RE: [PATCH] Smack: replace capable() with ns_capable()

From: Sungbae Yoo
Date: Sun Jul 26 2015 - 21:27:10 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH v2] power: max17042_battery: add HEALTH and TEMP_* properties support"
Previous message: Dongsheng Yang: "Re: [PATCH] ubifs: Kill unneeded locking in ubifs_init_security"
In reply to: Casey Schaufler: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Next in thread: Lukasz Pawelczyk: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

So, Do you agree to allow the process to change its own labels?

Now, init process(eg. systemd) can't be running in user namespace properly
because it can't be assign smack label to service.

If you agree, I'll upload another patch limited to this.

-----Original Message-----
From: Lukasz Pawelczyk [mailto:l.pawelczyk@xxxxxxxxxxx]
Sent: Friday, July 24, 2015 8:41 PM
To: Sungbae Yoo; Casey Schaufler
Cc: James Morris; Serge E. Hallyn; linux-security-module@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()

On piÄ, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> If current task has capabilities, Smack operations (eg. Changing own
> smack
> label) should be available even inside of namespace.
>
> Signed-off-by: Sungbae Yoo <sungbae.yoo@xxxxxxxxxxx>
>
> diff --git a/security/smack/smack_access.c
> b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> struct smack_known *skp = smk_of_current();
> struct smack_onlycap *sop;
>
> - if (!capable(cap))
> + if (!ns_capable(current_user_ns(), cap))
> return 0;

It's not that easy.

With this change Smack becomes completely insecure. You can change rules as an unprivileged user without any problems now.
What you want is Smack namespace that was made to remedy exactly this issue (e.g. changing own labels inside a namespace).

>
> rcu_read_lock();
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a143328..7fdc3dd 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> task_struct *tracer,
> rc = 0;
> else if (smack_ptrace_rule ==
> SMACK_PTRACE_DRACONIAN)
> rc = -EACCES;
> - else if (capable(CAP_SYS_PTRACE))
> + else if (ns_capable(__task_cred(tracer)->user_ns,
> + CAP_SYS_PTRACE))
> rc = 0;
> else
> rc = -EACCES;
--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Krzysztof Kozlowski: "Re: [PATCH v2] power: max17042_battery: add HEALTH and TEMP_* properties support"
Previous message: Dongsheng Yang: "Re: [PATCH] ubifs: Kill unneeded locking in ubifs_init_security"
In reply to: Casey Schaufler: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Next in thread: Lukasz Pawelczyk: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]