Landlock: LANDLOCK_ACCESS_FS_IOCTL_DEV bypass via io_uring IORING_OP_URING_CMD

Bryam Vargas hexlabsecurity at proton.me
Thu Jun 18 20:11:27 UTC 2026


Günther,

Thanks, and #65 looks right.

On the approach: it's a Landlock-only change either way, both hooks already
exist, so no io_uring core churn.

Coarse (block ring creation) can hang off security_uring_allowed(), the existing
io_uring_setup() gate. That matches the creation-control direction Mickaël raised
-- the socket-creation work he said would suit io_uring too -- and it's a fine
default, since most sandboxes don't need io_uring. One caveat: it overlaps
kernel.io_uring_disabled and a seccomp filter on io_uring_setup, so the
Landlock-specific win is mainly composing it in a ruleset.

Fine-grained (gate device uring_cmd) is the only one that closes the asymmetry I
reported. It uses security_uring_cmd() -- the hook SELinux and Smack already have
and we don't -- and needs no new right: gate device files on the existing
IOCTL_DEV, mirroring hook_file_ioctl_common(). All-or-nothing per device, since
cmd_op is a private number space.

So I'd go coarse-first as you suggest, and keep the uring_cmd gate as the granular
step; it's little code and reuses an existing right. Happy to prototype either
once you and Mickaël settle on the shape; I'll hold until then.

Bryam
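
The message notes that the coarse ring-creation control overlaps a seccomp filter on io_uring_setup. As an added example (not part of the original message and not Landlock or kernel code), this is what that existing seccomp control looks like from a sandboxing process; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425 /* same number on every architecture */
#endif

/* Install a filter that fails io_uring_setup(2) with EPERM and allows all else.
 * x32 callers (syscall nr with bit 30 set) are not matched by this comparison. */
static int deny_io_uring_setup(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    /* Required for an unprivileged task to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, sandbox it, and return the errno it gets from io_uring_setup
 * (0 if a ring was created, -1 if the probe itself could not be set up). */
int sandboxed_io_uring_setup_errno(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (deny_io_uring_setup())
            _exit(255);
        long fd = syscall(__NR_io_uring_setup, 8, NULL);
        _exit(fd >= 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) { return sandboxed_io_uring_setup_errno() == EPERM ? 0 : 1; }
```

Like the coarse option, this removes io_uring for the whole task, so it does nothing for a sandbox that must keep io_uring and only wants device uring_cmd gated.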



