From patchwork Fri Jul 24 10:04:39 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lukasz Pawelczyk X-Patchwork-Id: 6858991 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id EF4939F380 for ; Fri, 24 Jul 2015 10:08:47 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id EB7282063D for ; Fri, 24 Jul 2015 10:08:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C119520631 for ; Fri, 24 Jul 2015 10:08:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752638AbbGXKIn (ORCPT ); Fri, 24 Jul 2015 06:08:43 -0400 Received: from mailout3.w1.samsung.com ([210.118.77.13]:38671 "EHLO mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752428AbbGXKFb (ORCPT ); Fri, 24 Jul 2015 06:05:31 -0400 Received: from eucpsbgm1.samsung.com (unknown [203.254.199.244]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0NRZ007EYLD5EN90@mailout3.w1.samsung.com>; Fri, 24 Jul 2015 11:05:29 +0100 (BST) X-AuditID: cbfec7f4-f79c56d0000012ee-86-55b20de966e5 Received: from eusync2.samsung.com ( [203.254.199.212]) by eucpsbgm1.samsung.com (EUCPMTA) with SMTP id 7B.FE.04846.9ED02B55; Fri, 24 Jul 2015 11:05:29 +0100 (BST) Received: from amdc2143.DIGITAL.local ([106.120.53.33]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0NRZ00EPNLC23A60@eusync2.samsung.com>; Fri, 24 Jul 2015 11:05:29 +0100 (BST) From: Lukasz Pawelczyk To: "Eric W. Biederman" , "Serge E. Hallyn" , Al Viro , Alexey Dobriyan , Andrew Morton , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , David Howells , Eric Dumazet , Eric Paris , Fabian Frederick , Greg KH , James Morris , Jiri Slaby , Joe Perches , John Johansen , Jonathan Corbet , Kees Cook , Lukasz Pawelczyk , Mauro Carvalho Chehab , NeilBrown , Oleg Nesterov , Paul Moore , Stephen Smalley , Tetsuo Handa , Zefan Li , linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Cc: havner@gmail.com Subject: [PATCH v3 05/11] smack: extend capability functions and fix 2 checks Date: Fri, 24 Jul 2015 12:04:39 +0200 Message-id: <1437732285-11524-6-git-send-email-l.pawelczyk@samsung.com> X-Mailer: git-send-email 2.4.3 In-reply-to: <1437732285-11524-1-git-send-email-l.pawelczyk@samsung.com> References: <1437732285-11524-1-git-send-email-l.pawelczyk@samsung.com> X-Brightmail-Tracker: H4sIAAAAAAAAAzWRa0hTYRjHe7d35xxHq+PUOhlJDSIzM6OMhwiJCHsJosiEDCqXHpbkVDYX zkBmatostZloXugyhfLC1DIzlWrFVLxN0j4kKd4T07IsL3Pa1ujLw//5/37wfHgYodSCvZno 2AReFSuPkVFi3LHa2rd3SlIXFpi6SENBykkoMVVRYDdYaBh8uUzB2NsMBLM3bRjWXqbRMG4Z oeH2cJcQ9LYlClKNJgrWpv0he/QsFA+NYmibT6fgfs0PAXRmKaHT8FgAj2+VYWhuacfw8XUJ BT/ujFBgyLxLQ2W1TgSVE4nQ8lCHof5NOoIBQwGG4rRZEbxvMgohb8yMocfaTUOPvVV0dAcZ +mbHxLZsQKRId5cixbpeTBqLvtDkUZ2GfGoKJ2kfZkSksbpCQNoKbZi8Ka2iiTE7T0Tmxj9j 8iLHoXb9vkCqW76iM1sviI9E8THR13nVvuAI8VVd5wyOn/VNLM1Mp3SofoceuTEce5B7l5ku cOVNnHXQROmRmJGy5YgzGwwi15Ii4PIbUv5ZFBvILVhbhE7gyda7cbk11cgJhKwntzI7R+sR w3iwpzjjyHZnjdmd3HiVHTuzhD3BNX4opFzXfLhu0/y/3o0lXMfHn7QzSx1OVlEJnYskj9C6 CuTFayLj1VcUyv0BarlSrYlVBETGKeuQ67vzr5DRctiMWAbJ1kveGmrDpCL5dbVWaUYcI5R5 StZZHJUkSq5N4lVxl1WaGF5tRlsZLNssKX39/ZyUVcgT+Gs8H8+r/lMB4+atc8w9U/Ytg5Mn dk+Gqx4wB7vKcjadV/AN7aHylfzp0/4XUXNH8hdtQFiYeWGDNWi179kZn7Um08R0xqttT7mQ 0Be+Bb21Uf33Vj2Om2sOHNNsnzs0xg/0x5uX/H65JzWGPN9Y73u63Cv4Z/LFG71B7s1PhnBE BoHU4T+XmHztrkUZVl+V7/cTqtTyv+c1PbDZAgAA Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Spam-Status: No, score=-8.1 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch extends smack capability functions to a full list to those equivalent in the kernel has_ns_capability -> smack_has_ns_privilege has_capability -> smack_has_privilege ns_capable -> smack_ns_privileged capable -> smack_privileged It also puts the smack related part to a common function: smack_capability_allowed() Those functions will be needed for capability checks in the upcoming Smack namespace patches. Additionally there were 2 smack capability checks that used generic capability functions instead of specific Smack ones effectively ignoring the onlycap rule. This has been fixed now with the introduction of those new functions. This has implications on the Smack namespace as well as the additional Smack checks in smack_capability_allowed() will be extended beyond the onlycap rule. Not using Smack specific checks in those 2 places could mean breaking the Smack label namespace separation. Signed-off-by: Lukasz Pawelczyk Reviewed-by: Casey Schaufler Acked-by: Serge Hallyn --- security/smack/smack.h | 5 ++++ security/smack/smack_access.c | 64 +++++++++++++++++++++++++++++++++++++++---- security/smack/smack_lsm.c | 4 +-- 3 files changed, 65 insertions(+), 8 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 69ab9eb..e11cc13 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -272,6 +272,11 @@ int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int); struct smack_known *smk_import_entry(const char *, int); void smk_insert_entry(struct smack_known *skp); struct smack_known *smk_find_entry(const char *); +int smack_has_ns_privilege(struct task_struct *task, + struct user_namespace *user_ns, + int cap); +int smack_has_privilege(struct task_struct *task, int cap); +int smack_ns_privileged(struct user_namespace *user_ns, int cap); int smack_privileged(int cap); /* diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 00f6b38..188b354 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -629,17 +629,19 @@ LIST_HEAD(smack_onlycap_list); DEFINE_MUTEX(smack_onlycap_lock); /* - * Is the task privileged and allowed to be privileged - * by the onlycap rule. + * Internal smack capability check complimentary to the + * set of kernel capable() and has_capability() functions * - * Returns 1 if the task is allowed to be privileged, 0 if it's not. + * For a capability in smack related checks to be effective it needs to: + * - be allowed to be privileged by the onlycap rule. + * - be in the initial user ns */ -int smack_privileged(int cap) +static int smack_capability_allowed(struct smack_known *skp, + struct user_namespace *user_ns) { - struct smack_known *skp = smk_of_current(); struct smack_onlycap *sop; - if (!capable(cap)) + if (user_ns != &init_user_ns) return 0; rcu_read_lock(); @@ -658,3 +660,53 @@ int smack_privileged(int cap) return 0; } + +/* + * Is the task privileged in a namespace and allowed to be privileged + * by additional smack rules. + */ +int smack_has_ns_privilege(struct task_struct *task, + struct user_namespace *user_ns, + int cap) +{ + struct smack_known *skp = smk_of_task_struct(task); + + if (!has_ns_capability(task, user_ns, cap)) + return 0; + if (smack_capability_allowed(skp, user_ns)) + return 1; + return 0; +} + +/* + * Is the task privileged and allowed to be privileged + * by additional smack rules. + */ +int smack_has_privilege(struct task_struct *task, int cap) +{ + return smack_has_ns_privilege(task, &init_user_ns, cap); +} + +/* + * Is the current task privileged in a namespace and allowed to be privileged + * by additional smack rules. + */ +int smack_ns_privileged(struct user_namespace *user_ns, int cap) +{ + struct smack_known *skp = smk_of_current(); + + if (!ns_capable(user_ns, cap)) + return 0; + if (smack_capability_allowed(skp, user_ns)) + return 1; + return 0; +} + +/* + * Is the current task privileged and allowed to be privileged + * by additional smack rules. + */ +int smack_privileged(int cap) +{ + return smack_ns_privileged(&init_user_ns, cap); +} diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index cdcabf4..6098518 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -413,7 +413,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, rc = 0; else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) rc = -EACCES; - else if (capable(CAP_SYS_PTRACE)) + else if (smack_has_privilege(tracer, CAP_SYS_PTRACE)) rc = 0; else rc = -EACCES; @@ -1805,7 +1805,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, skp = file->f_security; rc = smk_access(skp, tkp, MAY_WRITE, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); - if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) + if (rc != 0 && smack_has_privilege(tsk, CAP_MAC_OVERRIDE)) rc = 0; smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);