On Jan 27, 2025 Hamza Mahfooz [off-list ref] wrote:

It is desirable to allow LSM to configure accessibility to io_uring
because it is a coarse yet very simple way to restrict access to it. So,
add an LSM for io_uring_allowed() to guard access to io_uring.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Hamza Mahfooz <redacted>
---
 include/linux/lsm_hook_defs.h       |  1 +
 include/linux/security.h            |  5 +++++
 io_uring/io_uring.c                 |  2 +-
 security/security.c                 | 12 ++++++++++++
 security/selinux/hooks.c            | 14 ++++++++++++++
 security/selinux/include/classmap.h |  2 +-
 6 files changed, 34 insertions(+), 2 deletions(-)

Thanks Hamza, this looks good to me, but we need to wait until we get an
ACK from Jens on path 1/2; he's pretty responsive so I don't think we'll
have to wait too long.

As far as the return/label issue in patch 1/2, as long as there are no
other issues, and you are okay with the change, I can fix that up when
merging your patches.

--
paul-moore.com