diff options
| author | Paul Moore <paul@paul-moore.com> | 2021-02-23 18:16:45 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2021-09-19 22:40:32 -0400 |
| commit | 740b03414b20e7f1879cd99aae27d8c401bbcbf9 (patch) | |
| tree | 4829f78116ce3877643c52c2f55a7baca2e8946d /security/smack | |
| parent | cdc1404a40461faba23c5a5ad40adcc7eecc1580 (diff) | |
selinux: add support for the io_uring access controls
This patch implements two new io_uring access controls, specifically
support for controlling the io_uring "personalities" and
IORING_SETUP_SQPOLL. Controlling the sharing of io_urings themselves
is handled via the normal file/inode labeling and sharing mechanisms.
The io_uring { override_creds } permission restricts which domains
the subject domain can use to override it's own credentials.
Granting a domain the io_uring { override_creds } permission allows
it to impersonate another domain in io_uring operations.
The io_uring { sqpoll } permission restricts which domains can create
asynchronous io_uring polling threads. This is important from a
security perspective as operations queued by this asynchronous thread
inherit the credentials of the thread creator by default; if an
io_uring is shared across process/domain boundaries this could result
in one domain impersonating another. Controlling the creation of
sqpoll threads, and the sharing of io_urings across processes, allow
policy authors to restrict the ability of one domain to impersonate
another via io_uring.
As a quick summary, this patch adds a new object class with two
permissions:
io_uring { override_creds sqpoll }
These permissions can be seen in the two simple policy statements
below:
allow domA_t domB_t : io_uring { override_creds };
allow domA_t self : io_uring { sqpoll };
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/smack')
0 files changed, 0 insertions, 0 deletions