[PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
Greg Kroah-Hartman
gregkh at linuxfoundation.org
Tue Aug 23 06:52:41 UTC 2022
On Mon, Aug 22, 2022 at 05:21:13PM -0400, Paul Moore wrote:
> Add a SELinux access control for the iouring IORING_OP_URING_CMD
> command. This includes the addition of a new permission in the
> existing "io_uring" object class: "cmd". The subject of the new
> permission check is the domain of the process requesting access, the
> object is the open file which points to the device/file that is the
> target of the IORING_OP_URING_CMD operation. A sample policy rule
> is shown below:
>
> allow <domain> <file>:io_uring { cmd };
>
> Cc: stable at vger.kernel.org
This is not stable material as you are adding a new feature. Please
read the stable documentation for what is and is not allowed.
thanks,
greg k-h
More information about the Linux-security-module-archive
mailing list