From patchwork Wed Oct 14 12:41:59 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lukasz Pawelczyk X-Patchwork-Id: 7394361 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id E80819F1B9 for ; Wed, 14 Oct 2015 12:58:58 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id E0D53206DF for ; Wed, 14 Oct 2015 12:58:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BC28A206DD for ; Wed, 14 Oct 2015 12:58:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753563AbbJNM6k (ORCPT ); Wed, 14 Oct 2015 08:58:40 -0400 Received: from mailout2.w1.samsung.com ([210.118.77.12]:51516 "EHLO mailout2.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752228AbbJNMmf (ORCPT ); Wed, 14 Oct 2015 08:42:35 -0400 Received: from eucpsbgm1.samsung.com (unknown [203.254.199.244]) by mailout2.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0NW7000NUNAVDS60@mailout2.w1.samsung.com>; Wed, 14 Oct 2015 13:42:31 +0100 (BST) X-AuditID: cbfec7f4-f79c56d0000012ee-0b-561e4db67ef1 Received: from eusync2.samsung.com ( [203.254.199.212]) by eucpsbgm1.samsung.com (EUCPMTA) with SMTP id 49.C2.04846.6BD4E165; Wed, 14 Oct 2015 13:42:30 +0100 (BST) Received: from amdc2143.DIGITAL.local ([106.120.53.33]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0NW700BB0NAK6E50@eusync2.samsung.com>; Wed, 14 Oct 2015 13:42:30 +0100 (BST) From: Lukasz Pawelczyk To: "David S. Miller" , "Eric W. Biederman" , "Serge E. Hallyn" , Al Viro , Alexey Dobriyan , Andrew Morton , Andy Lutomirski , Calvin Owens , Casey Schaufler , David Howells , Eric Dumazet , Eric Paris , Greg Kroah-Hartman , James Morris , Jann Horn , Jiri Slaby , Joe Perches , John Johansen , Jonathan Corbet , Kees Cook , Lukasz Pawelczyk , Mauro Carvalho Chehab , NeilBrown , Paul Moore , Serge Hallyn , Stephen Smalley , Tejun Heo , Tetsuo Handa , containers@lists.linuxfoundation.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Cc: Lukasz Pawelczyk Subject: [PATCH v4 05/11] smack: extend capability functions and fix 2 checks Date: Wed, 14 Oct 2015 14:41:59 +0200 Message-id: <1444826525-9758-6-git-send-email-l.pawelczyk@samsung.com> X-Mailer: git-send-email 2.4.3 In-reply-to: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com> References: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com> X-Brightmail-Tracker: H4sIAAAAAAAAAzWRa0hTcRjG+2//nR2Xo+O0OlpZLEowNY2Cl6gwAjtYRnRZKEhOPajl1DYv XT4005W3dGlguFnmksoLs2Gi02FuTmfmVBJLQysvZQSmYJSXtC3p2/M+z+/l+fCQXFEv9iIT klJZeZI0UUwIcM9K16B/Y5i3JLD4lQ+UZoaCVl9LgL5iO4w1LhLQs/KMD5Ov7iDQ9mVjmLm1 hGG1MZsPU53jfMj93MuFLJ2egNXvflA4cQZsX6Z4oPk4gcE2ryLgfv0sB97ky+BN8WMOPL79 BEOrqRvDW6OWgNmCcQL6jHU8qPlyFUyPlBg+FJdi0GTP8MDSouNCyaQZgz3zK4a+fjsfFp9a EfT96eIF72TKlHcJRqMcwEzD82EOcy9rhs80l43ymQpDGjPUEs4011VzGEN1LsHYHixhpq28 ls8s/S5BjK6whMfMTY04PoscfO/PiNNbIwSHYtnEhHRWvvdIlCDe+r4Ip2h8r1pNHViJ2sV5 iCRpaj+9UHUzD7k45Ca6f0xP5CEBKaKqEL1sa+KvHZkc2joyyXNSBBVI/+o3cZ2BB6UW0Nnq QcIZcCkfukqThZ3anQqjy16rsLMBU7vohfwTTltIhdDdegt3rc2btuvn/yEu1HG6QXXYaYsc SJt6FKuRsAKtq0Yb2bSYFEV0nCwoQCGVKdKS4gJikmUGtDbyfBPSdR40I4pEYldhfM02iYgn TVdck5kRTXLFHsLlQG+JSBgrvXadlSdflKclsgoz2kJi8WZhufHHOREVJ01lL7NsCiv/n3JI Fy8lChh66el/oN4eOd3uW5VT+W69paajNrkiNkTkZ9zwML/dIKP9pnfvWIgKlmR+O3/DaCFD 3aS2yjl7pdu4j+lkh+tEZMHpiJK5TyGrT0/BbOHw2SLhC/fos3v2Xsg4b903kGP1rGxJ31Gg HAzM0HqFXmm9d1/nfiw8ao/qqGXzup5LYqyIlwb5cuUK6V+oce1A4AIAAA== Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch extends smack capability functions to a full list to those equivalent in the kernel has_ns_capability -> smack_has_ns_privilege has_capability -> smack_has_privilege ns_capable -> smack_ns_privileged capable -> smack_privileged It also puts the smack related part to a common function: smack_capability_allowed() Those functions will be needed for capability checks in the upcoming Smack namespace patches. Additionally there were 2 smack capability checks that used generic capability functions instead of specific Smack ones effectively ignoring the onlycap rule. This has been fixed now with the introduction of those new functions. This has implications on the Smack namespace as well as the additional Smack checks in smack_capability_allowed() will be extended beyond the onlycap rule. Not using Smack specific checks in those 2 places could mean breaking the Smack label namespace separation. Signed-off-by: Lukasz Pawelczyk Reviewed-by: Casey Schaufler Acked-by: Serge Hallyn Acked-by: Casey Schaufler --- security/smack/smack.h | 5 ++++ security/smack/smack_access.c | 64 +++++++++++++++++++++++++++++++++++++++---- security/smack/smack_lsm.c | 4 +-- 3 files changed, 65 insertions(+), 8 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index fff0c61..ca8fb7c 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -300,6 +300,11 @@ int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int); struct smack_known *smk_import_entry(const char *, int); void smk_insert_entry(struct smack_known *skp); struct smack_known *smk_find_entry(const char *); +int smack_has_ns_privilege(struct task_struct *task, + struct user_namespace *user_ns, + int cap); +int smack_has_privilege(struct task_struct *task, int cap); +int smack_ns_privileged(struct user_namespace *user_ns, int cap); int smack_privileged(int cap); /* diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index bc1053f..72f848e 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -629,14 +629,16 @@ LIST_HEAD(smack_onlycap_list); DEFINE_MUTEX(smack_onlycap_lock); /* - * Is the task privileged and allowed to be privileged - * by the onlycap rule. + * Internal smack capability check complimentary to the + * set of kernel capable() and has_capability() functions * - * Returns 1 if the task is allowed to be privileged, 0 if it's not. + * For a capability in smack related checks to be effective it needs to: + * - be allowed to be privileged by the onlycap rule. + * - be in the initial user ns */ -int smack_privileged(int cap) +static int smack_capability_allowed(struct smack_known *skp, + struct user_namespace *user_ns) { - struct smack_known *skp = smk_of_current(); struct smack_onlycap *sop; /* @@ -645,7 +647,7 @@ int smack_privileged(int cap) if (unlikely(current->flags & PF_KTHREAD)) return 1; - if (!capable(cap)) + if (user_ns != &init_user_ns) return 0; rcu_read_lock(); @@ -664,3 +666,53 @@ int smack_privileged(int cap) return 0; } + +/* + * Is the task privileged in a namespace and allowed to be privileged + * by additional smack rules. + */ +int smack_has_ns_privilege(struct task_struct *task, + struct user_namespace *user_ns, + int cap) +{ + struct smack_known *skp = smk_of_task_struct(task); + + if (!has_ns_capability(task, user_ns, cap)) + return 0; + if (smack_capability_allowed(skp, user_ns)) + return 1; + return 0; +} + +/* + * Is the task privileged and allowed to be privileged + * by additional smack rules. + */ +int smack_has_privilege(struct task_struct *task, int cap) +{ + return smack_has_ns_privilege(task, &init_user_ns, cap); +} + +/* + * Is the current task privileged in a namespace and allowed to be privileged + * by additional smack rules. + */ +int smack_ns_privileged(struct user_namespace *user_ns, int cap) +{ + struct smack_known *skp = smk_of_current(); + + if (!ns_capable(user_ns, cap)) + return 0; + if (smack_capability_allowed(skp, user_ns)) + return 1; + return 0; +} + +/* + * Is the current task privileged and allowed to be privileged + * by additional smack rules. + */ +int smack_privileged(int cap) +{ + return smack_ns_privileged(&init_user_ns, cap); +} diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c439370..198d3d6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -413,7 +413,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, rc = 0; else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) rc = -EACCES; - else if (capable(CAP_SYS_PTRACE)) + else if (smack_has_privilege(tracer, CAP_SYS_PTRACE)) rc = 0; else rc = -EACCES; @@ -1809,7 +1809,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, skp = file->f_security; rc = smk_access(skp, tkp, MAY_WRITE, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); - if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) + if (rc != 0 && smack_has_privilege(tsk, CAP_MAC_OVERRIDE)) rc = 0; smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);