[apparmor] AppArmor io_uring: uring_sqpoll implemented but uring_cmd is missing

Sang-Hoon Choi csh0052 at gmail.com
Mon Mar 16 05:48:29 UTC 2026


Hi John,

I noticed that AppArmor implements two of the three io_uring LSM
hooks but not the third:

  security_uring_sqpoll         -> apparmor_uring_sqpoll         (implemented)
  security_uring_override_creds -> apparmor_uring_override_creds (implemented)
  security_uring_cmd            -> (not implemented)

SELinux implements all three, including uring_cmd (selinux_uring_cmd,
added August 2022).

The missing uring_cmd hook means that URING_CMD operations (used by
ublk, NVMe passthrough, and the upcoming fuse-io-uring) are not
mediated by AppArmor. On Ubuntu/Debian systems, these operations go
through with no LSM check at all.

I ran into this while testing ublk in container environments. A
privileged container can create block devices via URING_CMD on
/dev/ublk-control, and AppArmor profiles that restrict device access
do not cover URING_CMD operations on already-open file descriptors.

For context, I previously discussed the SQPOLL credential caching
behavior with Jens Axboe, who confirmed it is by design and pointed
to the LSM hooks as the correct enforcement point. Since AppArmor
already handles sqpoll and credential override, adding uring_cmd
seems like a natural extension.

Is there a reason uring_cmd was left out when the other two hooks
were added, or is this just something that hasn't been gotten to yet?

I am writing a paper analyzing ublk security in containers and want
to accurately describe AppArmor's coverage. Any information about
plans for uring_cmd support would help me get the paper right.

Thanks.

Best regards
Sang-Hoon Choi

-- 
Sang-Hoon Choi, Ph.D.
Research Professor
SysCore Lab, Sejong University

Email: csh0052 at gmail.com, security at sju.ac.kr
Phone: +82-10-9089-0052
Website: https://koreasecurity.github.io