
Merge tag 'lsm-pr-20250323' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Pull lsm updates from Paul Moore:

- Various minor updates to the LSM Rust bindings

Changes include marking trivial Rust bindings as inlines and comment
tweaks to better reflect the LSM hooks.

- Add LSM/SELinux access controls to io_uring_allowed()

Similar to the io_uring_disabled sysctl, add an LSM hook to
io_uring_allowed() to give LSMs a simple way to enforce security
policy on the use of io_uring. This pull request includes SELinux
support for this new control using the io_uring/allowed permission.

- Remove an unused parameter from the security_perf_event_open() hook

The perf_event_attr struct parameter was not used by any currently
supported LSMs, remove it from the hook.

- Add an explicit MAINTAINERS entry for the credentials code

We've seen problems in the past where patches to the credentials code
sent by non-maintainers would often languish on the lists for
multiple months as there was no one explicitly tasked with the
responsibility of reviewing and/or merging credentials related code.

Considering that most of the code under security/ has a vested
interest in ensuring that the credentials code is well maintained,
I'm volunteering to look after the credentials code and Serge Hallyn
has also volunteered to step up as an official reviewer. I posted the
MAINTAINERS update as a RFC to LKML in hopes that someone else would
jump up with an "I'll do it!", but beyond Serge it was all crickets.

- Update Stephen Smalley's old email address to prevent confusion

This includes a corresponding update to the mailmap file.

* tag 'lsm-pr-20250323' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
mailmap: map Stephen Smalley's old email addresses
lsm: remove old email address for Stephen Smalley
MAINTAINERS: add Serge Hallyn as a credentials reviewer
MAINTAINERS: add an explicit credentials entry
cred,rust: mark Credential methods inline
lsm,rust: reword "destroy" -> "release" in SecurityCtx
lsm,rust: mark SecurityCtx methods inline
perf: Remove unnecessary parameter of security check
lsm: fix a missing security_uring_allowed() prototype
io_uring,lsm,selinux: add LSM hooks for io_uring_setup()
io_uring: refactor io_uring_allowed()

+100 -42
+2
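--- a/.mailmap
+++ b/.mailmap
@@ -685,6 +685,8 @@
 Stephen Hemminger <stephen@networkplumber.org> <shemminger@osdl.org>
 Stephen Hemminger <stephen@networkplumber.org> <sthemmin@microsoft.com>
 Stephen Hemminger <stephen@networkplumber.org> <sthemmin@vyatta.com>
+Stephen Smalley <stephen.smalley.work@gmail.com> <sds@epoch.ncsc.mil>
+Stephen Smalley <stephen.smalley.work@gmail.com> <sds@tycho.nsa.gov>
 Steve Wise <larrystevenwise@gmail.com> <swise@chelsio.com>
 Steve Wise <larrystevenwise@gmail.com> <swise@opengridcomputing.com>
 Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com> <subashab@codeaurora.org>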
+10
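--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6154,6 +6154,16 @@
 S: Maintained
 F: drivers/hid/hid-creative-sb0540.c
 
+CREDENTIALS
+M: Paul Moore <paul@paul-moore.com>
+R: Serge Hallyn <sergeh@kernel.org>
+L: linux-security-module@vger.kernel.org
+S: Supported
+T: git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
+F: include/linux/cred.h
+F: kernel/cred.c
+F: Documentation/security/credentials.rst
+
 INTEL CRPS COMMON REDUNDANT PSU DRIVER
 M: Ninad Palsule <ninad@linux.ibm.com>
 L: linux-hwmon@vger.kernel.org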
+1 -1
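--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1343,7 +1343,7 @@
 * unprivileged users.
 */
 if ((event->attr.sample_type & PERF_SAMPLE_RAW) &&
-perf_allow_kernel(&event->attr)) {
+perf_allow_kernel()) {
 perf_ibs_phyaddr_clear(perf_ibs, &ibs_data);
 }
 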
+1 -1
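--- a/arch/x86/events/intel/bts.c
+++ b/arch/x86/events/intel/bts.c
@@ -574,7 +574,7 @@
 * to the user in a zero-copy fashion.
 */
 if (event->attr.exclude_kernel) {
-ret = perf_allow_kernel(&event->attr);
+ret = perf_allow_kernel();
 if (ret)
 return ret;
 }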
+1 -1
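--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -4297,7 +4297,7 @@
 if (x86_pmu.version < 3)
 return -EINVAL;
 
-ret = perf_allow_cpu(&event->attr);
+ret = perf_allow_cpu();
 if (ret)
 return ret;
 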
+1 -1
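--- a/arch/x86/events/intel/p4.c
+++ b/arch/x86/events/intel/p4.c
@@ -777,7 +777,7 @@
 * the user needs special permissions to be able to use it
 */
 if (p4_ht_active() && p4_event_bind_map[v].shared) {
-v = perf_allow_cpu(&event->attr);
+v = perf_allow_cpu();
 if (v)
 return v;
 }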
+2 -2
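--- a/drivers/perf/arm_spe_pmu.c
+++ b/drivers/perf/arm_spe_pmu.c
@@ -50,7 +50,7 @@
 
 static void set_spe_event_has_cx(struct perf_event *event)
 {
-if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && !perf_allow_kernel(&event->attr))
+if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && !perf_allow_kernel())
 event->hw.flags |= SPE_PMU_HW_FLAGS_CX;
 }
 
@@ -765,7 +765,7 @@
 set_spe_event_has_cx(event);
 reg = arm_spe_event_to_pmscr(event);
 if (reg & (PMSCR_EL1_PA | PMSCR_EL1_PCT))
-return perf_allow_kernel(&event->attr);
+return perf_allow_kernel();
 
 return 0;
 }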
+1 -1
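--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -5,7 +5,7 @@
 *
 * Author : Etienne BASSET <etienne.basset@ensta.org>
 *
-* All credits to : Stephen Smalley, <sds@tycho.nsa.gov>
+* All credits to : Stephen Smalley
 * All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
 */
 #ifndef _LSM_COMMON_LOGGING_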
+2 -1
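--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -445,7 +445,7 @@
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
 
 #ifdef CONFIG_PERF_EVENTS
-LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
+LSM_HOOK(int, 0, perf_event_open, int type)
 LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event)
 LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
 LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
@@ -455,6 +455,7 @@
 LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
 LSM_HOOK(int, 0, uring_sqpoll, void)
 LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+LSM_HOOK(int, 0, uring_allowed, void)
 #endif /* CONFIG_IO_URING */
 
 LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)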
+5 -5
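--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1698,22 +1698,22 @@
 return sysctl_perf_event_paranoid > -1;
 }
 
-int perf_allow_kernel(struct perf_event_attr *attr);
+int perf_allow_kernel(void);
 
-static inline int perf_allow_cpu(struct perf_event_attr *attr)
+static inline int perf_allow_cpu(void)
 {
 if (sysctl_perf_event_paranoid > 0 && !perfmon_capable())
 return -EACCES;
 
-return security_perf_event_open(attr, PERF_SECURITY_CPU);
+return security_perf_event_open(PERF_SECURITY_CPU);
 }
 
-static inline int perf_allow_tracepoint(struct perf_event_attr *attr)
+static inline int perf_allow_tracepoint(void)
 {
 if (sysctl_perf_event_paranoid > -1 && !perfmon_capable())
 return -EPERM;
 
-return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
+return security_perf_event_open(PERF_SECURITY_TRACEPOINT);
 }
 
 extern int perf_exclude_event(struct perf_event *event, struct pt_regs *regs);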
+7 -3
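--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2324,14 +2324,13 @@
 struct perf_event;
 
 #ifdef CONFIG_SECURITY
-extern int security_perf_event_open(struct perf_event_attr *attr, int type);
+extern int security_perf_event_open(int type);
 extern int security_perf_event_alloc(struct perf_event *event);
 extern void security_perf_event_free(struct perf_event *event);
 extern int security_perf_event_read(struct perf_event *event);
 extern int security_perf_event_write(struct perf_event *event);
 #else
-static inline int security_perf_event_open(struct perf_event_attr *attr,
-int type)
+static inline int security_perf_event_open(int type)
 {
 return 0;
 }
@@ -2361,6 +2362,7 @@
 extern int security_uring_override_creds(const struct cred *new);
 extern int security_uring_sqpoll(void);
 extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
+extern int security_uring_allowed(void);
 #else
 static inline int security_uring_override_creds(const struct cred *new)
 {
@@ -2372,6 +2372,10 @@
 return 0;
 }
 static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
+{
+return 0;
+}
+static inline int security_uring_allowed(void)
 {
 return 0;
 }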
+14 -7
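--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3793,29 +3793,36 @@
 return io_uring_create(entries, &p, params);
 }
 
-static inline bool io_uring_allowed(void)
+static inline int io_uring_allowed(void)
 {
 int disabled = READ_ONCE(sysctl_io_uring_disabled);
 kgid_t io_uring_group;
 
 if (disabled == 2)
-return false;
+return -EPERM;
 
 if (disabled == 0 || capable(CAP_SYS_ADMIN))
-return true;
+goto allowed_lsm;
 
 io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group);
 if (!gid_valid(io_uring_group))
-return false;
+return -EPERM;
 
-return in_group_p(io_uring_group);
+if (!in_group_p(io_uring_group))
+return -EPERM;
+
+allowed_lsm:
+return security_uring_allowed();
 }
 
 SYSCALL_DEFINE2(io_uring_setup, u32, entries,
 struct io_uring_params __user *, params)
 {
-if (!io_uring_allowed())
-return -EPERM;
+int ret;
+
+ret = io_uring_allowed();
+if (ret)
+return ret;
 
 return io_uring_setup(entries, params);
 }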
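Review bot: io_uring_allowed() now has a three-way contract (0, -EPERM from the sysctl/group policy, or whatever security_uring_allowed() returns) but no comment states it, and the new `goto allowed_lsm` on the `disabled == 0 || capable(CAP_SYS_ADMIN)` line silently turns what used to be an unconditional allow for privileged callers into "still ask the LSM", which a later reader may take for an accident. A header comment such as `/* Returns 0 if io_uring_setup() may proceed, -EPERM when the io_uring_disabled/io_uring_group policy refuses, else the LSM verdict; CAP_SYS_ADMIN bypasses the sysctl policy only, never the LSM. */` would pin that down. It is also worth noting in the same comment that refusals on the `disabled == 2` and group-mismatch paths return before the hook is called, so an LSM cannot observe or audit those denials; if that ordering is intentional, say so. Propagating the hook's return value unchanged through `if (ret) return ret;` in io_uring_setup is correct, since the LSM may legitimately return an errno other than -EPERM.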
+7 -7
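--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4886,7 +4886,7 @@
 
 if (!task) {
 /* Must be root to operate on a CPU event: */
-err = perf_allow_cpu(&event->attr);
+err = perf_allow_cpu();
 if (err)
 return ERR_PTR(err);
 
@@ -12848,7 +12848,7 @@
 }
 /* privileged levels capture (kernel, hv): check permissions */
 if (mask & PERF_SAMPLE_BRANCH_PERM_PLM) {
-ret = perf_allow_kernel(attr);
+ret = perf_allow_kernel();
 if (ret)
 return ret;
 }
@@ -13105,12 +13105,12 @@
 return err;
 
 /* Do we allow access to perf_event_open(2) ? */
-err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
+err = security_perf_event_open(PERF_SECURITY_OPEN);
 if (err)
 return err;
 
 if (!attr.exclude_kernel) {
-err = perf_allow_kernel(&attr);
+err = perf_allow_kernel();
 if (err)
 return err;
 }
@@ -13130,7 +13130,7 @@
 
 /* Only privileged users can get physical addresses */
 if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR)) {
-err = perf_allow_kernel(&attr);
+err = perf_allow_kernel();
 if (err)
 return err;
 }
@@ -13969,12 +13969,12 @@
 return &event->attr;
 }
 
-int perf_allow_kernel(struct perf_event_attr *attr)
+int perf_allow_kernel(void)
 {
 if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
 return -EACCES;
 
-return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
+return security_perf_event_open(PERF_SECURITY_KERNEL);
 }
 EXPORT_SYMBOL_GPL(perf_allow_kernel);
 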
+2 -2
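--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -49,7 +49,7 @@
 
 /* The ftrace function trace is allowed only for root. */
 if (ftrace_event_is_function(tp_event)) {
-ret = perf_allow_tracepoint(&p_event->attr);
+ret = perf_allow_tracepoint();
 if (ret)
 return ret;
 
@@ -86,7 +86,7 @@
 * ...otherwise raw tracepoint data can be a severe data leak,
 * only allow root to have these.
 */
-ret = perf_allow_tracepoint(&p_event->attr);
+ret = perf_allow_tracepoint();
 if (ret)
 return ret;
 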
+5
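--- a/rust/kernel/cred.rs
+++ b/rust/kernel/cred.rs
@@ -47,6 +47,7 @@
 ///
 /// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
 /// returned [`Credential`] reference.
+#[inline]
 pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -> &'a Credential {
 // SAFETY: The safety requirements guarantee the validity of the dereference, while the
 // `Credential` type being transparent makes the cast ok.
@@ -55,6 +54,7 @@
 }
 
 /// Get the id for this security context.
+#[inline]
 pub fn get_secid(&self) -> u32 {
 let mut secid = 0;
 // SAFETY: The invariants of this type ensures that the pointer is valid.
@@ -64,6 +62,7 @@
 }
 
 /// Returns the effective UID of the given credential.
+#[inline]
 pub fn euid(&self) -> Kuid {
 // SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid`
 // field of a credential is never changed after initialization, so there is no potential
@@ -75,11 +72,13 @@
 
 // SAFETY: The type invariants guarantee that `Credential` is always ref-counted.
 unsafe impl AlwaysRefCounted for Credential {
+#[inline]
 fn inc_ref(&self) {
 // SAFETY: The existence of a shared reference means that the refcount is nonzero.
 unsafe { bindings::get_cred(self.0.get()) };
 }
 
+#[inline]
 unsafe fn dec_ref(obj: core::ptr::NonNull<Credential>) {
 // SAFETY: The safety requirements guarantee that the refcount is nonzero. The cast is okay
 // because `Credential` has the same representation as `struct cred`.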
+8 -4
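--- a/rust/kernel/security.rs
+++ b/rust/kernel/security.rs
@@ -16,13 +16,14 @@
 /// # Invariants
 ///
 /// The `ctx` field corresponds to a valid security context as returned by a successful call to
-/// `security_secid_to_secctx`, that has not yet been destroyed by `security_release_secctx`.
+/// `security_secid_to_secctx`, that has not yet been released by `security_release_secctx`.
 pub struct SecurityCtx {
 ctx: bindings::lsm_context,
 }
 
 impl SecurityCtx {
 /// Get the security context given its id.
+#[inline]
 pub fn from_secid(secid: u32) -> Result<Self> {
 // SAFETY: `struct lsm_context` can be initialized to all zeros.
 let mut ctx: bindings::lsm_context = unsafe { core::mem::zeroed() };
@@ -36,16 +35,19 @@
 }
 
 /// Returns whether the security context is empty.
+#[inline]
 pub fn is_empty(&self) -> bool {
 self.ctx.len == 0
 }
 
 /// Returns the length of this security context.
+#[inline]
 pub fn len(&self) -> usize {
 self.ctx.len as usize
 }
 
 /// Returns the bytes for this security context.
+#[inline]
 pub fn as_bytes(&self) -> &[u8] {
 let ptr = self.ctx.context;
 if ptr.is_null() {
@@ -65,10 +61,10 @@
 }
 
 impl Drop for SecurityCtx {
+#[inline]
 fn drop(&mut self) {
-// SAFETY: By the invariant of `Self`, this frees a context that came from a successful
-// call to `security_secid_to_secctx` and has not yet been destroyed by
-// `security_release_secctx`.
+// SAFETY: By the invariant of `Self`, this releases an lsm context that came from a
+// successful call to `security_secid_to_secctx` and has not yet been released.
 unsafe { bindings::security_release_secctx(&mut self.ctx) };
 }
 }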
+1 -1
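--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -3,7 +3,7 @@
 * common LSM auditing functions
 *
 * Based on code written for SELinux by :
-* Stephen Smalley, <sds@tycho.nsa.gov>
+* Stephen Smalley
 * James Morris <jmorris@redhat.com>
 * Author : Etienne Basset, <etienne.basset@ensta.org>
 */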
+14 -3
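--- a/security/security.c
+++ b/security/security.c
@@ -5883,16 +5883,15 @@
 #ifdef CONFIG_PERF_EVENTS
 /**
 * security_perf_event_open() - Check if a perf event open is allowed
-* @attr: perf event attribute
 * @type: type of event
 *
 * Check whether the @type of perf_event_open syscall is allowed.
 *
 * Return: Returns 0 if permission is granted.
 */
-int security_perf_event_open(struct perf_event_attr *attr, int type)
+int security_perf_event_open(int type)
 {
-return call_int_hook(perf_event_open, attr, type);
+return call_int_hook(perf_event_open, type);
 }
 
 /**
@@ -5997,6 +5998,18 @@
 int security_uring_cmd(struct io_uring_cmd *ioucmd)
 {
 return call_int_hook(uring_cmd, ioucmd);
+}
+
+/**
+* security_uring_allowed() - Check if io_uring_setup() is allowed
+*
+* Check whether the current task is allowed to call io_uring_setup().
+*
+* Return: Returns 0 if permission is granted.
+*/
+int security_uring_allowed(void)
+{
+return call_int_hook(uring_allowed);
 }
 #endif /* CONFIG_IO_URING */
 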
+15 -1
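--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7043,7 +7043,7 @@
 };
 
 #ifdef CONFIG_PERF_EVENTS
-static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
+static int selinux_perf_event_open(int type)
 {
 u32 requested, sid = current_sid();
 
@@ -7139,6 +7139,19 @@
 
 return avc_has_perm(current_sid(), isec->sid,
 SECCLASS_IO_URING, IO_URING__CMD, &ad);
+}
+
+/**
+* selinux_uring_allowed - check if io_uring_setup() can be called
+*
+* Check to see if the current task is allowed to call io_uring_setup().
+*/
+static int selinux_uring_allowed(void)
+{
+u32 sid = current_sid();
+
+return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
+NULL);
 }
 #endif /* CONFIG_IO_URING */
 
@@ -7406,6 +7393,7 @@
 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
 #endif
 
 /*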
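Review bot: The kernel-doc added for selinux_uring_allowed() has no `Return:` line, unlike the security_uring_allowed() wrapper this merge adds in security/security.c, and it does not say that the check is a self-permission: `current_sid()` is passed as both source and target SID, so the policy rule is written against the task's own domain rather than an object. Suggest extending the comment with `* The check is a self-permission (source SID == target SID). * * Return: Returns 0 if permission is granted, otherwise a negative error.`. The `NULL` audit data is consistent with a check that has no object, but it means a denial record carries only the SIDs and class, which is worth stating in the same comment so nobody later "fixes" it by inventing an object. IO_URING__ALLOWED is not visible on this page; presumably it is generated from the new `"allowed"` entry in security/selinux/include/classmap.h in this same merge.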
+1 -1
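--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -177,7 +177,7 @@
 { "perf_event",
 { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
 { "anon_inode", { COMMON_FILE_PERMS, NULL } },
-{ "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+{ "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
 { "user_namespace", { "create", NULL } },
 /* last one */ { NULL, {} }
 };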