lsm,io_uring: add LSM hooks for the new uring_cmd file op

author Luis Chamberlain <mcgrof@kernel.org>

Fri, 15 Jul 2022 19:16:22 +0000 (12:16 -0700)

committer Paul Moore <paul@paul-moore.com>

Fri, 26 Aug 2022 15:19:43 +0000 (11:19 -0400)
author Luis Chamberlain <mcgrof@kernel.org>
Fri, 15 Jul 2022 19:16:22 +0000 (12:16 -0700)
committer Paul Moore <paul@paul-moore.com>
Fri, 26 Aug 2022 15:19:43 +0000 (11:19 -0400)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h

index 8064481730333deb7ac23e1d39541d138dc93b94..60fff133c0b17be7ad5647f26d990d15696d7695 100644 (file)
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -407,4 +407,5 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
  #ifdef CONFIG_IO_URING
  LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
  LSM_HOOK(int, 0, uring_sqpoll, void)
+LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
  #endif /* CONFIG_IO_URING */
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h

index 84a0d7e02176969b2a9549dbd58058ad1862e745..3aa6030302f5b9ff502d289213084ced64317158 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1582,6 +1582,9 @@
   *      Check whether the current task is allowed to spawn a io_uring polling
   *      thread (IORING_SETUP_SQPOLL).
   *
+ * @uring_cmd:
+ *      Check whether the file_operations uring_cmd is allowed to run.
+ *
   */
  union security_list_options {
         #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
diff --git a/include/linux/security.h b/include/linux/security.h

index 1bc362cb413f2ffa4e252d6a0dd75b60b452d0bc..7bd0c490703d325148bc96fb09ffcbdd22bdc19f 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2060,6 +2060,7 @@ static inline int security_perf_event_write(struct perf_event *event)
  #ifdef CONFIG_SECURITY
  extern int security_uring_override_creds(const struct cred *new);
  extern int security_uring_sqpoll(void);
+extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
  #else
  static inline int security_uring_override_creds(const struct cred *new)
  {
@@ -2069,6 +2070,10 @@ static inline int security_uring_sqpoll(void)
  {
         return 0;
  }
+static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+       return 0;
+}
  #endif /* CONFIG_SECURITY */
  #endif /* CONFIG_IO_URING */
  
diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c

index 8e0cc2d9205eaeeec162510d805932f176ff1bbc..0f7ad956ddcbb5192fd9a80029d1c0aa70f4e236 100644 (file)
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -3,6 +3,7 @@
  #include <linux/errno.h>
  #include <linux/file.h>
  #include <linux/io_uring.h>
+#include <linux/security.h>
  
  #include <uapi/linux/io_uring.h>
  
@@ -88,6 +89,10 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
         if (!req->file->f_op->uring_cmd)
                 return -EOPNOTSUPP;
  
+       ret = security_uring_cmd(ioucmd);
+       if (ret)
+               return ret;
+
         if (ctx->flags & IORING_SETUP_SQE128)
                 issue_flags |= IO_URING_F_SQE128;
         if (ctx->flags & IORING_SETUP_CQE32)
diff --git a/security/security.c b/security/security.c

index 14d30fec8a0031d2a2ed32dbd4e61fe1966e1dfb..4b95de24bc8dc2e15f315295b883d8a290fcd6fb 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -2660,4 +2660,8 @@ int security_uring_sqpoll(void)
  {
         return call_int_hook(uring_sqpoll, 0);
  }
+int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+       return call_int_hook(uring_cmd, 0, ioucmd);
+}
  #endif /* CONFIG_IO_URING */
author	Luis Chamberlain <mcgrof@kernel.org>
	Fri, 15 Jul 2022 19:16:22 +0000 (12:16 -0700)
committer	Paul Moore <paul@paul-moore.com>
	Fri, 26 Aug 2022 15:19:43 +0000 (11:19 -0400)
include/linux/lsm_hook_defs.h		patch \| blob \| history
include/linux/lsm_hooks.h		patch \| blob \| history
include/linux/security.h		patch \| blob \| history
io_uring/uring_cmd.c		patch \| blob \| history
security/security.c		patch \| blob \| history