From: Linus Torvalds
Date: Tue, 2 Nov 2021 04:06:18 +0000 (-0700)
Subject: Merge tag 'selinux-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git...
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=cdab10bf3285ee354e8f50254aa799631b7a95e0;p=linux.git

Merge tag 'selinux-pr-20211101' of git://git./linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

 - Add LSM/SELinux/Smack controls and auditing for io-uring.

   As usual, the individual commit descriptions have more detail, but we
   were basically missing two things which we're adding here:

      + establishment of a proper audit context so that auditing of
        io-uring ops works similarly to how it does for syscalls (with
        some io-uring additions because io-uring ops are *not* syscalls)

      + additional LSM hooks to enable access control points for some of
        the more unusual io-uring features, e.g. credential overrides.

   The additional audit callouts and LSM hooks were done in conjunction
   with the io-uring folks, based on conversations and RFC patches
   earlier in the year.

 - Fixup the binder credential handling so that the proper credentials
   are used in the LSM hooks; the commit description and the code
   comment which is removed in these patches are helpful to understand
   the background and why this is the proper fix.

 - Enable SELinux genfscon policy support for securityfs, allowing
   improved SELinux filesystem labeling for other subsystems which make
   use of securityfs, e.g. IMA.
* tag 'selinux-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  security: Return xattr name from security_dentry_init_security()
  selinux: fix a sock regression in selinux_ip_postroute_compat()
  binder: use cred instead of task for getsecid
  binder: use cred instead of task for selinux checks
  binder: use euid from cred instead of using task
  LSM: Avoid warnings about potentially unused hook variables
  selinux: fix all of the W=1 build warnings
  selinux: make better use of the nf_hook_state passed to the NF hooks
  selinux: fix race condition when computing ocontext SIDs
  selinux: remove unneeded ipv6 hook wrappers
  selinux: remove the SELinux lockdown implementation
  selinux: enable genfscon labeling for securityfs
  Smack: Brutalist io_uring support
  selinux: add support for the io_uring access controls
  lsm,io_uring: add LSM hooks to io_uring
  io_uring: convert io_uring to the secure anon inode interface
  fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure()
  audit: add filtering for io_uring records
  audit,io_uring,io-wq: add some basic audit support to io_uring
  audit: prepare audit_context for use in calling contexts beyond syscalls
---
cdab10bf3285ee354e8f50254aa799631b7a95e0
diff --cc fs/io-wq.c index 38b33ad9e8cf2,dac5c5961c9da..c516912622082 --- a/fs/io-wq.c +++ b/fs/io-wq.c @@@ -14,7 -14,7 +14,8 @@@ #include #include #include + #include +#include #include "io-wq.h" diff --cc fs/io_uring.c index 3a4af9799d9ad,f89d00af3a678..3ecd4b51510ea --- a/fs/io_uring.c +++ b/fs/io_uring.c @@@ -910,8 -917,10 +912,10 @@@ struct io_op_def unsigned buffer_select : 1; /* do prep async if is going to be punted */ unsigned needs_async_setup : 1; - /* should block plug */ - unsigned plug : 1; + /* opcode is not supported by this kernel */ + unsigned not_supported : 1; + /* skip auditing */ + unsigned audit_skip : 1; /* size of async data needed, if any */ unsigned short async_size; }; @@@ -6578,9 -6621,13 +6612,12 @@@ static int 
io_issue_sqe(struct io_kioc const struct cred *creds = NULL; int ret; - if ((req->flags & REQ_F_CREDS) && req->creds != current_cred()) + if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred())) creds = override_creds(req->creds); + if (!io_op_defs[req->opcode].audit_skip) + audit_uring_entry(req->opcode); + switch (req->opcode) { case IORING_OP_NOP: ret = io_nop(req, issue_flags); @@@ -7090,14 -7067,38 +7130,21 @@@ static int io_init_req(struct io_ring_c personality = READ_ONCE(sqe->personality); if (personality) { ++ int ret; ++ req->creds = xa_load(&ctx->personalities, personality); if (!req->creds) return -EINVAL; get_cred(req->creds); + ret = security_uring_override_creds(req->creds); + if (ret) { + put_cred(req->creds); + return ret; + } req->flags |= REQ_F_CREDS; } - state = &ctx->submit_state; - - /* - * Plug now if we have more than 1 IO left after this, and the target - * is potentially a read/write to block based storage. - */ - if (!state->plug_started && state->ios_left > 1 && - io_op_defs[req->opcode].plug) { - blk_start_plug(&state->plug); - state->plug_started = true; - } - - if (io_op_defs[req->opcode].needs_file) { - req->file = io_file_get(ctx, req, READ_ONCE(sqe->fd), - (sqe_flags & IOSQE_FIXED_FILE)); - if (unlikely(!req->file)) - ret = -EBADF; - } - state->ios_left--; - return ret; + return io_req_prep(req, sqe); } static int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
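Review bot: In the `struct io_op_def` hunk of fs/io_uring.c, the comment on the new `audit_skip` bit says only "skip auditing" and gives no rule for when an opcode may set it. Because the bit defaults to 0, an opcode that does not set it is passed to `audit_uring_entry()` in io_issue_sqe(), which is the safe default. Say so in the comment and state the criterion for opting out, so that a later opcode does not pick up the bit by copy-and-paste and drop out of the audit trail unnoticed.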
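Review bot: In the io_issue_sqe() hunk, `audit_uring_entry(req->opcode)` sits after `override_creds(req->creds)`, so the entry is recorded while the overriding credentials are already in effect, and the visible context stops at `case IORING_OP_NOP` without showing where the audit context is closed. Add a short comment that the ordering is deliberate, and confirm that every path out of the switch reaches the matching audit exit call under the same `audit_skip` condition, so that an entry is never left open.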
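Review bot: In the io_init_req() hunk, the `++` lines declaring `int ret;` inside the `if (personality)` block are in neither parent, so that declaration was written during conflict resolution and was not covered by review on either branch; the merge message should mention it. On the logic itself, the reference taken with `get_cred()` is dropped with `put_cred()` when `security_uring_override_creds()` returns an error, and `REQ_F_CREDS` is set only after the hook allows the override, so a denied request never carries the flag. A one-line comment stating that ordering would help keep it intact when this block is next touched.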