Thread: 25 messages, 5 authors, 2022-07-18

Re: [PATCH] lsm,io_uring: add LSM hooks to for the new uring_cmd file op

From: Luis Chamberlain <mcgrof@kernel.org>
Date: 2022-07-15 00:55:13
Also in: io-uring, linux-block, linux-nvme

On Wed, Jul 13, 2022 at 05:38:42PM -0700, Casey Schaufler wrote:
> On 7/13/2022 5:05 PM, Luis Chamberlain wrote:
> > io-uring cmd support was added through ee692a21e9bf ("fs,io_uring:
> > add infrastructure for uring-cmd"), this extended the struct
> > file_operations to allow a new command which each subsystem can use
> > to enable command passthrough. Add an LSM specific for the command
> > passthrough which enables LSMs to inspect the command details.
> >
> > This was discussed long ago without no clear pointer for something
> > conclusive, so this enables LSMs to at least reject this new file
> > operation.
>
> tl;dr - Yuck. Again.
>
> You're passing the complexity of uring-cmd directly into each
> and every security module. SELinux, AppArmor, Smack, BPF and
> every other LSM now needs to know the gory details of everything
> that might be in any arbitrary subsystem so that it can make a
> wild guess about what to do. And I thought ioctl was hard to deal
> with.

Yes... I cannot agree anymore.

> Look at what Paul Moore did for the existing io_uring code.
> Carry that forward into your passthrough implementation.

Which one in particular? I didn't see any glaring obvious answers.

> No, I don't think that waving security away because we haven't
> proposed a fix for your flawed design is acceptable. Sure, we
> can help.

Hey if the answer was obvious it would have been implemented.

  Luis