apparmor: add io_uring mediation

For now, the io_uring mediation is limited to sqpoll and
override_creds.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

3 files changed, 10 insertions, 1 deletions

diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index e2b759f24064..f83934913b0f 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -30,10 +30,10 @@
 #define AA_CLASS_NET		14
 #define AA_CLASS_LABEL		16
 #define AA_CLASS_POSIX_MQUEUE	17
-#define AA_CLASS_IO_URING	18
 #define AA_CLASS_MODULE		19
 #define AA_CLASS_DISPLAY_LSM	20
 #define AA_CLASS_NS		21
+#define AA_CLASS_IO_URING	22
 
 #define AA_CLASS_X		31
 #define AA_CLASS_DBUS		32
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 095707e05b70..acbb03b9bd25 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -105,6 +105,9 @@ enum audit_type {
 
 #define OP_USERNS_CREATE "userns_create"
 
+#define OP_URING_OVERRIDE "uring_override"
+#define OP_URING_SQPOLL "uring_sqpoll"
+
 struct apparmor_audit_data {
 	int error;
 	int type;
@@ -153,6 +156,9 @@ struct apparmor_audit_data {
 			const char *data;
 			unsigned long flags;
 		} mnt;
+		struct {
+			struct aa_label *target;
+		} uring;
 	};
 
 	struct common_audit_data common;
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 83534df8939f..0f7e913c3fc2 100644
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -48,6 +48,9 @@
 
 #define AA_LINK_SUBSET		AA_MAY_LOCK	/* overlaid */
 
+#define AA_MAY_CREATE_SQPOLL   AA_MAY_CREATE
+#define AA_MAY_OVERRIDE_CRED   AA_MAY_APPEND
+#define AA_URING_PERM_MASK     (AA_MAY_OVERRIDE_CRED | AA_MAY_CREATE_SQPOLL)
 
 #define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE |		\
 			 AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK |	\