[PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook

Paul Moore paul at paul-moore.com
Thu Sep 1 21:30:38 UTC 2022


On Thu, Sep 1, 2022 at 4:15 PM Joel Granados <j.granados at samsung.com> wrote:
> Hey Paul
>
> I realize that you have already sent this upstream but I wanted to share
> the Selinux part of the testing that we did to see if there is any
> feedback.
>
> With my tests I see that the selinux_uring_cmd hook is run and it
> results in an "avc : denied" when I run it with SELinux in permissive
> mode with an unprivileged user. I assume that this is the expected
> behavior. Here is how I tested
>
> *** With the patch:
> * I ran the io_uring_passthrough.c test on a char device with an
>   unprivileged user.
> * I took care of changing the permissions of /dev/ng0n1 to 666 prior
>   to any testing.
> * Made sure that SELinux was in permissive mode.
> * Made sure to have audit activated by passing "audit=1" to the kernel.
> * After noticing that some audit messages were getting lost I upped the
>   backlog limit to 256.
> * Prior to executing the test, I also placed a breakpoint inside
>   selinux_uring_cmd to make sure that it was executed.
> * This is the output of the audit when I executed the test:
>
>   [  136.615924] audit: type=1400 audit(1662043624.701:94): avc:  denied  { create } for  pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.621036] audit: type=1300 audit(1662043624.701:94): arch=c000003e syscall=425 success=yes exit=3 a0=40 a1=7ffca29835a0 a2=7ffca29835a0 a3=561529be2300 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
>   [  136.624812] audit: type=1327 audit(1662043624.701:94): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
>   [  136.626074] audit: type=1400 audit(1662043624.702:95): avc:  denied  { map } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.628012] audit: type=1400 audit(1662043624.702:95): avc:  denied  { read write } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
>   [  136.629873] audit: type=1300 audit(1662043624.702:95): arch=c000003e syscall=9 success=yes exit=140179765297152 a0=0 a1=1380 a2=3 a3=8001 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
>   [  136.632415] audit: type=1327 audit(1662043624.702:95): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
>   [  136.633652] audit: type=1400 audit(1662043624.705:96): avc:  denied  { cmd } for  pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
>   [  136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
>   [  136.636863] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
>
> * From the output at time 136.633652 I see that the access would have
>   been denied had SELinux been enforcing.
> * I also saw that the breakpoint hit.
>
> *** Without the patch:
> * I ran the io_uring_passthrough.c test on a char device with an
>   unprivileged user.
> * I took care of changing the permissions of /dev/ng0n1 to 666 prior
>   to any testing.
> * Made sure that SELinux was in permissive mode.
> * Made sure to have audit activated by passing "audit=1" to the kernel.
> * After noticing that some audit messages were getting lost I upped the
>   backlog limit to 256.
> * There were no audit messages when I executed the test.
>
> As with my Smack tests I would really appreciate feedback on the
> approach I took to testing and its validity.

Hi Joel,

Thanks for the additional testing and verification!  Work like this is
always welcome, regardless of whether the patch has already been merged
upstream.

As far as your test approach is concerned, I think you are on the right
track. I might suggest resolving the other SELinux/AVC denials you are
seeing with your test application to help reduce the noise in the
logs.  Are you familiar with the selinux-testsuite (link below)?

* https://github.com/SELinuxProject/selinux-testsuite

-- 
paul-moore.com
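An added example, not part of either message above: a small parser for the AVC records Joel quoted that pulls out the denials which were only logged because the box was in permissive mode, so the io_uring { cmd } denial on /dev/ng0n1 can be checked mechanically instead of by reading the log. The three sample lines are taken from the quoted audit output (the type=1336 record shortened); the function names are this example's own.

```python
import re

# Audit records copied from the quoted test output above (the third one
# truncated), embedded so the example runs offline.
SAMPLE_AUDIT = """\
[  136.615924] audit: type=1400 audit(1662043624.701:94): avc:  denied  { create } for  pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
[  136.633652] audit: type=1400 audit(1662043624.705:96): avc:  denied  { cmd } for  pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
[  136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002
"""

# Matches the fixed prefix of a type=1400 AVC record; everything after
# "for" is a run of key=value fields handled by FIELD_RE.
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None  # e.g. the type=1300/1327/1336 companion records
    rec = {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # permissive=1 means the access was allowed but would be denied when enforcing
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def would_be_enforced(text, tclass="io_uring"):
    """Denials on the given object class that were only logged, not enforced."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return [r for r in recs
            if r["result"] == "denied" and r.get("tclass") == tclass and r["permissive"]]


if __name__ == "__main__":
    for r in would_be_enforced(SAMPLE_AUDIT):
        print(f"serial {r['serial']}: {r['scontext']} -> {r['tcontext']} "
              f"class={r['tclass']} perms={r['perms']} path={r.get('path')}")
```

Running it over the full quoted log (or `ausearch -m AVC` output, whose record bodies have the same key=value layout) with `tclass="anon_inode"` lists the other denials Paul suggests resolving to cut the noise.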
