Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1019510rwb;
        Thu, 10 Nov 2022 10:07:25 -0800 (PST)
X-Google-Smtp-Source: AMsMyM4y2EV0WKvALE6BzHhwCPymhA9h1TLZwRxowZPmtd/cRATCCLC70qsJLw0lWf4Uk13ANfoW
X-Received: by 2002:a17:902:e843:b0:186:b180:3c3a with SMTP id t3-20020a170902e84300b00186b1803c3amr66244708plg.66.1668103645612;
        Thu, 10 Nov 2022 10:07:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668103645; cv=none;
        d=google.com; s=arc-20160816;
        b=DQ9KR3qFXslTE1fvcAZRT8fa2w/zhgv9aIOJKXkVCj0UMZFALe6JMcLLGRqC3n0RyM
         6SOndL6JH2jsg+5cTTITMGSTMLLmnLKZ2GBjwzcYKxfg/O10tY62AkZYx4AE5xIqiNy9
         kZjiqKmqqLUHt5PdV2sHiQjBe+/+9PrsyDLDjoMme81VaeRKMToD2XJ9u5XdoNWugy3Z
         3b5TdFY2t89Gc8+nSrE7L+4fEhNhIYIJPWvTu1ZTx0wsj1puwFVYuHE3wCH8hSif84eg
         LdVOhgHmrbezO4hngNTXA9+KkgWKgnBG6r88dNSYNIJZp+fDIE0ArLrx56wZosUKojIs
         tr4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=kfHz50Kg7kyBZpgLz1L+duIpLshaF3vQXrti1dXGZLQ=;
        b=C70XfJDSOdurbPIkoAE4xha8LjS65VdPzKw74N4Hx608Wi3PAaeY0pDlc9TKiNY6PG
         foCTxzZAaXJc7ArxI5X/VyVU0bH9W1VovPkHWHo0A9E5PwkbvqbpBDWKdiZdnQ+FddpF
         RpyroPzgOMwY7tetpFtdzone3/Xy/MthE0M326WjLYah6wd9vJ0pUvo1L3j3y/8xrCsk
         J069cadvj9UPKcVaea4VZvjnLfI7bwX/GFUDtvABgJ8qKjufQ4OHw0wc8mEfdDD+cyUz
         nCSv00/rxtU6wCWb8vSG95uGEELFJ+7+mCVvbN9m5JrQpPxMgbkxlJeBVOupwwizkb5U
         etkg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=himkAUve;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id x64-20020a638643000000b0043c5fa4c118si21011036pgd.814.2022.11.10.10.07.13;
        Thu, 10 Nov 2022 10:07:25 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=himkAUve;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231448AbiKJRyS (ORCPT <rfc822;recursive.nomad@gmail.com>
        + 92 others); Thu, 10 Nov 2022 12:54:18 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38790 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231364AbiKJRyQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Nov 2022 12:54:16 -0500
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B1BB49B51
        for <linux-kernel@vger.kernel.org>; Thu, 10 Nov 2022 09:54:15 -0800 (PST)
Received: by mail-ej1-x62f.google.com with SMTP id ft34so6835997ejc.12
        for <linux-kernel@vger.kernel.org>; Thu, 10 Nov 2022 09:54:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=kfHz50Kg7kyBZpgLz1L+duIpLshaF3vQXrti1dXGZLQ=;
        b=himkAUve95kura1F4xyrjgF2Ao9L01DaBYcsivT7aKJ5J4AF6ajPklOMnZ88snF8S/
         Sm6FEemOqLF/MrgUC5yLIaXtMop2DLyIxPzRPUoUFaA5aKTYxAFSqWUMJk850gnqShNb
         wE7XZ4ZD0YABNLuFjY+X3KglYL7nJG8JNkkvLu3QJtRk3djhDQghiY7LCQX3IS7glCq2
         M3Z3rUTcmamKd9fp2ozIcuSHynhl1Xgi/GnqGciIWHpaSJNBKuTCOn3Ej65qPgsyN7ok
         8FB28sjmPUx11WchT1uogNEcf84eSNHyyoLzumQXLDUlwM/q3BMdB2xufOMmSmbksCWm
         YjnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=kfHz50Kg7kyBZpgLz1L+duIpLshaF3vQXrti1dXGZLQ=;
        b=Z3p3ZWAaFGjynWAOcDfzhiF0x741wZPPBzEXP16e4769CN/yF8+2qnvqDR4ISg4bcS
         GURwMGWNW1PBo78cATLLKYcyyqURAJ4nmkoAYzkE30bd9psdx++rxdAszIwPZHM/eImT
         3Ff6eZNo6x5V/DtCMbl9W+/7YlP9uSBuTm/78M73hM/1CJx4viit086AzM87gS7ngQMc
         dnkrLwrNZwRvCPwx/Gulx9iCuaVpHqZE1LK3PGSpphI7YoZTbVStP6HhNfi16RlytH1K
         AWQ0N/wfvuuITIrOtXsZ0080WpOwFhBkIkuWKCcs3KD6/gkAG2RuAAkMUtWEHNNDy4Q/
         AoTg==
X-Gm-Message-State: ACrzQf3utt0ODM9aByv6zra7g6wVxdVnpYKIPKAhKpDVoDWyDCI3WqCo
        2JOOarK1MGWeFvCWfBXsJhxYPCsLBDhrhc/a5pd61A==
X-Received: by 2002:a17:906:b34b:b0:7ad:e8dd:837c with SMTP id
 cd11-20020a170906b34b00b007ade8dd837cmr3571084ejb.264.1668102853085; Thu, 10
 Nov 2022 09:54:13 -0800 (PST)
MIME-Version: 1.0
References: <20221107205754.2635439-1-cukie@google.com> <CAHC9VhTLBWkw2XzqdFx1LFVKDtaAL2pEfsmm+LEmS0OWM1mZgA@mail.gmail.com>
In-Reply-To: <CAHC9VhTLBWkw2XzqdFx1LFVKDtaAL2pEfsmm+LEmS0OWM1mZgA@mail.gmail.com>
From:   Jeffrey Vander Stoep <jeffv@google.com>
Date:   Thu, 10 Nov 2022 18:54:00 +0100
Message-ID: <CABXk95ChjusTneWJgj5a58CZceZv0Ay-P-FwBcH2o4rO0g2Ggw@mail.gmail.com>
Subject: Re: [PATCH v1 0/2] Add LSM access controls for io_uring_setup
To:     Paul Moore <paul@paul-moore.com>
Cc:     Gil Cukierman <cukie@google.com>, Jens Axboe <axboe@kernel.dk>,
        Pavel Begunkov <asml.silence@gmail.com>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Eric Paris <eparis@parisplace.org>, kernel-team@android.com,
        linux-kernel@vger.kernel.org, io-uring@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Paul,

There are a few reasons why we want this particular hook.

1.  It aligns well with how other resources are managed by selinux
where access to the resource is the first control point (e.g. "create"
for files, sockets, or bpf_maps, "prog_load" for bpf programs, and
"open" for perf_event) and then additional functionality or
capabilities require additional permissions.
2. It aligns well with how resources are managed on Android. We often
do not grant direct access to resources (like memory buffers). For
example, a single domain on Android manages the loading of all bpf
programs and the creation of all bpf maps. Other domains can be
granted access to these only once they're created. We can enforce base
properties with MAC, while allowing the system to manage and grant
access to resources at run-time via DAC (e.g. using Android's
permission model). This allows us to do better management and
accounting of resources.
3. Attack surface management. One of the primary uses of selinux on
Android is to assess and limit attack surface (e.g.
https://twitter.com/jeffvanderstoep/status/1422771606309335043) . As
io_uring vulnerabilities have made their way through our vulnerability
management system, it's become apparent that it's complicated to
assess the impact. Is a use-after-free reachable? Creating
proof-of-concept exploits takes a lot of time, and often functionality
can be reached by multiple paths. How many of the known io_uring
vulnerabilities would be gated by the existing checks? How many future
ones will be gated by the existing checks? I don't know the answer to
either of these questions and it's not obvious. I believe some of them
currently are exploitable without any selinux permissions. But in any
case, this hook makes that initial assessment simple and effective.

On Mon, Nov 7, 2022 at 10:17 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Mon, Nov 7, 2022 at 3:58 PM Gil Cukierman <cukie@google.com> wrote:
> >
> > This patchset provides the changes required for controlling access to
> > the io_uring_setup system call by LSMs. It does this by adding a new
> > hook to io_uring. It also provides the SELinux implementation for a new
> > permission, io_uring { setup }, using the new hook.
> >
> > This is important because existing io_uring hooks only support limiting
> > the sharing of credentials and access to the sensitive uring_cmd file
> > op. Users of LSMs may also want the ability to tightly control which
> > callers can retrieve an io_uring capable fd from the kernel, which is
> > needed for all subsequent io_uring operations.
>
> It isn't immediately obvious to me why simply obtaining a io_uring fd
> from io_uring_setup() would present a problem, as the security
> relevant operations that are possible with that io_uring fd *should*
> still be controlled by other LSM hooks.  Can you help me understand
> what security issue you are trying to resolve with this control?


I think there are a few reasons why we want this particular hook.

1.  It aligns well with how other resources are managed by selinux
where access to the resource is the first control point (e.g. "create"
for files, sockets, or bpf_maps, "prog_load" for bpf programs, and
"open" for perf_event) and then additional functionality or
capabilities require additional permissions.
2. It aligns well with how resources are managed on Android. We often
do not grant direct access to resources (like memory buffers). For
example, a single domain on Android manages the loading of all bpf
programs and the creation of all bpf maps. Other domains can be
granted access to these only once they're created. We can enforce base
properties with MAC, while allowing the system to manage and grant
access to resources at run-time via DAC (e.g. using Android's
permission model). This allows us to do better management and
accounting of resources.
3. Attack surface management. One of the primary uses of selinux on
Android is to assess and limit attack surface (e.g.
https://twitter.com/jeffvanderstoep/status/1422771606309335043) . As
io_uring vulnerabilities have made their way through our vulnerability
management system, it's become apparent that it's complicated to
assess the impact. Is a use-after-free reachable? Creating
proof-of-concept exploits takes a lot of time, and often functionality
can be reached by multiple paths. How many of the known io_uring
vulnerabilities would be gated by the existing checks? How many future
ones will be gated by the existing checks? I don't know the answer to
either of these questions and it's not obvious. This hook makes that
initial assessment simple and effective.
>

>
> --
> paul-moore.com