[PATCH] lsm, io_uring: add LSM hooks to for the new uring_cmd file op

Paul Moore paul at paul-moore.com
Mon Jul 18 14:55:24 UTC 2022


On Fri, Jul 15, 2022 at 11:26 PM Kanchan Joshi <joshi.k at samsung.com> wrote:
> On Fri, Jul 15, 2022 at 02:46:16PM -0400, Paul Moore wrote:
> >On Thu, Jul 14, 2022 at 9:00 PM Luis Chamberlain <mcgrof at kernel.org> wrote:
> >> On Wed, Jul 13, 2022 at 11:00:42PM -0400, Paul Moore wrote:
> >> > On Wed, Jul 13, 2022 at 8:05 PM Luis Chamberlain <mcgrof at kernel.org> wrote:
> >> > >
> >> > > io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
> >> > > add infrastructure for uring-cmd"), this extended the struct
> >> > > file_operations to allow a new command which each subsystem can use
> >> > > to enable command passthrough. Add an LSM specific for the command
> >> > > passthrough which enables LSMs to inspect the command details.
> >> > >
> >> > > This was discussed long ago without any clear pointer for something
> >> > > conclusive, so this enables LSMs to at least reject this new file
> >> > > operation.
> >> > >
> >> > > [0] https://lkml.kernel.org/r/8adf55db-7bab-f59d-d612-ed906b948d19@schaufler-ca.com
> >> >
> >> > [NOTE: I now see that the IORING_OP_URING_CMD has made it into the
> >> > v5.19-rcX releases, I'm going to be honest and say that I'm
> >> > disappointed you didn't post the related LSM additions
> >>
> >> It does not mean I didn't ask for them too.
> >>
> >> > until
> >> > v5.19-rc6, especially given our earlier discussions.]
> >>
> >> And hence since I don't see it either, it's on us now.
> >
> >It looks like I owe you an apology, Luis.  While my frustration over
> >io_uring remains, along with my disappointment that the io_uring
> >developers continue to avoid discussing access controls with the LSM
> >community, you are not the author of the IORING_OP_URING_CMD.   You
>
> I am to be shot down here. Solely.
> My LSM understanding has been awful. At a level that I am not clear
> how to fix if someone says - your code lacks LSM consideration.
> But nothing to justify, I fully understand this is not someone else's
> problem but mine. I intend to get better at it.
> And I owe an apology (to you/LSM-folks, Luis, Jens) for the mess.

Thanks for your honesty.  If it is any consolation, my understanding
of io_uring remains superficial at best, and it's one of the reasons
I've asked the io_uring devs to ack/review the LSM io_uring hooks and
their placement in the io_uring code.  Developing a deep understanding
of one kernel subsystem is often very difficult, doing the same across
multiple subsystems requires a *lot* of time and effort.  We have to
rely on our combined expertise to help each other fill in the gaps :)

If you are ever unsure about something in the LSM layer, or how a
change to io_uring (or any other subsystem) might impact the LSMs,
please don't hesitate to ask us.  It might take all of us a little
while to sort it out, but we can usually get it working in the end.

There shouldn't be harm in asking for help/clarification, the harm
usually comes when assumptions are made.

-- 
paul-moore.com


