Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook

[PATCH 0/3] LSM hooks for IORING_OP_URING_CMD · Paul Moore <paul@paul-moore.com> · 2022-08-22
[PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-23
Re: [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op · Paul Moore <paul@paul-moore.com> · 2022-08-23
Re: [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-24
Re: [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op · Paul Moore <paul@paul-moore.com> · 2022-08-24
[PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-23
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Paul Moore <paul@paul-moore.com> · 2022-08-23
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Joel Granados <hidden> · 2022-09-01
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Paul Moore <paul@paul-moore.com> · 2022-09-01
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Joel Granados <hidden> · 2022-09-07
Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook · Joel Granados <hidden> · 2022-09-16
[PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Jens Axboe <axboe@kernel.dk> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Jens Axboe <axboe@kernel.dk> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Jens Axboe <axboe@kernel.dk> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-22
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-23
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Jens Axboe <axboe@kernel.dk> · 2022-08-23
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-23
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-23
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-23
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-08-24
Re: [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support · Paul Moore <paul@paul-moore.com> · 2022-08-24
Re: [PATCH 0/3] LSM hooks for IORING_OP_URING_CMD · Paul Moore <paul@paul-moore.com> · 2022-08-26

From: Paul Moore <paul@paul-moore.com>
Date: 2022-08-23 18:29:02
Also in: io-uring, selinux

On Tue, Aug 23, 2022 at 2:52 AM Greg Kroah-Hartman
[off-list ref] wrote:

On Mon, Aug 22, 2022 at 05:21:13PM -0400, Paul Moore wrote:

quoted

Add a SELinux access control for the iouring IORING_OP_URING_CMD
command.  This includes the addition of a new permission in the
existing "io_uring" object class: "cmd".  The subject of the new
permission check is the domain of the process requesting access, the
object is the open file which points to the device/file that is the
target of the IORING_OP_URING_CMD operation.  A sample policy rule
is shown below:

  allow <domain> <file>:io_uring { cmd };

Cc: stable@vger.kernel.org

This is not stable material as you are adding a new feature.  Please
read the stable documentation for what is and is not allowed.

Strongly disagree, see my comments on patch 1/3 in this patchset.

-- 
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help