Hi John,

I noticed that AppArmor implements two of the three io_uring LSM hooks but not the third:

- security_uring_sqpoll -> apparmor_uring_sqpoll (implemented)
- security_uring_override_creds -> apparmor_uring_override_creds (implemented)
- security_uring_cmd -> (not implemented)

SELinux implements all three, including uring_cmd (selinux_uring_cmd, added August 2022).

The missing uring_cmd hook means that URING_CMD operations (used by ublk, NVMe passthrough, and the upcoming fuse-io-uring) are not mediated by AppArmor. On Ubuntu/Debian systems, these operations go through with no LSM check at all.

I ran into this while testing ublk in container environments. A privileged container can create block devices via URING_CMD on /dev/ublk-control, and AppArmor profiles that restrict device access do not cover URING_CMD operations on already-open file descriptors.

For context, I previously discussed the SQPOLL credential caching behavior with Jens Axboe, who confirmed it is by design and pointed to the LSM hooks as the correct enforcement point. Since AppArmor already handles sqpoll and credential override, adding uring_cmd seems like a natural extension.

Is there a reason uring_cmd was left out when the other two hooks were added, or is this just something that hasn't been gotten to yet?

I am writing a paper analyzing ublk security in containers and want to accurately describe AppArmor's coverage. Any information about plans for uring_cmd support would help me get the paper right.

Thanks.

Best regards,
Sang-Hoon Choi

--
Sang-Hoon Choi, Ph.D.
Research Professor
SysCore Lab, Sejong University
Email: [email protected], [email protected]
Phone: +82-10-9089-0052
Website: https://koreasecurity.github.io
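A quick way to verify the hook coverage described above against a specific kernel tree, added here as an example that is not part of the message or of AppArmor itself: it scans the LSM_HOOK_INIT(...) entries of an LSM's lsm.c and reports which of the three io_uring hooks are left unmediated. The embedded excerpts are constructed to mirror the coverage the message describes, not copied from the kernel; handler names other than those the message quotes (apparmor_uring_sqpoll, apparmor_uring_override_creds, selinux_uring_cmd) are assumed.

```python
import re

# The three io_uring LSM hooks discussed in the message above.
URING_HOOKS = ("uring_override_creds", "uring_sqpoll", "uring_cmd")

# Matches entries of an LSM's hook table in lsm.c, e.g.
#   LSM_HOOK_INIT(uring_sqpoll, apparmor_uring_sqpoll),
HOOK_INIT_RE = re.compile(r"LSM_HOOK_INIT\(\s*(\w+)\s*,\s*(\w+)\s*\)")


def registered_hooks(lsm_source: str) -> dict:
    """Map hook name -> handler function for every LSM_HOOK_INIT entry."""
    return {hook: fn for hook, fn in HOOK_INIT_RE.findall(lsm_source)}


def uring_coverage(lsm_source: str) -> dict:
    """For each io_uring hook, the registered handler, or None if not registered."""
    hooks = registered_hooks(lsm_source)
    return {h: hooks.get(h) for h in URING_HOOKS}


def unmediated_uring_hooks(lsm_source: str) -> list:
    """io_uring hooks for which the LSM registers no handler (no check applied)."""
    return [h for h, fn in uring_coverage(lsm_source).items() if fn is None]


# Constructed excerpts mirroring the coverage described in the message;
# the handler names other than those quoted there are assumed.
APPARMOR_LSM_C = """
static struct security_hook_list apparmor_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
	LSM_HOOK_INIT(uring_override_creds, apparmor_uring_override_creds),
	LSM_HOOK_INIT(uring_sqpoll, apparmor_uring_sqpoll),
};
"""

SELINUX_LSM_C = """
static struct security_hook_list selinux_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
	LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
	LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
};
"""

if __name__ == "__main__":
    for name, src in (("AppArmor", APPARMOR_LSM_C), ("SELinux", SELINUX_LSM_C)):
        gaps = unmediated_uring_hooks(src)
        print(f"{name}: unmediated io_uring hooks = {gaps or 'none'}")
```

To check a real tree, pass the contents of security/apparmor/lsm.c (or security/selinux/hooks.c) to unmediated_uring_hooks() instead of the constructed excerpts.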
