING_SETUP_SQPOLL). + * ++ * @uring_cmd: ++ * Check whether the file_operations uring_cmd is allowed to run. ++ * + */ + union security_list_options { + #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -2051,6 +2051,7 @@ static inline int security_perf_event_wr + #ifdef CONFIG_SECURITY + extern int security_uring_override_creds(const struct cred *new); + extern int security_uring_sqpoll(void); ++extern int security_uring_cmd(struct io_uring_cmd *ioucmd); + #else + static inline int security_uring_override_creds(const struct cred *new) + { +@@ -2060,6 +2061,10 @@ static inline int security_uring_sqpoll( + { + return 0; + } ++static inline int security_uring_cmd(struct io_uring_cmd *ioucmd) ++{ ++ return 0; ++} + #endif /* CONFIG_SECURITY */ + #endif /* CONFIG_IO_URING */ + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -4878,6 +4878,10 @@ static int io_uring_cmd(struct io_kiocb + if (!req->file->f_op->uring_cmd) + return -EOPNOTSUPP; + ++ ret = security_uring_cmd(ioucmd); ++ if (ret) ++ return ret; ++ + if (ctx->flags & IORING_SETUP_SQE128) + issue_flags |= IO_URING_F_SQE128; + if (ctx->flags & IORING_SETUP_CQE32) +--- a/security/security.c ++++ b/security/security.c +@@ -2654,4 +2654,8 @@ int security_uring_sqpoll(void) + { + return call_int_hook(uring_sqpoll, 0); + } ++int security_uring_cmd(struct io_uring_cmd *ioucmd) ++{ ++ return call_int_hook(uring_cmd, 0, ioucmd); ++} + #endif /* CONFIG_IO_URING */ diff --git a/queue-5.19/selinux-implement-the-security_uring_cmd-lsm-hook.patch b/queue-5.19/selinux-implement-the-security_uring_cmd-lsm-hook.patch new file mode 100644 index 00000000000..4a4ef61bb97 --- /dev/null +++ b/queue-5.19/selinux-implement-the-security_uring_cmd-lsm-hook.patch @@ -0,0 +1,86 @@ +From f4d653dcaa4e4056e1630423e6a8ece4869b544f Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 10 Aug 2022 15:55:36 -0400 +Subject: selinux: implement the security_uring_cmd() LSM hook + +From: Paul Moore + +commit f4d653dcaa4e4056e1630423e6a8ece4869b544f upstream. + +Add a SELinux access control for the iouring IORING_OP_URING_CMD +command. This includes the addition of a new permission in the +existing "io_uring" object class: "cmd". The subject of the new +permission check is the domain of the process requesting access, the +object is the open file which points to the device/file that is the +target of the IORING_OP_URING_CMD operation. A sample policy rule +is shown below: + + allow :io_uring { cmd }; + +Cc: stable@vger.kernel.org +Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd") +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 24 ++++++++++++++++++++++++ + security/selinux/include/classmap.h | 2 +- + 2 files changed, 25 insertions(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -91,6 +91,7 @@ + #include + #include + #include ++#include + + #include "avc.h" + #include "objsec.h" +@@ -6990,6 +6991,28 @@ static int selinux_uring_sqpoll(void) + return avc_has_perm(&selinux_state, sid, sid, + SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); + } ++ ++/** ++ * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed ++ * @ioucmd: the io_uring command structure ++ * ++ * Check to see if the current domain is allowed to execute an ++ * IORING_OP_URING_CMD against the device/file specified in @ioucmd. ++ * ++ */ ++static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) ++{ ++ struct file *file = ioucmd->file; ++ struct inode *inode = file_inode(file); ++ struct inode_security_struct *isec = selinux_inode(inode); ++ struct common_audit_data ad; ++ ++ ad.type = LSM_AUDIT_DATA_FILE; ++ ad.u.file = file; ++ ++ return avc_has_perm(&selinux_state, current_sid(), isec->sid, ++ SECCLASS_IO_URING, IO_URING__CMD, &ad); ++} + #endif /* CONFIG_IO_URING */ + + /* +@@ -7234,6 +7257,7 @@ static struct security_hook_list selinux + #ifdef CONFIG_IO_URING + LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), + LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), ++ LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), + #endif + + /* +--- a/security/selinux/include/classmap.h ++++ b/security/selinux/include/classmap.h +@@ -253,7 +253,7 @@ const struct security_class_mapping secc + { "anon_inode", + { COMMON_FILE_PERMS, NULL } }, + { "io_uring", +- { "override_creds", "sqpoll", NULL } }, ++ { "override_creds", "sqpoll", "cmd", NULL } }, + { NULL } + }; + diff --git a/queue-5.19/series b/queue-5.19/series index 27aa9e57111..ae7622e06a5 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -156,3 +156,6 @@ perf-record-fix-synthesis-failure-warnings.patch hwmon-tps23861-fix-byte-order-in-resistance-register.patch asoc-mchp-spdiftx-remove-references-to-mchp_i2s_caps.patch asoc-mchp-spdiftx-fix-clang-wbitfield-constant-conversion.patch +lsm-io_uring-add-lsm-hooks-for-the-new-uring_cmd-file-op.patch +selinux-implement-the-security_uring_cmd-lsm-hook.patch +smack-provide-read-control-for-io_uring_cmd.patch diff --git a/queue-5.19/smack-provide-read-control-for-io_uring_cmd.patch b/queue-5.19/smack-provide-read-control-for-io_uring_cmd.patch new file mode 100644 index 00000000000..cb0fd5a5184 --- /dev/null +++ b/queue-5.19/smack-provide-read-control-for-io_uring_cmd.patch @@ -0,0 +1,78 @@ +From dd9373402280cf4715fdc8fd5070f7d039e43511 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Tue, 23 Aug 2022 16:46:18 -0700 +Subject: Smack: Provide read control for io_uring_cmd + +From: Casey Schaufler + +commit dd9373402280cf4715fdc8fd5070f7d039e43511 upstream. + +Limit io_uring "cmd" options to files for which the caller has +Smack read access. There may be cases where the cmd option may +be closer to a write access than a read, but there is no way +to make that determination. + +Cc: stable@vger.kernel.org +Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd") +Signed-off-by: Casey Schaufler +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + #include "smack.h" + + #define TRANS_TRUE "TRUE" +@@ -4739,6 +4740,36 @@ static int smack_uring_sqpoll(void) + return -EPERM; + } + ++/** ++ * smack_uring_cmd - check on file operations for io_uring ++ * @ioucmd: the command in question ++ * ++ * Make a best guess about whether a io_uring "command" should ++ * be allowed. Use the same logic used for determining if the ++ * file could be opened for read in the absence of better criteria. ++ */ ++static int smack_uring_cmd(struct io_uring_cmd *ioucmd) ++{ ++ struct file *file = ioucmd->file; ++ struct smk_audit_info ad; ++ struct task_smack *tsp; ++ struct inode *inode; ++ int rc; ++ ++ if (!file) ++ return -EINVAL; ++ ++ tsp = smack_cred(file->f_cred); ++ inode = file_inode(file); ++ ++ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); ++ smk_ad_setfield_u_fs_path(&ad, file->f_path); ++ rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); ++ rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); ++ ++ return rc; ++} ++ + #endif /* CONFIG_IO_URING */ + + struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { +@@ -4896,6 +4927,7 @@ static struct security_hook_list smack_h + #ifdef CONFIG_IO_URING + LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), + LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), ++ LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), + #endif + }; +