io_uring,lsm,selinux: add LSM hooks for io_uring_setup()

It is desirable to allow LSM to configure accessibility to io_uring because it is a coarse yet very simple way to restrict access to it. So, add an LSM for io_uring_allowed() to guard access to io_uring. Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> Acked-by: Jens Axboe <axboe@kernel.dk> [PM: merge fuzz due to changes in preceding patches, subj tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> 2025-01-27 10:57:18 -0500
committer: Paul Moore <paul@paul-moore.com> 2025-02-07 17:17:49 -0500
commit: c6ad9fdbd44b78f51fa50138247694774ab99e97 (patch)
tree: e28a1056a83be8177af5db7c75959d431267bd1c /security/selinux/include/classmap.h
parent: b8a468e0b0604a10e72ab7f55af0f931aac1d477 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 03e82477dce9..8a8f3908aac8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = {
 	{ "perf_event",
 	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
 	{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
-	{ "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+	{ "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
 	{ "user_namespace", { "create", NULL } },
 	/* last one */ { NULL, {} }
 };
author	Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>	2025-01-27 10:57:18 -0500
committer	Paul Moore <paul@paul-moore.com>	2025-02-07 17:17:49 -0500
commit	c6ad9fdbd44b78f51fa50138247694774ab99e97 (patch)
tree	e28a1056a83be8177af5db7c75959d431267bd1c /security/selinux/include/classmap.h
parent	b8a468e0b0604a10e72ab7f55af0f931aac1d477 (diff)