[PATCH v3 5/8] io_uring: convert io_uring to the secure anon inode interface
Converting io_uring's anonymous inode to the secure anon inode API enables LSMs to enforce policy on the io_uring anonymous inodes if they chose to do so. This is an important first step towards providing the necessary mechanisms so that LSMs can apply security policy to io_uring operations. Signed-off-by: Paul Moore --- v3: - no change v2: - no change v1: - initial draft --- fs/io_uring.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 388754b24785..56cc9aba0d01 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -10155,8 +10155,8 @@ static struct file *io_uring_get_file(struct io_ring_ctx *ctx) return ERR_PTR(ret); #endif - file = anon_inode_getfile("[io_uring]", _uring_fops, ctx, - O_RDWR | O_CLOEXEC); + file = anon_inode_getfile_secure("[io_uring]", _uring_fops, ctx, +O_RDWR | O_CLOEXEC, NULL); #if defined(CONFIG_UNIX) if (IS_ERR(file)) { sock_release(ctx->ring_sock); -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
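Review bot: the converted call passes NULL as context_inode, so an LSM's inode_init_security_anon() has only the "[io_uring]" name to classify the ring's inode; the description should state that a freshly created ring has no related inode to pass, so that policy is expected to key off the name alone. The unchanged IS_ERR(file) handling after the call also covers the new case where the LSM refuses the inode, which is worth a sentence in the description as well.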
[PATCH v3 8/8] Smack: Brutalist io_uring support with debug
From: Casey Schaufler Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE for the override_creds case and CAP_MAC_ADMIN for creating a polling thread. These choices are based on conjecture regarding the intent of the surrounding code. Signed-off-by: Casey Schaufler [PM: make the smack_uring_* funcs static, remove debug code] Signed-off-by: Paul Moore --- v3: - removed debug code v2: - made the smack_uring_* funcs static v1: - initial draft --- security/smack/smack_lsm.c | 46 1 file changed, 46 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index cacbe7518519..f90ab1efeb6d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4691,6 +4691,48 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, return 0; } +#ifdef CONFIG_IO_URING +/** + * smack_uring_override_creds - Is io_uring cred override allowed? + * @new: the target creds + * + * Check to see if the current task is allowed to override it's credentials + * to service an io_uring operation. + */ +static int smack_uring_override_creds(const struct cred *new) +{ + struct task_smack *tsp = smack_cred(current_cred()); + struct task_smack *nsp = smack_cred(new); + + /* +* Allow the degenerate case where the new Smack value is +* the same as the current Smack value. +*/ + if (tsp->smk_task == nsp->smk_task) + return 0; + + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) + return 0; + + return -EPERM; +} + +/** + * smack_uring_sqpoll - check if a io_uring polling thread can be created + * + * Check to see if the current task is allowed to create a new io_uring + * kernel polling thread. + */ +static int smack_uring_sqpoll(void) +{ + if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) + return 0; + + return -EPERM; +} + +#endif /* CONFIG_IO_URING */ + struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct task_smack), .lbs_file = sizeof(struct smack_known *), 
@@ -4843,6 +4885,10 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), +#ifdef CONFIG_IO_URING + LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), + LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), +#endif }; -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
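Review bot: typo in the kerneldoc of smack_uring_override_creds(): "override it's credentials" should read "its credentials". In the same hunk the degenerate-case test compares tsp->smk_task and nsp->smk_task by pointer; if these are always interned struct smack_known objects, say so in the comment, otherwise a later reader may "fix" it into a label string compare.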
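Review bot: the subject line still says "with debug" although the v3 changelog says the debug code was removed; drop it so the hook registration matches what the patch now is. The two LSM_HOOK_INIT entries are wrapped in the same #ifdef CONFIG_IO_URING as the functions they reference, which is correct, but the description could also explain why sqpoll is gated on CAP_MAC_ADMIN while cred override uses CAP_MAC_OVERRIDE, since it admits the choice is conjecture.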
[PATCH v3 6/8] lsm,io_uring: add LSM hooks to io_uring
A full explanation of io_uring is beyond the scope of this commit description, but in summary it is an asynchronous I/O mechanism which allows for I/O requests and the resulting data to be queued in memory mapped "rings" which are shared between the kernel and userspace. Optionally, io_uring offers the ability for applications to spawn kernel threads to dequeue I/O requests from the ring and submit the requests in the kernel, helping to minimize the syscall overhead. Rings are accessed in userspace by memory mapping a file descriptor provided by the io_uring_setup(2), and can be shared between applications as one might do with any open file descriptor. Finally, process credentials can be registered with a given ring and any process with access to that ring can submit I/O requests using any of the registered credentials. While the io_uring functionality is widely recognized as offering a vastly improved, and high performing asynchronous I/O mechanism, its ability to allow processes to submit I/O requests with credentials other than its own presents a challenge to LSMs. When a process creates a new io_uring ring the ring's credentials are inherited from the calling process; if this ring is shared with another process operating with different credentials there is the potential to bypass the LSM's security policy. Similarly, registering credentials with a given ring allows any process with access to that ring to submit I/O requests with those credentials. In an effort to allow LSMs to apply security policy to io_uring I/O operations, this patch adds two new LSM hooks. These hooks, in conjunction with the LSM anonymous inode support previously submitted, allow an LSM to apply access control policy to the sharing of io_uring rings as well as any io_uring credential changes requested by a process.
The new LSM hooks are described below: * int security_uring_override_creds(cred) Controls if the current task, executing an io_uring operation, is allowed to override its credentials with @cred. In cases where the current task is a user application, the current credentials will be those of the user application. In cases where the current task is a kernel thread servicing io_uring requests the current credentials will be those of the io_uring ring (inherited from the process that created the ring). * int security_uring_sqpoll(void) Controls if the current task is allowed to create an io_uring polling thread (IORING_SETUP_SQPOLL). Without a SQPOLL thread in the kernel processes must submit I/O requests via io_uring_enter(2) which allows us to compare any requested credential changes against the application making the request. With a SQPOLL thread, we can no longer compare requested credential changes against the application making the request, the comparison is made against the ring's credentials. Signed-off-by: Paul Moore --- v3: - removed work-in-progress warning from the description v2: - no change v1: - initial draft --- fs/io_uring.c | 10 ++ include/linux/lsm_hook_defs.h |5 + include/linux/lsm_hooks.h | 13 + include/linux/security.h | 16 security/security.c | 12 5 files changed, 56 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 56cc9aba0d01..f89d00af3a67 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -80,6 +80,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include @@ -7070,6 +7071,11 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, if (!req->creds) return -EINVAL; get_cred(req->creds); + ret = security_uring_override_creds(req->creds); + if (ret) { + put_cred(req->creds); + return ret; + } req->flags |= REQ_F_CREDS; } state = >submit_state;
@@ -8566,6 +8572,10 @@ static int io_sq_offload_create(struct io_ring_ctx *ctx, struct io_sq_data *sqd; bool attached; + ret = security_uring_sqpoll(); + if (ret) + return ret; + sqd = io_get_sq_data(p, ); if (IS_ERR(sqd)) { ret = PTR_ERR(sqd); diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2adeea44c0d5..b3c525353769 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -402,3 +402,8 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #endif /* CONFIG_PERF_EVENTS */ + +#ifdef CONFIG_IO_URING +LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) +LSM_HOOK(int, 0, uring_sqpoll, void) +#endif /* CONFIG_IO_URING
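Review bot: in the io_init_req() hunk the hook is only consulted on the personality path, after get_cred(req->creds), so a request that runs with the ring's inherited credentials from a process other than the ring creator never reaches security_uring_override_creds(); the description relies on the anon inode hook for that case, and a one-line comment at the call site saying so would stop a later reader from assuming this hook sees every credential switch. The error path correctly drops the reference taken by get_cred() before returning.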
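Review bot: in the io_sq_offload_create() hunk security_uring_sqpoll() is called before io_get_sq_data(), so a denial returns with no sqd reference to unwind, which is right; but the hook is declared as LSM_HOOK(int, 0, uring_sqpoll, void) and so cannot see the ring or its setup flags, and the description should say whether that is deliberate (policy is purely "may this task create a polling thread") so that an LSM author does not expect per-ring context here.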
[PATCH v3 4/8] fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure()
Extending the secure anonymous inode support to other subsystems requires that we have a secure anon_inode_getfile() variant in addition to the existing secure anon_inode_getfd() variant. Thankfully we can reuse the existing __anon_inode_getfile() function and just wrap it with the proper arguments. Acked-by: Mickaël Salaün Signed-off-by: Paul Moore --- v3: - no change v2: - no change v1: - initial draft --- fs/anon_inodes.c| 29 + include/linux/anon_inodes.h |4 2 files changed, 33 insertions(+) diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c index a280156138ed..e0c3e33c4177 100644 --- a/fs/anon_inodes.c +++ b/fs/anon_inodes.c @@ -148,6 +148,35 @@ struct file *anon_inode_getfile(const char *name, } EXPORT_SYMBOL_GPL(anon_inode_getfile); +/** + * anon_inode_getfile_secure - Like anon_inode_getfile(), but creates a new + * !S_PRIVATE anon inode rather than reuse the + * singleton anon inode and calls the + * inode_init_security_anon() LSM hook. This + * allows for both the inode to have its own + * security context and for the LSM to enforce + * policy on the inode's creation. + * + * @name:[in]name of the "class" of the new file + * @fops:[in]file operations for the new file + * @priv:[in]private data for the new file (will be file's private_data) + * @flags: [in]flags + * @context_inode: + * [in]the logical relationship with the new inode (optional) + * + * The LSM may use @context_inode in inode_init_security_anon(), but a + * reference to it is not held. Returns the newly created file* or an error + * pointer. See the anon_inode_getfile() documentation for more information. + */ +struct file *anon_inode_getfile_secure(const char *name, + const struct file_operations *fops, + void *priv, int flags, + const struct inode *context_inode) +{ + return __anon_inode_getfile(name, fops, priv, flags, + context_inode, true); +} + static int __anon_inode_getfd(const char *name, const struct file_operations *fops, void *priv, int flags, 
diff --git a/include/linux/anon_inodes.h b/include/linux/anon_inodes.h index 71881a2b6f78..5deaddbd7927 100644 --- a/include/linux/anon_inodes.h +++ b/include/linux/anon_inodes.h @@ -15,6 +15,10 @@ struct inode; struct file *anon_inode_getfile(const char *name, const struct file_operations *fops, void *priv, int flags); +struct file *anon_inode_getfile_secure(const char *name, + const struct file_operations *fops, + void *priv, int flags, + const struct inode *context_inode); int anon_inode_getfd(const char *name, const struct file_operations *fops, void *priv, int flags); int anon_inode_getfd_secure(const char *name, -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
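Review bot: anon_inode_getfile_secure() gets no EXPORT_SYMBOL_GPL() while the anon_inode_getfile() it is placed next to is exported; that is fine for the built-in io_uring caller in this series, but either add the export or say in the description that modular users are not expected. The kerneldoc also puts the whole explanation on the summary line; kernel-doc wants a one-line summary, then the @params, then the description, so the "creates a new !S_PRIVATE anon inode rather than reuse the singleton ..." text belongs below the parameter list.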
[PATCH v3 3/8] audit: add filtering for io_uring records
This patch adds basic audit io_uring filtering, using as much of the existing audit filtering infrastructure as possible. In order to do this we reuse the audit filter rule's syscall mask for the io_uring operation and we create a new filter for io_uring operations as AUDIT_FILTER_URING_EXIT/audit_filter_list[7]. Thanks to Richard Guy Briggs for his review, feedback, and work on the corresponding audit userspace changes. Signed-off-by: Paul Moore --- v3: - removed work-in-progress warning from the description v2: - incorporate feedback from Richard v1: - initial draft --- include/uapi/linux/audit.h |3 +- kernel/audit_tree.c|3 +- kernel/audit_watch.c |3 +- kernel/auditfilter.c | 15 +-- kernel/auditsc.c | 61 ++-- 5 files changed, 65 insertions(+), 20 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index a1997697c8b1..ecf1edd2affa 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -167,8 +167,9 @@ #define AUDIT_FILTER_EXCLUDE 0x05/* Apply rule before record creation */ #define AUDIT_FILTER_TYPE AUDIT_FILTER_EXCLUDE /* obsolete misleading naming */ #define AUDIT_FILTER_FS0x06/* Apply rule at __audit_inode_child */ +#define AUDIT_FILTER_URING_EXIT0x07/* Apply rule at io_uring op exit */ -#define AUDIT_NR_FILTERS 7 +#define AUDIT_NR_FILTERS 8 #define AUDIT_FILTER_PREPEND 0x10/* Prepend to front of list */ diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 2cd7b5694422..338c53a961c5 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -726,7 +726,8 @@ int audit_make_tree(struct audit_krule *rule, char *pathname, u32 op) { if (pathname[0] != '/' || - rule->listnr != AUDIT_FILTER_EXIT || + (rule->listnr != AUDIT_FILTER_EXIT && +rule->listnr != AUDIT_FILTER_URING_EXIT) || op != Audit_equal || rule->inode_f || rule->watch || rule->tree) return -EINVAL; diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 2acf7ca49154..698b62b4a2ec 100644 --- a/kernel/audit_watch.c 
+++ b/kernel/audit_watch.c @@ -183,7 +183,8 @@ int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op) return -EOPNOTSUPP; if (path[0] != '/' || path[len-1] == '/' || - krule->listnr != AUDIT_FILTER_EXIT || + (krule->listnr != AUDIT_FILTER_EXIT && +krule->listnr != AUDIT_FILTER_URING_EXIT) || op != Audit_equal || krule->inode_f || krule->watch || krule->tree) return -EINVAL; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index db2c6b59dfc3..d75acb014ccd 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -44,7 +44,8 @@ struct list_head audit_filter_list[AUDIT_NR_FILTERS] = { LIST_HEAD_INIT(audit_filter_list[4]), LIST_HEAD_INIT(audit_filter_list[5]), LIST_HEAD_INIT(audit_filter_list[6]), -#if AUDIT_NR_FILTERS != 7 + LIST_HEAD_INIT(audit_filter_list[7]), +#if AUDIT_NR_FILTERS != 8 #error Fix audit_filter_list initialiser #endif }; @@ -56,6 +57,7 @@ static struct list_head audit_rules_list[AUDIT_NR_FILTERS] = { LIST_HEAD_INIT(audit_rules_list[4]), LIST_HEAD_INIT(audit_rules_list[5]), LIST_HEAD_INIT(audit_rules_list[6]), + LIST_HEAD_INIT(audit_rules_list[7]), }; DEFINE_MUTEX(audit_filter_mutex); @@ -151,7 +153,8 @@ char *audit_unpack_string(void **bufp, size_t *remain, size_t len) static inline int audit_to_inode(struct audit_krule *krule, struct audit_field *f) { - if (krule->listnr != AUDIT_FILTER_EXIT || + if ((krule->listnr != AUDIT_FILTER_EXIT && +krule->listnr != AUDIT_FILTER_URING_EXIT) || krule->inode_f || krule->watch || krule->tree || (f->op != Audit_equal && f->op != Audit_not_equal)) return -EINVAL; @@ -248,6 +251,7 @@ static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data * pr_err("AUDIT_FILTER_ENTRY is deprecated\n"); goto exit_err; case AUDIT_FILTER_EXIT: + case AUDIT_FILTER_URING_EXIT: case AUDIT_FILTER_TASK: #endif case AUDIT_FILTER_USER: 
@@ -332,6 +336,10 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) if (entry->rule.listnr != AUDIT_FILTER_FS) return -EINVAL; break; + case AUDIT_PERM: + if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT) + return -EINVAL; + break; } switch (entry->rule.listnr) { @@ -980,7 +988,8 @@ static inline int audit_add_rule(struct audit_entry *entry) } entry->rule.prio = ~0ULL; - if
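Review bot: the same `listnr != AUDIT_FILTER_EXIT && listnr != AUDIT_FILTER_URING_EXIT` test is now repeated in audit_make_tree(), audit_to_watch() and audit_to_inode(); a tiny inline helper in kernel/audit.h (hypothetical name: audit_list_is_exit(listnr)) would keep the three copies in step when the next exit-style list is added.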
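Review bot: the new AUDIT_PERM case in audit_field_valid() rejects perm fields on the URING_EXIT list without a comment saying why; a one-liner (presumably that the perm mask is matched against the syscall number, which an io_uring op does not have) would help, and the description should mention that watch and tree rules on the uring list therefore cannot carry -F perm=.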
[PATCH v3 2/8] audit, io_uring, io-wq: add some basic audit support to io_uring
This patch adds basic auditing to io_uring operations, regardless of their context. This is accomplished by allocating audit_context structures for the io-wq worker and io_uring SQPOLL kernel threads as well as explicitly auditing the io_uring operations in io_issue_sqe(). Individual io_uring operations can bypass auditing through the "audit_skip" field in the struct io_op_def definition for the operation; although great care must be taken so that security relevant io_uring operations do not bypass auditing; please contact the audit mailing list (see the MAINTAINERS file) with any questions. The io_uring operations are audited using a new AUDIT_URINGOP record, an example is shown below: type=UNKNOWN[1336] msg=audit(1630523381.288:260): uring_op=19 success=yes exit=0 items=0 ppid=853 pid=1204 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" Thanks to Richard Guy Briggs for review and feedback. Signed-off-by: Paul Moore --- v3: - removed work-in-progress warning from the description v2: - added dummy funcs for audit_uring_{entry,exit}() - replaced opcode checks in io_issue_sqe() with audit_skip checks - moved fastpath checks into audit_uring_{entry,exit}() - audit_log_uring() uses GFP_ATOMIC - don't record the arch in __audit_uring_entry() v1: - initial draft --- fs/io-wq.c |4 + fs/io_uring.c | 55 -- include/linux/audit.h | 26 +++ include/uapi/linux/audit.h |1 kernel/audit.h |2 + kernel/auditsc.c | 174 6 files changed, 256 insertions(+), 6 deletions(-) diff --git a/fs/io-wq.c b/fs/io-wq.c index 6c55362c1f99..dac5c5961c9d 100644 --- a/fs/io-wq.c +++ b/fs/io-wq.c @@ -14,6 +14,7 @@ #include #include #include +#include #include "io-wq.h" 
@@ -562,6 +563,8 @@ static int io_wqe_worker(void *data) snprintf(buf, sizeof(buf), "iou-wrk-%d", wq->task->pid); set_task_comm(current, buf); + audit_alloc_kernel(current); + while (!test_bit(IO_WQ_BIT_EXIT, >state)) { long ret; @@ -601,6 +604,7 @@ static int io_wqe_worker(void *data) io_worker_handle_work(worker); } + audit_free(current); io_worker_exit(worker); return 0; } diff --git a/fs/io_uring.c b/fs/io_uring.c index 16fb7436043c..388754b24785 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -79,6 +79,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include @@ -917,6 +918,8 @@ struct io_op_def { unsignedneeds_async_setup : 1; /* should block plug */ unsignedplug : 1; + /* skip auditing */ + unsignedaudit_skip : 1; /* size of async data needed, if any */ unsigned short async_size; }; @@ -930,6 +933,7 @@ static const struct io_op_def io_op_defs[] = { .buffer_select = 1, .needs_async_setup = 1, .plug = 1, + .audit_skip = 1, .async_size = sizeof(struct io_async_rw), }, [IORING_OP_WRITEV] = { @@ -939,16 +943,19 @@ static const struct io_op_def io_op_defs[] = { .pollout= 1, .needs_async_setup = 1, .plug = 1, + .audit_skip = 1, .async_size = sizeof(struct io_async_rw), }, [IORING_OP_FSYNC] = { .needs_file = 1, + .audit_skip = 1, }, [IORING_OP_READ_FIXED] = { .needs_file = 1, .unbound_nonreg_file= 1, .pollin = 1, .plug = 1, + .audit_skip = 1, .async_size = sizeof(struct io_async_rw), }, [IORING_OP_WRITE_FIXED] = { @@ -957,15 +964,20 @@ static const struct io_op_def io_op_defs[] = { .unbound_nonreg_file= 1, .pollout= 1, .plug = 1, + .audit_skip = 1, .async_size = sizeof(struct io_async_rw), }, [IORING_OP_POLL_ADD] = { .needs_file = 1, .unbound_nonreg_file= 1, + .audit_skip = 1, + }, + [IORING_OP_POLL_REMOVE] = { + .audit_skip = 1, }, - [IORING_OP_POLL_REMOVE] = {}, [IORING_OP_SYNC_FILE_RANGE] = { .needs_file
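Review bot: in the io_wqe_worker() hunk the result of audit_alloc_kernel(current) is discarded; if the allocation can fail the worker carries on without an audit context and every op it services goes unaudited, so either check the return value and bail out of the worker, or add a comment explaining why failure is acceptable here. The audit_free(current) placed before io_worker_exit() is the right spot for the release.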
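Review bot: the audit_skip bits in the io_op_defs[] hunk are set without a stated criterion, while the description warns that security relevant operations must never skip auditing; a comment beside the new `audit_skip : 1` field (for example, "only for ops that act on an already-open file and cannot change credentials or the namespace") would make the rule explicit for whoever adds the next opcode, and the description should list which ops are skipped and why.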
[PATCH v3 1/8] audit: prepare audit_context for use in calling contexts beyond syscalls
This patch cleans up some of our audit_context handling by abstracting out the reset and return code fixup handling to dedicated functions. Not only does this help make things easier to read and inspect, it allows for easier reuse by future patches. We also convert the simple audit_context->in_syscall flag into an enum which can be used by future patches to indicate a calling context other than the syscall context. Thanks to Richard Guy Briggs for review and feedback. Acked-by: Richard Guy Briggs Signed-off-by: Paul Moore --- v3: - removed work-in-progress warning from the description v2: - no change v1: - initial draft --- kernel/audit.h |5 + kernel/auditsc.c | 256 ++ 2 files changed, 167 insertions(+), 94 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index d6a2c899a8db..13abc48de0bd 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -100,7 +100,10 @@ struct audit_proctitle { /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ - int in_syscall; /* 1 if task is in a syscall */ + enum { + AUDIT_CTX_UNUSED, /* audit_context is currently unused */ + AUDIT_CTX_SYSCALL, /* in use by syscall */ + } context; enum audit_statestate, current_state; unsigned intserial; /* serial number for record */ int major; /* syscall number */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8dd73a64f921..c0383d554e61 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c
@@ -915,10 +915,80 @@ static inline void audit_free_aux(struct audit_context *context) context->aux = aux->next; kfree(aux); } + context->aux = NULL; while ((aux = context->aux_pids)) { context->aux_pids = aux->next; kfree(aux); } + context->aux_pids = NULL; +} + +/** + * audit_reset_context - reset a audit_context structure + * @ctx: the audit_context to reset + * + * All fields in the audit_context will be reset to an initial state, all + * references held by fields will be dropped, and private memory will be + * released. When this function returns the audit_context will be suitable + * for reuse, so long as the passed context is not NULL or a dummy context. + */ +static void audit_reset_context(struct audit_context *ctx) +{ + if (!ctx) + return; + + /* if ctx is non-null, reset the "ctx->state" regardless */ + ctx->context = AUDIT_CTX_UNUSED; + if (ctx->dummy) + return; + + /* +* NOTE: It shouldn't matter in what order we release the fields, so +* release them in the order in which they appear in the struct; +* this gives us some hope of quickly making sure we are +* resetting the audit_context properly. +* +* Other things worth mentioning: +* - we don't reset "dummy" +* - we don't reset "state", we do reset "current_state" +* - we preserver "filterkey" if "state" is AUDIT_STATE_RECORD +* - much of this is likely overkill, but play it safe for now +* - we really need to work on improving the audit_context struct +*/ + + ctx->current_state = ctx->state; + ctx->serial = 0; + ctx->major = 0; + ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; + memset(ctx->argv, 0, sizeof(ctx->argv)); + ctx->return_code = 0; + ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? 
~0ULL : 0); + ctx->return_valid = AUDITSC_INVALID; + audit_free_names(ctx); + if (ctx->state != AUDIT_STATE_RECORD) { + kfree(ctx->filterkey); + ctx->filterkey = NULL; + } + audit_free_aux(ctx); + kfree(ctx->sockaddr); + ctx->sockaddr = NULL; + ctx->sockaddr_len = 0; + ctx->pid = ctx->ppid = 0; + ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0); + ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0); + ctx->personality = 0; + ctx->arch = 0; + ctx->target_pid = 0; + ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); + ctx->target_sessionid = 0; + ctx->target_sid = 0; + ctx->target_comm[0] = '\0'; + unroll_tree_refs(ctx, NULL, 0); + WARN_ON(!list_empty(>killed_trees)); + ctx->type = 0; + audit_free_module(ctx); + ctx->fds[0] = -1; + audit_proctitle_free(ctx); } static inline struct audit_context *audit_alloc_context(enum audit_state state) @@ -928,6 +998,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state) context = kzalloc(sizeof(*context), GFP_KERNEL); if (!context) return NULL; +
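Review bot: in the kernel/audit.h hunk the new `context` field is an anonymous enum embedded in struct audit_context, so the helpers in auditsc.c cannot take or return that type by name; naming the enum now costs nothing and avoids a churny rename when the later patches add the further calling contexts the description promises.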
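Review bot: in audit_reset_context() the comment "if ctx is non-null, reset the "ctx->state" regardless" sits above an assignment to ctx->context, not ctx->state, and the NOTE block below says "state" is deliberately not reset, so the comment should say ctx->context. Two nits in the same hunk: the kerneldoc reads "reset a audit_context" (an audit_context), and the NOTE has "we preserver "filterkey"" (preserve).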
[PATCH v3 0/8] Add LSM access controls and auditing to io_uring
As promised, here is revision #3 of the io_uring/LSM/audit patchset. The changes from revision #2 are minimal and noted in the individual patches; they are mostly focused on removing debug/dev code and scary "BEWARE, DEVELOPMENT PATCH!" language from the commit descriptions.

With plenty of good discussion happening on the initial RFC posting, and the second revision incorporating all the feedback garnering no objections, I plan to merge this patchset into the selinux/next tree later this week. Jens, Pavel, it would be nice if I could get your ACK on the io_uring patches before I merge them.

For those of you who may be seeing this for the first time, the second RFC revision of the patchset can be found in the archives at the link below: https://lore.kernel.org/linux-security-module/162871480969.63873.9434591871437326374.stgit@olly/ ... and the initial draft RFC can be found here: https://lore.kernel.org/linux-security-module/162163367115.8379.8459012634106035341.stgit@sifl/

Those who would prefer to fetch these patches directly from git can do so using the tree/branch below: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git (checkout branch "working-io_uring")

-Paul

--- Casey Schaufler (1): Smack: Brutalist io_uring support with debug Paul Moore (7): audit: prepare audit_context for use in calling contexts beyond syscalls audit,io_uring,io-wq: add some basic audit support to io_uring audit: add filtering for io_uring records fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure() io_uring: convert io_uring to the secure anon inode interface lsm,io_uring: add LSM hooks to io_uring selinux: add support for the io_uring access controls fs/anon_inodes.c| 29 ++ fs/io-wq.c | 4 + fs/io_uring.c | 69 +++- include/linux/anon_inodes.h | 4 + include/linux/audit.h | 26 ++ include/linux/lsm_hook_defs.h | 5 + include/linux/lsm_hooks.h | 13 + include/linux/security.h| 16 + include/uapi/linux/audit.h | 4 +- kernel/audit.h | 7 +- kernel/audit_tree.c | 3
+- kernel/audit_watch.c| 3 +- kernel/auditfilter.c| 15 +- kernel/auditsc.c| 477 ++-- security/security.c | 12 + security/selinux/hooks.c| 34 ++ security/selinux/include/classmap.h | 2 + security/smack/smack_lsm.c | 46 +++ 18 files changed, 654 insertions(+), 115 deletions(-)
Re: [ANNOUNCE][CFP] Linux Security Summit 2021
For folks presenting remotely, the deadline for video talks is extended to 20th September, 2021. Reminder: you can keep track of LSS event information via: https://twitter.com/LinuxSecSummit -- James Morris
Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
On Mon, Sep 13, 2021 at 9:50 PM Paul Moore wrote: > On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote: > > On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote: > > > On 2021-09-01 15:21, Paul Moore wrote: > > > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote: > > > > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs > > > > > wrote: > > > > > > I did set a syscall filter for > > > > > > -a exit,always -F arch=b64 -S > > > > > > io_uring_enter,io_uring_setup,io_uring_register -F > > > > > > key=iouringsyscall > > > > > > and that yielded some records with a couple of orphans that > > > > > > surprised me > > > > > > a bit. > > > > > > > > > > Without looking too closely at the log you sent, you can expect URING > > > > > records without an associated SYSCALL record when the uring op is > > > > > being processed in the io-wq or sqpoll context. In the io-wq case the > > > > > processing is happening after the thread finished the syscall but > > > > > before the execution context returns to userspace and in the case of > > > > > sqpoll the processing is handled by a separate kernel thread with no > > > > > association to a process thread. > > > > > > > > I spent some time this morning/afternoon playing with the io_uring > > > > audit filtering capability and with your audit userspace > > > > ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes, > > > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't > > > > map the io_uring ops correctly), but I know you mentioned you have a > > > > number of fixes/improvements still as a work-in-progress there so I'm > > > > not too concerned. The important part is that the kernel pieces look > > > > to be working correctly. 
> > > > > > Ok, I have squashed and pushed the audit userspace support for iouring: > > > > > > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea > > > > > > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1 > > > There are test rpms for f35 here: > > > http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/ > > > > > > userspace v2 changelog: > > > - check for watch before adding perm > > > - update manpage to include filesystem filter > > > - update support for the uring filter list: doc, -U op, op names > > > - add support for the AUDIT_URINGOP record type > > > - add uringop support to ausearch > > > - add uringop support to aureport > > > - lots of bug fixes > > > > > > "auditctl -a uring,always -S ..." will now throw an error and require > > > "-U" instead. > > > > Thanks Richard. > > > > FYI, I rebased the io_uring/LSM/audit patchset on top of v5.15-rc1 > > today and tested both with your v1.0 and with your v2.1 branch and the > > various combinations seemed to work just fine (of course the v2.1 > > userspace branch was more polished, less warts, etc.). I'm going to > > go over the patch set one more time to make sure everything is still > > looking good, write up an updated cover letter, and post a v3 revision > > later tonight with the hope of merging it into -next later this week. > > Best laid plans of mice and men ... > > It turns out the LSM hook macros are full of warnings-now-errors that > should likely be resolved before sending anything LSM related to > Linus. I'll post v3 once I fix this, which may not be until tomorrow. > > (To be clear, the warnings/errors aren't new to this patchset, I'm > likely just the first person to notice them.) Actually, scratch that ... I'm thinking that might just be an oddity of the Intel 0day test robot building for the xtensa arch. I'll post the v3 patchset tonight. 
-- paul moore www.paul-moore.com
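Added example, not code from the patchset or from anyone in this thread: a small Python triage script for the AUDIT_URINGOP record format shown in the patch 2/8 description, which pairs each URINGOP record with the SYSCALL record of the same audit event (same serial) and flags the "orphans" that, as Paul explains above, come from io-wq or SQPOLL context rather than from the submitting task's io_uring_enter(2) call, plus any failed op. The log lines are constructed; the record type number 1336 is taken from the sample record in the patch description, and the SYSCALL line assumes arch c000003e / syscall 426 is io_uring_enter(2) on x86_64.

```python
"""Triage AUDIT_URINGOP records: pair them with the SYSCALL record of the same
audit event and flag orphans (io-wq / SQPOLL context) and failed operations."""
import re
from collections import defaultdict

# Record type number of AUDIT_URINGOP as printed by an audit userspace that
# does not yet know the name (taken from the sample record in patch 2/8).
AUDIT_URINGOP = 1336

HDR_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'([A-Za-z_]\w*)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log (assumption: syscall=426 with arch=c000003e is
# io_uring_enter(2) on x86_64). Event 260 is a URINGOP paired with its
# SYSCALL record; event 262 has no SYSCALL record and the op failed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1630523381.288:260): arch=c000003e syscall=426 success=yes exit=1 a0=4 a1=1 a2=0 a3=0 items=0 ppid=853 pid=1204 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="uring-test" exe="/usr/local/bin/uring-test" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="iouringsyscall"
type=UNKNOWN[1336] msg=audit(1630523381.288:260): uring_op=19 success=yes exit=0 items=0 ppid=853 pid=1204 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=URINGOP msg=audit(1630523381.301:262): uring_op=19 success=no exit=-13 items=0 ppid=853 pid=1210 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 subj=user_u:user_r:user_t:s0 key=(null) AUID="alice" UID="alice" GID="alice"
"""


def parse_record(line):
    """Parse one audit record line; return None for anything else."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    if rtype == "UNKNOWN[%d]" % AUDIT_URINGOP:
        rtype = "URINGOP"  # normalise the pre-userspace-support spelling
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields}


def group_events(lines):
    """Group records into audit events keyed by their serial number."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def triage(lines):
    """One finding per URINGOP record, in serial order."""
    findings = []
    for serial, recs in sorted(group_events(lines).items()):
        has_syscall = any(r["type"] == "SYSCALL" for r in recs)
        for r in recs:
            if r["type"] != "URINGOP":
                continue
            f = r["fields"]
            findings.append({
                "serial": serial,
                "uring_op": int(f.get("uring_op", -1)),
                "pid": int(f.get("pid", -1)),
                "auid": f.get("AUID", f.get("auid")),  # prefer resolved name
                "subj": f.get("subj"),
                "exit": int(f.get("exit", 0)),
                "failed": f.get("success") == "no",
                # No SYSCALL record in the same event means the op was run by an
                # io-wq worker or an SQPOLL thread, not on the submitter's
                # io_uring_enter(2) path, so there is no syscall to tie it to.
                "orphan": not has_syscall,
            })
    return findings


def summarize(findings):
    """Counts a dashboard would want: total, orphans, failures."""
    return {"uringops": len(findings),
            "orphans": sum(1 for x in findings if x["orphan"]),
            "failed": sum(1 for x in findings if x["failed"])}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print(summarize(results))
```

The SELinux subj and the resolved AUID name are kept on each finding so a denied or orphaned op can be tied back to the process's security context and login user.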
Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
On Mon, Sep 13, 2021 at 3:23 PM Paul Moore wrote: > On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote: > > On 2021-09-01 15:21, Paul Moore wrote: > > > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote: > > > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs > > > > wrote: > > > > > I did set a syscall filter for > > > > > -a exit,always -F arch=b64 -S > > > > > io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall > > > > > and that yielded some records with a couple of orphans that surprised > > > > > me > > > > > a bit. > > > > > > > > Without looking too closely at the log you sent, you can expect URING > > > > records without an associated SYSCALL record when the uring op is > > > > being processed in the io-wq or sqpoll context. In the io-wq case the > > > > processing is happening after the thread finished the syscall but > > > > before the execution context returns to userspace and in the case of > > > > sqpoll the processing is handled by a separate kernel thread with no > > > > association to a process thread. > > > > > > I spent some time this morning/afternoon playing with the io_uring > > > audit filtering capability and with your audit userspace > > > ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes, > > > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't > > > map the io_uring ops correctly), but I know you mentioned you have a > > > number of fixes/improvements still as a work-in-progress there so I'm > > > not too concerned. The important part is that the kernel pieces look > > > to be working correctly. 
> > > > Ok, I have squashed and pushed the audit userspace support for iouring: > > > > https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea > > > > https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1 > > There are test rpms for f35 here: > > http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/ > > > > userspace v2 changelog: > > - check for watch before adding perm > > - update manpage to include filesystem filter > > - update support for the uring filter list: doc, -U op, op names > > - add support for the AUDIT_URINGOP record type > > - add uringop support to ausearch > > - add uringop support to aureport > > - lots of bug fixes > > > > "auditctl -a uring,always -S ..." will now throw an error and require > > "-U" instead. > > Thanks Richard. > > FYI, I rebased the io_uring/LSM/audit patchset on top of v5.15-rc1 > today and tested both with your v1.0 and with your v2.1 branch and the > various combinations seemed to work just fine (of course the v2.1 > userspace branch was more polished, less warts, etc.). I'm going to > go over the patch set one more time to make sure everything is still > looking good, write up an updated cover letter, and post a v3 revision > later tonight with the hope of merging it into -next later this week. Best laid plans of mice and men ... It turns out the LSM hook macros are full of warnings-now-errors that should likely be resolved before sending anything LSM related to Linus. I'll post v3 once I fix this, which may not be until tomorrow. (To be clear, the warnings/errors aren't new to this patchset, I'm likely just the first person to notice them.) -- paul moore www.paul-moore.com
Re: [PATCH] audit: Fix build failure by renaming struct node to struct audit_node
On Tue, Sep 7, 2021 at 11:45 AM LEROY Christophe wrote:
> > -Original Message-
> > From: Paul Moore
> > On Mon, Sep 6, 2021 at 2:41 AM LEROY Christophe
> > wrote:
> > > On 03/09/2021 at 19:06, Paul Moore wrote:
> > > > On Fri, Sep 3, 2021 at 11:48 AM Christophe Leroy
> > > > wrote:
> > > >>
> > > >> struct node defined in kernel/audit_tree.c conflicts with struct
> > > >> node defined in include/linux/node.h
> > > >>
> > > >>   CC      kernel/audit_tree.o
> > > >> kernel/audit_tree.c:33:9: error: redefinition of 'struct node'
> > > >>    33 | struct node {
> > > >>       |        ^~~~
> > > >> In file included from ./include/linux/cpu.h:17,
> > > >>                  from ./include/linux/static_call.h:102,
> > > >>                  from ./arch/powerpc/include/asm/machdep.h:10,
> > > >>                  from ./arch/powerpc/include/asm/archrandom.h:7,
> > > >>                  from ./include/linux/random.h:121,
> > > >>                  from ./include/linux/net.h:18,
> > > >>                  from ./include/linux/skbuff.h:26,
> > > >>                  from kernel/audit.h:11,
> > > >>                  from kernel/audit_tree.c:2:
> > > >> ./include/linux/node.h:84:8: note: originally defined here
> > > >>    84 | struct node {
> > > >>       |        ^~~~
> > > >> make[2]: *** [kernel/audit_tree.o] Error 1
> > > >>
> > > >> Rename it audit_node.
> > > >>
> > > >> Signed-off-by: Christophe Leroy
> > > >> ---
> > > >> kernel/audit_tree.c | 20 ++--
> > > >> 1 file changed, 10 insertions(+), 10 deletions(-)
> > > >
> > > > That's interesting, I wonder why we didn't see this prior? Also as
> > > > an aside, there are evidently a good handful of symbols named
> > > > "node". In fact I don't see this now in the audit/stable-5.15 or
> > > > Linus' tree as of right now, both using an allyesconfig:
> > > >
> > > > % git show-ref HEAD
> > > > a9c9a6f741cdaa2fa9ba24a790db8d07295761e3 refs/remotes/linus/HEAD
> > > > % touch kernel/audit_tree.c
> > > > % make C=1 kernel/
> > > >   CALL    scripts/checksyscalls.sh
> > > >   CALL    scripts/atomic/check-atomics.sh
> > > >   DESCEND objtool
> > > >   CHK     kernel/kheaders_data.tar.xz
> > > >   CC      kernel/audit_tree.o
> > > >   CHECK   kernel/audit_tree.c
> > > >   AR      kernel/built-in.a
> > > >
> > > > What tree and config are you using where you see this error?
> > > > Looking at your error, I'm guessing this is limited to ppc builds,
> > > > and if I look at the arch/powerpc/include/asm/machdep.h file in
> > > > Linus tree I don't see a static_call.h include so I'm guessing this
> > > > is a -next tree for ppc? Something else?
> > > >
> > > > Without knowing the context, is adding the static_call.h include in
> > > > arch/powerpc/include/asm/machdep.h intentional or simply a bit of
> > > > include file creep?
> > >
> > > struct machdep_calls in asm/machdep.h is full of function pointers and
> > > I'm working on converting that to static_calls
> > > (https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=260878
> > > =*)
> > >
> > > So yes, adding static_call.h in asm/machdep.h is intentional and the
> > > issue was detected by CI build test
> > > (http://kisskb.ellerman.id.au/kisskb/buildresult/14628100/)
> > >
> > > I submitted this change to you because for me it makes sense to not
> > > re-use globally defined struct names in local C files, and anybody may
> > > encounter the problem as soon as linux/node.h gets included directly
> > > or indirectly. But if you prefer I guess the fix may be merged through
> > > powerpc tree as part of this series.
> >
> > Yes, this patch should go in via the audit tree, and while I don't have an
> > objection to the patch, whenever I see a patch to fix an issue that is not
> > visible in Linus' tree or the audit tree it raises some questions. I
> > usually hope to see those questions answered proactively in the cover
> > letter and/or patch description but that wasn't the case here so you get
> > to play a game of 20 questions.
> >
> > Speaking of which, I don't recall seeing an answer to the "where do these
> > include file changes live?" question, is it the ppc -next tree, or are
> > they still unmerged and just on the ppc list?
>
> It is still an RFC in the ppc list.

I just merged this into audit/next but I rewrote chunks of the subject
line and commit description as the build failure isn't yet "real" as the
offending patch is still just an RFC. Hopefully by merging this patch
into audit/next now we'll prevent future problems if/when the other
patch is merged.

--
paul moore
www.paul-moore.com
Re: [PATCH] audit: Convert to SPDX identifier
On Sat, Aug 21, 2021 at 10:14 PM Cai Huoqing wrote:
>
> use SPDX-License-Identifier instead of a verbose license text
>
> Signed-off-by: Cai Huoqing
> ---
> kernel/auditsc.c | 15 +--
> 1 file changed, 1 insertion(+), 14 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 8dd73a64f921..969c1613fed9 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1,3 +1,4 @@
> +// SPDX-License-Identifier: GPL-2.0+

It appears the current recommended token is "GPL-2.0-or-later", please
update this patch to use the preferred license identifier.

* https://spdx.org/licenses

> /* auditsc.c -- System-call auditing support
> * Handles all system-call specific auditing features.
> *
> @@ -6,20 +7,6 @@
> * Copyright (C) 2005, 2006 IBM Corporation
> * All Rights Reserved.
> *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License as published by
> - * the Free Software Foundation; either version 2 of the License, or
> - * (at your option) any later version.
> - *
> - * This program is distributed in the hope that it will be useful,
> - * but WITHOUT ANY WARRANTY; without even the implied warranty of
> - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> - * GNU General Public License for more details.
> - *
> - * You should have received a copy of the GNU General Public License
> - * along with this program; if not, write to the Free Software
> - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> - *
> * Written by Rickard E. (Rik) Faith
> *
> * Many of the ideas implemented here are from Stephen C. Tweedie,
> --
> 2.25.1

--
paul moore
www.paul-moore.com
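Review bot: the tag added in the first hunk, `// SPDX-License-Identifier: GPL-2.0+`, is the spelling SPDX has since deprecated in favour of `GPL-2.0-or-later`; the text removed in the second hunk licenses the file under "version 2 of the License, or (at your option) any later version", so `GPL-2.0-or-later` is the identifier that preserves that grant (a plain `GPL-2.0` would silently narrow it), which is also what the reply above asks for.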
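Review bot: the second hunk removes exactly the three GPL boilerplate paragraphs (redistribution terms, warranty disclaimer, FSF postal address) and their ` *` separator lines, 14 lines as the diffstat `15 +--` states, while keeping the IBM copyright, "All Rights Reserved" and "Written by Rickard E. (Rik) Faith" lines; that is the right split, since the SPDX tag replaces the license grant but not the copyright notices, and dropping the 59 Temple Place address outright is preferable to correcting it, as that address is long out of date.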
Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
On Thu, Sep 9, 2021 at 8:59 PM Richard Guy Briggs wrote:
> On 2021-09-01 15:21, Paul Moore wrote:
> > On Sun, Aug 29, 2021 at 11:18 AM Paul Moore wrote:
> > > On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs
> > > wrote:
> > > > I did set a syscall filter for
> > > > -a exit,always -F arch=b64 -S
> > > > io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> > > > and that yielded some records with a couple of orphans that surprised me
> > > > a bit.
> > >
> > > Without looking too closely at the log you sent, you can expect URING
> > > records without an associated SYSCALL record when the uring op is
> > > being processed in the io-wq or sqpoll context. In the io-wq case the
> > > processing is happening after the thread finished the syscall but
> > > before the execution context returns to userspace and in the case of
> > > sqpoll the processing is handled by a separate kernel thread with no
> > > association to a process thread.
> >
> > I spent some time this morning/afternoon playing with the io_uring
> > audit filtering capability and with your audit userspace
> > ghau-iouring-filtering.v1.0 branch it appears to work correctly. Yes,
> > the userspace tooling isn't quite 100% yet (e.g. `auditctl -l` doesn't
> > map the io_uring ops correctly), but I know you mentioned you have a
> > number of fixes/improvements still as a work-in-progress there so I'm
> > not too concerned. The important part is that the kernel pieces look
> > to be working correctly.
>
> Ok, I have squashed and pushed the audit userspace support for iouring:
>
> https://github.com/rgbriggs/audit-userspace/commit/e8bd8d2ea8adcaa758024cb9b8fa93895ae35eea
>
> https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghak-iouring-filtering.v2.1
> There are test rpms for f35 here:
> http://people.redhat.com/~rbriggs/ghak-iouring/git-e8bd8d2-fc35/
>
> userspace v2 changelog:
> - check for watch before adding perm
> - update manpage to include filesystem filter
> - update support for the uring filter list: doc, -U op, op names
> - add support for the AUDIT_URINGOP record type
> - add uringop support to ausearch
> - add uringop support to aureport
> - lots of bug fixes
>
> "auditctl -a uring,always -S ..." will now throw an error and require
> "-U" instead.

Thanks Richard.

FYI, I rebased the io_uring/LSM/audit patchset on top of v5.15-rc1
today and tested both with your v1.0 and with your v2.1 branch and the
various combinations seemed to work just fine (of course the v2.1
userspace branch was more polished, less warts, etc.). I'm going to
go over the patch set one more time to make sure everything is still
looking good, write up an updated cover letter, and post a v3 revision
later tonight with the hope of merging it into -next later this week.

--
paul moore
www.paul-moore.com
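The "orphan" records discussed in both copies of this exchange (URING records with no SYSCALL record in the same event, expected when the op was processed in io-wq or sqpoll context) are easy to pick out once records are grouped by audit event serial. The correlator below is an added example, not code from the thread or from audit-userspace; its sample records are constructed approximations of audit output, the syscall numbers are the x86-64 ones for the three syscalls in the `-S` filter quoted above, and the uring_op values are made up.

```python
import re
from collections import defaultdict

# x86-64 numbers for the three syscalls in the -S filter above (arch=c000003e is checked because numbers differ per arch)
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}

# Constructed sample log (field layout approximates real audit output, values are made up).
# 201: io_uring_enter whose op completed inline (SYSCALL + URINGOP). 202, 204: ops completed
# in io-wq/sqpoll context (URINGOP only, the "orphans"). 203: io_uring_setup, no op at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1631500000.100:201): arch=c000003e syscall=426 success=yes exit=1 pid=4242 auid=1000 key="iouringsyscall"
type=URINGOP msg=audit(1631500000.100:201): uring_op=22 success=yes exit=0 pid=4242 uid=1000
type=URINGOP msg=audit(1631500000.250:202): uring_op=22 success=yes exit=0 pid=4242 uid=1000
type=SYSCALL msg=audit(1631500000.300:203): arch=c000003e syscall=425 success=yes exit=3 pid=4242 auid=1000 key="iouringsyscall"
type=URINGOP msg=audit(1631500000.400:204): uring_op=6 success=yes exit=0 pid=4243 uid=1000
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; None if the line is not an audit record."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rtype, stamp, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec.update(type=rtype, time=float(stamp), serial=int(serial))
    return rec

def group_by_event(lines):
    """Records sharing the msg=audit(time:serial) stamp belong to one audit event."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    return dict(events)

def orphan_uringops(lines):
    """Serials carrying a URINGOP record but no SYSCALL record (io-wq/sqpoll processing)."""
    return sorted(s for s, recs in group_by_event(lines).items()
                  if any(r["type"] == "URINGOP" for r in recs)
                  and not any(r["type"] == "SYSCALL" for r in recs))

def io_uring_syscalls(lines):
    """serial -> syscall name for the x86-64 SYSCALL records the -S filter above matches."""
    return {r["serial"]: IO_URING_SYSCALLS[int(r["syscall"])]
            for r in filter(None, map(parse_record, lines))
            if r["type"] == "SYSCALL" and r.get("arch") == "c000003e"
            and int(r.get("syscall", -1)) in IO_URING_SYSCALLS}
```

On the sample, `orphan_uringops` returns serials 202 and 204, the two ops that never had a SYSCALL sibling, while `io_uring_syscalls` picks out 201 (io_uring_enter) and 203 (io_uring_setup).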