Re: [RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring
From: Richard Guy Briggs <hidden>
Date: 2021-08-26 16:32:54
Also in:
io-uring, linux-fsdevel, selinux
On 2021-08-25 21:34, Paul Moore wrote:
On Wed, Aug 25, 2021 at 9:16 PM Richard Guy Briggs [off-list ref] wrote:quoted
On 2021-08-24 16:57, Richard Guy Briggs wrote:quoted
On 2021-08-11 16:48, Paul Moore wrote:quoted
Draft #2 of the patchset which brings auditing and proper LSM access controls to the io_uring subsystem. The original patchset was posted in late May and can be found via lore using the link below: https://lore.kernel.org/linux-security-module/162163367115.8379.8459012634106035341.stgit@sifl/ (local) This draft should incorporate all of the feedback from the original posting as well as a few smaller things I noticed while playing further with the code. The big change is of course the selective auditing in the io_uring op servicing, but that has already been discussed quite a bit in the original thread so I won't go into detail here; the important part is that we found a way to move forward and this draft captures that. For those of you looking to play with these patches, they are based on Linus' v5.14-rc5 tag and on my test system they boot and appear to function without problem; they pass the selinux-testsuite and audit-testsuite and I have not noticed any regressions in the normal use of the system. If you want to get a copy of these patches straight from git you can use the "working-io_uring" branch in the repo below: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git Beyond the existing test suite tests mentioned above, I've cobbled together some very basic, very crude tests to exercise some of the things I care about from a LSM/audit perspective. These tests are pretty awful (I'm not kidding), but they might be helpful for the other LSM/audit developers who want to test things: https://drop.paul-moore.com/90.kUgq There are currently two tests: 'iouring.2' and 'iouring.3'; 'iouring.1' was lost in a misguided and overzealous 'rm' command. The first test is standalone and basically tests the SQPOLL functionality while the second tests sharing io_urings across process boundaries and the credential/personality sharing mechanism. The console output of both tests isn't particularly useful, the more interesting bits are in the audit and LSM specific logs. The 'iouring.2' command requires no special arguments to run but the 'iouring.3' test is split into a "server" and "client"; the server should be run without argument: % ./iouring.3s >>> server started, pid = 11678 >>> memfd created, fd = 3 >>> io_uring created; fd = 5, creds = 1 ... while the client should be run with two arguments: the first is the PID of the server process, the second is the "memfd" fd number: % ./iouring.3c 11678 3 >>> client started, server_pid = 11678 server_memfd = 3 >>> io_urings = 5 (server) / 5 (client) >>> io_uring ops using creds = 1 >>> async op result: 36 >>> async op result: 36 >>> async op result: 36 >>> async op result: 36 >>> START file contents What is this life if, full of care, we have no time to stand and stare. >>> END file contents The tests were hacked together from various sources online, attribution and links to additional info can be found in the test sources, but I expect these tests to die a fiery death in the not to distant future as I work to add some proper tests to the SELinux and audit test suites. As I believe these patches should spend a full -rcX cycle in linux-next, my current plan is to continue to solicit feedback on these patches while they undergo additional testing (next up is verification of the audit filter code for io_uring). Assuming no critical issues are found on the mailing lists or during testing, I will post a proper patchset later with the idea of merging it into selinux/next after the upcoming merge window closes. Any comments, feedback, etc. are welcome.Thanks for the tests. I have a bunch of userspace patches to add to the last set I posted and these tests will help exercise them. I also have one more kernel patch to post... I'll dive back into that now. I had wanted to post them before now but got distracted with AUDIT_TRIM breakage.Please tell me about liburing.h that is needed for these. There is one in tools/io_uring/liburing.h but I don't think that one is right. The next obvious one would be include/uapi/linux/io_uring.h I must be missing something obvious here...You are looking for the liburing header files, the upstream is here: -> https://github.com/axboe/liburing If you are on a RH/IBM based distro it is likely called liburing[-devel]:
Found it but struct io_uring missing "features" in everything except rawhide. Forced upgrade of my test VMs. :-) audit-testsuite still passes. I'm getting: # ./iouring.2 Kernel thread io_uring-sq is not running. Unable to setup io_uring: Permission denied # ./iouring.3s >>> server started, pid = 2082 >>> memfd created, fd = 3 io_uring_queue_init: Permission denied I have CONFIG_IO_URING=y set, what else is needed?
% dnf whatprovides */liburing.h
Last metadata expiration check: 0:38:37 ago on Wed 25 Aug 2021 08:54:22 PM EDT.
liburing-devel-2.0-2.fc35.i686 : Development files for Linux-native io_uring I/O
: access library
Repo : rawhide
Matched from:
Filename : /usr/include/liburing.h
liburing-devel-2.0-2.fc35.x86_64 : Development files for Linux-native io_uring
: I/O access library
Repo : @System
Matched from:
Filename : /usr/include/liburing.h
liburing-devel-2.0-2.fc35.x86_64 : Development files for Linux-native io_uring
: I/O access library
Repo : rawhide
Matched from:
Filename : /usr/include/liburing.h
--
paul moore- RGB -- Richard Guy Briggs [off-list ref] Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635