[RFC 0/1] RFC on how to include LSM hooks for io_uring commands

Joel Granados j.granados at samsung.com
Wed Nov 16 12:50:50 UTC 2022


The motivation for this patch is to continue the discussion around how to
include LSM callback hooks in the io_uring infrastructure. To begin I take
the nvme io_uring passthrough and try to include it in the already existing
LSM infrastructure that is there for ioctl. This is far from a general
io_uring approach, but it's a start :)

You are very welcome to comment on the patch, but I have specific questions
in mind:

1. The nvme io_uring are governed by ioctl numbers. In this patch I have
passed this number directly to the ioctl_has_perm function in selinux. For
the io_uring commands that follow such a pattern, is it enough to forward
the call? Or do we need to plumb something else? @Paul: really interested
in hearing your thoughts.

2. Could we use something similar for commands that are not structured as
an ioctl? Does ublk structure its commands after ioctl, or does it use
another system? @David would like to hear your thoughts on
this.

3. Finally, is there anything preventing us from gathering all these
io_uring commands under a common LSM infrastructure like the one that
already exists for ioctl?

Comments are greatly appreciated

Joel Granados (1):
  Use ioctl selinux callback io_uring commands that implement the ioctl
    op convention

 security/selinux/hooks.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

-- 
2.30.2


