[PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
Paul Moore
paul at paul-moore.com
Tue Aug 23 16:49:08 UTC 2022
On Tue, Aug 23, 2022 at 2:52 AM Greg Kroah-Hartman
<gregkh at linuxfoundation.org> wrote:
> On Mon, Aug 22, 2022 at 05:21:13PM -0400, Paul Moore wrote:
> > Add a SELinux access control for the iouring IORING_OP_URING_CMD
> > command. This includes the addition of a new permission in the
> > existing "io_uring" object class: "cmd". The subject of the new
> > permission check is the domain of the process requesting access, the
> > object is the open file which points to the device/file that is the
> > target of the IORING_OP_URING_CMD operation. A sample policy rule
> > is shown below:
> >
> > allow <domain> <file>:io_uring { cmd };
> >
> > Cc: stable at vger.kernel.org
>
> This is not stable material as you are adding a new feature. Please
> read the stable documentation for what is and is not allowed.
Strongly disagree, see my comments on patch 1/3 in this patchset.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list