apparmor: add io_uring mediation

For now, the io_uring mediation is limited to sqpoll and override_creds. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-04-25 00:52:45 -04:00 · 2023-03-20 14:43:41 -03:00
parent fa9b63adab
commit c4371d9063
6 changed files with 131 additions and 2 deletions
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -30,10 +30,10 @@
 #define AA_CLASS_NET		14
 #define AA_CLASS_LABEL		16
 #define AA_CLASS_POSIX_MQUEUE	17
-#define AA_CLASS_IO_URING	18
 #define AA_CLASS_MODULE		19
 #define AA_CLASS_DISPLAY_LSM	20
 #define AA_CLASS_NS		21
+#define AA_CLASS_IO_URING	22

 #define AA_CLASS_X		31
 #define AA_CLASS_DBUS		32
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -105,6 +105,9 @@ enum audit_type {

 #define OP_USERNS_CREATE "userns_create"

+#define OP_URING_OVERRIDE "uring_override"
+#define OP_URING_SQPOLL "uring_sqpoll"
+
 struct apparmor_audit_data {
 	int error;
 	int type;
@@ -153,6 +156,9 @@ struct apparmor_audit_data {
 			const char *data;
 			unsigned long flags;
 		} mnt;
+		struct {
+			struct aa_label *target;
+		} uring;
 	};

 	struct common_audit_data common;
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -48,6 +48,9 @@

 #define AA_LINK_SUBSET		AA_MAY_LOCK	/* overlaid */

+#define AA_MAY_CREATE_SQPOLL   AA_MAY_CREATE
+#define AA_MAY_OVERRIDE_CRED   AA_MAY_APPEND
+#define AA_URING_PERM_MASK     (AA_MAY_OVERRIDE_CRED | AA_MAY_CREATE_SQPOLL)

 #define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE |		\
 			 AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK |	\