From: Seth Forshee
To: "Eric W. Biederman", Casey Schaufler
Cc: Alexander Viro, Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v2 7/7] Smack: Handle labels consistently in untrusted mounts
Date: Tue, 13 Oct 2015 12:04:20 -0500
Message-Id: <1444755861-54997-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com>
References: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com>
X-Patchwork-Id: 7386951

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentially problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time. For SMACK64 and SMACK64MMAP access is denied if the label does not match smk_root. To be consistent with suid, a SMACK64EXEC label which does not match smk_root will still allow execution of the file but will not run with the label supplied in the xattr.

Signed-off-by: Seth Forshee --- security/smack/smack_lsm.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 621200f86b56..bee0b2652bf4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -891,6 +891,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = file_inode(bprm->file); struct task_smack *bsp = bprm->cred->security; struct inode_smack *isp; + struct superblock_smack *sbsp; int rc; if (bprm->cred_prepared) @@ -900,6 +901,10 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; + sbsp = inode->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && isp->smk_task != sbsp->smk_root) + return 0; + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { struct task_struct *tracer; rc = 0; @@ -1703,6 +1708,7 @@ static int smack_mmap_file(struct file *file, struct task_smack *tsp; struct smack_known *okp; struct inode_smack *isp; + struct superblock_smack *sbsp; int may; int mmay; int tmay; @@ -1714,6 +1720,10 @@ static int smack_mmap_file(struct file *file, isp = file_inode(file)->i_security; if (isp->smk_mmap == NULL) return 0; + sbsp = file_inode(file)->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && + isp->smk_mmap != sbsp->smk_root) + return -EACCES; mkp = isp->smk_mmap; tsp = current_security(); 
@@ -3492,16 +3502,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; - } + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
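
Review bot: in the smack_bprm_set_creds hunk, the new early `return 0` for an untrusted superblock has no comment, so a reader of the code alone cannot tell that letting the exec proceed without the xattr label (rather than refusing it) is deliberate. A short comment above the test saying that this mirrors suid handling on untrusted mounts would keep the reasoning next to the check. Parenthesising the flag test as `(sbsp->smk_flags & SMK_SB_UNTRUSTED) && ...` would also match the style of the guard this patch removes from smack_d_instantiate.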
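
Review bot: in the smack_mmap_file hunk, the untrusted-mount test returns -EACCES while the equivalent test in smack_bprm_set_creds returns 0, and nothing in the code explains the difference. The commit message does (mmap is denied, exec continues without the label), so a one-line comment above `isp->smk_mmap != sbsp->smk_root` stating that a non-root SMACK64MMAP label on an untrusted mount is refused would stop a later cleanup from "harmonising" the two return values.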
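
Review bot: in the smack_d_instantiate hunk, removing the `!(sbsp->smk_flags & SMK_SB_UNTRUSTED)` guard means isp->smk_task is now filled from the on-disk SMACK64EXEC xattr on untrusted mounts as well, so correctness depends on every reader of isp->smk_task and isp->smk_mmap comparing against sbsp->smk_root at use time. This patch adds that comparison only in smack_bprm_set_creds and smack_mmap_file; please confirm there are no other readers of these fields, or list them in the commit message. The retained comment still mentions only "*" and "@" and should also note that labels from untrusted mounts are checked at use time.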