Re: [RFC PATCH 7/9] lsm,io_uring: add LSM hooks to io_uring

[RFC PATCH 0/9] Add LSM access controls and auditing to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 1/9] audit: prepare audit_context for use in calling contexts beyond syscalls · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-21
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-05-22
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-22
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-05-23
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-24
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-05-25
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-25
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Steve Grubb <hidden> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Stefan Metzmacher <metze@samba.org> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Victor Stewart <hidden> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Casey Schaufler <casey@schaufler-ca.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Richard Guy Briggs <hidden> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Richard Guy Briggs <hidden> · 2021-05-27
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-28
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-06-02
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Richard Guy Briggs <hidden> · 2021-06-02
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-06-03
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-06-02
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Pavel Begunkov <asml.silence@gmail.com> · 2021-06-03
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Casey Schaufler <casey@schaufler-ca.com> · 2021-06-03
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Jens Axboe <axboe@kernel.dk> · 2021-06-03
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-06-04
Re: [RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
Re: [RFC PATCH 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring · Richard Guy Briggs <hidden> · 2021-06-02
Re: [RFC PATCH 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-06-02
Re: [RFC PATCH 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring · Richard Guy Briggs <hidden> · 2021-08-25
Re: [RFC PATCH 2/9] audit, io_uring, io-wq: add some basic audit support to io_uring · Paul Moore <paul@paul-moore.com> · 2021-08-25
[RFC PATCH 3/9] audit: dev/test patch to force io_uring auditing · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 4/9] audit: add filtering for io_uring records · Paul Moore <paul@paul-moore.com> · 2021-05-21
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Richard Guy Briggs <hidden> · 2021-05-28
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Paul Moore <paul@paul-moore.com> · 2021-05-30
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Richard Guy Briggs <hidden> · 2021-05-31
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Paul Moore <paul@paul-moore.com> · 2021-06-02
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Richard Guy Briggs <hidden> · 2021-06-02
Re: [RFC PATCH 4/9] audit: add filtering for io_uring records · Paul Moore <paul@paul-moore.com> · 2021-06-02
[PATCH 1/2] audit: add filtering for io_uring records, addendum · Richard Guy Briggs <hidden> · 2021-05-31
Re: [PATCH 1/2] audit: add filtering for io_uring records, addendum · kernel test robot <hidden> · 2021-05-31
Re: [PATCH 1/2] audit: add filtering for io_uring records, addendum · kernel test robot <hidden> · 2021-05-31
Re: [PATCH 1/2] audit: add filtering for io_uring records, addendum · Paul Moore <paul@paul-moore.com> · 2021-06-07
Re: [PATCH 1/2] audit: add filtering for io_uring records, addendum · Richard Guy Briggs <hidden> · 2021-06-08
Re: [PATCH 1/2] audit: add filtering for io_uring records, addendum · Paul Moore <paul@paul-moore.com> · 2021-06-09
[PATCH 2/2] audit: block PERM fields being used with io_uring filtering · Richard Guy Briggs <hidden> · 2021-05-31
[RFC PATCH 5/9] fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure() · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 6/9] io_uring: convert io_uring to the secure anon inode interface · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 7/9] lsm,io_uring: add LSM hooks to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-21
Re: [RFC PATCH 7/9] lsm,io_uring: add LSM hooks to io_uring · Stefan Metzmacher <metze@samba.org> · 2021-05-26
Re: [RFC PATCH 7/9] lsm,io_uring: add LSM hooks to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-26
[RFC PATCH 8/9] selinux: add support for the io_uring access controls · Paul Moore <paul@paul-moore.com> · 2021-05-21
[RFC PATCH 9/9] Smack: Brutalist io_uring support with debug · Paul Moore <paul@paul-moore.com> · 2021-05-21
Re: [RFC PATCH 0/9] Add LSM access controls and auditing to io_uring · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-05-22
Re: [RFC PATCH 0/9] Add LSM access controls and auditing to io_uring · Paul Moore <paul@paul-moore.com> · 2021-05-22

From: Stefan Metzmacher <metze@samba.org>
Date: 2021-05-26 14:48:31
Also in: io-uring, linux-fsdevel, selinux

Hi Paul,

quoted hunk ↗ jump to hunk

 #define CREATE_TRACE_POINTS
 #include <trace/events/io_uring.h>

@@ -6537,6 +6538,11 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
 		if (!req->work.creds)
 			return -EINVAL;
 		get_cred(req->work.creds);
+		ret = security_uring_override_creds(req->work.creds);
+		if (ret) {
+			put_cred(req->work.creds);
+			return ret;
+		}

Why are you calling this per requests, shouldn't this be done in
io_register_personality()?

I'm also not sure if this really gains anything as io_register_personality()
only captures the value of get_current_cred(), so the process already has changed to
the credentials (at least once for the io_uring_register(IORING_REGISTER_PERSONALITY)
call).

metze

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help