diff options
author | Paul Moore <paul@paul-moore.com> | 2022-08-10 21:55:36 +0200 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2022-08-26 17:19:43 +0200 |
commit | f4d653dcaa4e4056e1630423e6a8ece4869b544f (patch) | |
tree | 36943975de28bc16aceaade7c51c2988cc6f71e6 /security/selinux/include | |
parent | lsm,io_uring: add LSM hooks for the new uring_cmd file op (diff) | |
download | linux-f4d653dcaa4e4056e1630423e6a8ece4869b544f.tar.xz linux-f4d653dcaa4e4056e1630423e6a8ece4869b544f.zip |
selinux: implement the security_uring_cmd() LSM hook
Add a SELinux access control for the iouring IORING_OP_URING_CMD
command. This includes the addition of a new permission in the
existing "io_uring" object class: "cmd". The subject of the new
permission check is the domain of the process requesting access, the
object is the open file which points to the device/file that is the
target of the IORING_OP_URING_CMD operation. A sample policy rule
is shown below:
allow <domain> <file>:io_uring { cmd };
Cc: stable@vger.kernel.org
Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/classmap.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index ff757ae5f253..1c2f41ff4e55 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -253,7 +253,7 @@ const struct security_class_mapping secclass_map[] = { { "anon_inode", { COMMON_FILE_PERMS, NULL } }, { "io_uring", - { "override_creds", "sqpoll", NULL } }, + { "override_creds", "sqpoll", "cmd", NULL } }, { NULL } }; |