• lsm,io_uring: add LSM hooks to io_uring · cdc1404a
    Paul Moore authored
    A full explanation of io_uring is beyond the scope of this commit
    description, but in summary it is an asynchronous I/O mechanism
    which allows for I/O requests and the resulting data to be queued
    in memory mapped "rings" which are shared between the kernel and
    userspace.  Optionally, io_uring offers the ability for applications
    to spawn kernel threads to dequeue I/O requests from the ring and
    submit the requests in the kernel, helping to minimize the syscall
    overhead.  Rings are accessed in userspace by memory mapping a file
    descriptor provided by io_uring_setup(2), and can be shared
    between applications as one might do with any open file descriptor.
    Finally, process credentials can be registered with a given ring
    and any process with access to that ring can submit I/O requests
    using any of the registered credentials.
    
    While the io_uring functionality is widely recognized as offering a
    vastly improved, and high performing asynchronous I/O mechanism, its
    ability to allow processes to submit I/O requests with credentials
    other than their own presents a challenge to LSMs.  When a process
    creates a new io_uring ring, the ring's credentials are inherited
    from the calling process; if this ring is shared with another
    process operating with different credentials there is the potential
    to bypass the LSM's security policy.  Similarly, registering
    credentials with a given ring allows any process with access to that
    ring to submit I/O requests with those credentials.
    
    In an effort to allow LSMs to apply security policy to io_uring I/O
    operations, this patch adds two new LSM hooks.  These hooks, in
    conjunction with the LSM anonymous inode support previously
    submitted, allow an LSM to apply access control policy to the
    sharing of io_uring rings as well as any io_uring credential changes
    requested by a process.
    
    The new LSM hooks are described below:
    
     * int security_uring_override_creds(cred)
       Controls if the current task, executing an io_uring operation,
       is allowed to override its credentials with @cred.  In cases
       where the current task is a user application, the current
       credentials will be those of the user application.  In cases
       where the current task is a kernel thread servicing io_uring
       requests the current credentials will be those of the io_uring
       ring (inherited from the process that created the ring).
    
     * int security_uring_sqpoll(void)
       Controls if the current task is allowed to create an io_uring
       polling thread (IORING_SETUP_SQPOLL).  Without a SQPOLL thread
       in the kernel, processes must submit I/O requests via
       io_uring_enter(2), which allows us to compare any requested
       credential changes against the application making the request.
       With a SQPOLL thread, we can no longer compare requested
       credential changes against the application making the request;
       the comparison is made against the ring's credentials.
    Signed-off-by: Paul Moore <paul@paul-moore.com>
security.c 65.9 KB
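
The following userspace model is an added example, not code from this commit or from the kernel. It shows which credentials the override check is made against with and without a SQPOLL thread, as the commit message describes; the domains, the policy tables and the `model_*` and `submit_with_creds` names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: a "domain" stands in for an LSM security label. */
enum domain { DOM_WEB, DOM_BACKUP, DOM_ADMIN, DOM_COUNT };

/* Constructed policy: may_override[current][requested]. */
static const bool may_override[DOM_COUNT][DOM_COUNT] = {
    [DOM_WEB]    = { [DOM_WEB] = true },
    [DOM_BACKUP] = { [DOM_BACKUP] = true, [DOM_ADMIN] = true },
    [DOM_ADMIN]  = { [DOM_ADMIN] = true },
};
/* Constructed policy: which domains may create a SQPOLL ring. */
static const bool may_sqpoll[DOM_COUNT] = { [DOM_BACKUP] = true };

struct ring { enum domain creator; bool sqpoll; };

/* Models security_uring_sqpoll(): decided against the task creating the ring. */
int model_uring_sqpoll(enum domain caller)
{
    return may_sqpoll[caller] ? 0 : -EACCES;
}

/* Models security_uring_override_creds(cred): current creds vs. @cred. */
int model_uring_override_creds(enum domain current, enum domain requested)
{
    return may_override[current][requested] ? 0 : -EACCES;
}

/* Per the commit text: io_uring_enter(2) runs as the submitting application,
 * while a SQPOLL kernel thread runs with the ring's (creator's) credentials. */
int submit_with_creds(const struct ring *r, enum domain submitter,
                      enum domain requested)
{
    enum domain current = r->sqpoll ? r->creator : submitter;
    return model_uring_override_creds(current, requested);
}

int main(void)
{
    struct ring plain  = { .creator = DOM_BACKUP, .sqpoll = false };
    struct ring polled = { .creator = DOM_BACKUP, .sqpoll = true };
    /* A DOM_WEB process holding the shared ring asks for DOM_ADMIN creds. */
    printf("no SQPOLL: %d\n", submit_with_creds(&plain, DOM_WEB, DOM_ADMIN));
    printf("SQPOLL:    %d\n", submit_with_creds(&polled, DOM_WEB, DOM_ADMIN));
    printf("DOM_WEB creating a SQPOLL ring: %d\n", model_uring_sqpoll(DOM_WEB));
    return 0;
}
```

In this model the same request is denied on the plain ring and permitted on the SQPOLL ring, because the check is then made against the creator's domain; the separate SQPOLL check at ring creation is where policy can account for that.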