Commit c4371d90 authored by Georgia Garcia's avatar Georgia Garcia Committed by John Johansen

apparmor: add io_uring mediation



For now, the io_uring mediation is limited to sqpoll and
override_creds.

Signed-off-by: default avatarGeorgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent fa9b63ad
+7 −0
@@ -2390,6 +2390,12 @@ static struct aa_sfs_entry aa_sfs_entry_query[] = {
	AA_SFS_DIR("label",			aa_sfs_entry_query_label),
	{ }
};

static struct aa_sfs_entry aa_sfs_entry_io_uring[] = {
	AA_SFS_FILE_STRING("mask", "sqpoll override_creds"),
	{ }
};

static struct aa_sfs_entry aa_sfs_entry_features[] = {
	AA_SFS_DIR("policy",			aa_sfs_entry_policy),
	AA_SFS_DIR("domain",			aa_sfs_entry_domain),
@@ -2403,6 +2409,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
	AA_SFS_DIR("ptrace",			aa_sfs_entry_ptrace),
	AA_SFS_DIR("signal",			aa_sfs_entry_signal),
	AA_SFS_DIR("query",			aa_sfs_entry_query),
	AA_SFS_DIR("io_uring",			aa_sfs_entry_io_uring),
	{ }
};
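Review bot: The `mask` string in `aa_sfs_entry_io_uring` tells userspace which io_uring operations the kernel mediates, but nothing in this section ties its two tokens to the permission bits the commit defines. A comment above the table such as `/* tokens mirror AA_URING_PERM_MASK: sqpoll = AA_MAY_CREATE_SQPOLL, override_creds = AA_MAY_OVERRIDE_CRED */` would keep the two in step when a permission is added later. The enforcement side is not visible on this page, so it is worth confirming that the hooks land together with this entry. A feature file present without them would presumably lead policy tooling to treat io_uring as confined when it is not.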

+1 −1
@@ -59,7 +59,7 @@ static const char *const aa_class_names[] = {
	"module",
	"lsm",
	"namespace",
	"unknown",
	"io_uring",
	"unknown",
	"unknown",
	"unknown",
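Review bot: `aa_class_names` is filled by position, so the new `"io_uring"` entry is right only while its slot equals the value of `AA_CLASS_IO_URING`. The array starts outside this hunk, so the index cannot be checked from here. These names presumably end up in audit records, where a shifted entry would mislabel a denial rather than break the build. Designated initialisers, e.g. `[AA_CLASS_IO_URING] = "io_uring",`, would make the table follow the class definitions.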
+1 −1
@@ -30,10 +30,10 @@
#define AA_CLASS_NET		14
#define AA_CLASS_LABEL		16
#define AA_CLASS_POSIX_MQUEUE	17
#define AA_CLASS_IO_URING	18
#define AA_CLASS_MODULE		19
#define AA_CLASS_DISPLAY_LSM	20
#define AA_CLASS_NS		21
#define AA_CLASS_IO_URING	22

#define AA_CLASS_X		31
#define AA_CLASS_DBUS		32
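Review bot: Two `AA_CLASS_IO_URING` definitions appear in this section (18 and 22) and the rendering has lost the +/- markers. Read together with the class-name table in this commit, the new value appears to be 22, which leaves 18 unassigned with no explanation. Class numbers are presumably shared with the userspace policy compiler, so a later reuse of 18 could make policy built against the old number match a different class. A placeholder comment in the gap, `/* 18 was AA_CLASS_IO_URING, do not reuse */`, would record that.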
+6 −0
@@ -105,6 +105,9 @@ enum audit_type {

#define OP_USERNS_CREATE "userns_create"

#define OP_URING_OVERRIDE "uring_override"
#define OP_URING_SQPOLL "uring_sqpoll"

struct apparmor_audit_data {
	int error;
	int type;
@@ -153,6 +156,9 @@ struct apparmor_audit_data {
			const char *data;
			unsigned long flags;
		} mnt;
		struct {
			struct aa_label *target;
		} uring;
	};

	struct common_audit_data common;
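Review bot: The new `uring` member shares the anonymous union with `mnt` and the other per-class members, and `uring.target` is an undocumented bare `struct aa_label *`. A short comment such as `/* uring: valid only for OP_URING_* records; target is borrowed, caller keeps its reference */` would state when the audit callback may read it and who owns the label. The ownership part is an assumption to confirm against the caller, which is not on this page. The struct begins and ends outside the hunk.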
+3 −0
@@ -48,6 +48,9 @@

#define AA_LINK_SUBSET		AA_MAY_LOCK	/* overlaid */

#define AA_MAY_CREATE_SQPOLL   AA_MAY_CREATE
#define AA_MAY_OVERRIDE_CRED   AA_MAY_APPEND
#define AA_URING_PERM_MASK     (AA_MAY_OVERRIDE_CRED | AA_MAY_CREATE_SQPOLL)

#define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE |		\
			 AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK |	\
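Review bot: `AA_MAY_CREATE_SQPOLL` and `AA_MAY_OVERRIDE_CRED` reuse the `AA_MAY_CREATE` and `AA_MAY_APPEND` bits but, unlike `AA_LINK_SUBSET` just above, carry no `/* overlaid */` marker. Adding one, e.g. `#define AA_MAY_OVERRIDE_CRED   AA_MAY_APPEND	/* overlaid, io_uring class only */`, tells readers the bit means something else outside that class. It is also worth checking that audit output for uring denials names these permissions as sqpoll/override_creds rather than create/append, since a generic permission table would print the aliased names; that code is not visible here. The naming also drifts between `override_creds` in the feature string, `OVERRIDE_CRED` here and `uring_override` as the op name.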