From patchwork Tue Nov 17 16:39:10 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7639261
From: Seth Forshee
To: "Eric W. Biederman", Casey Schaufler
Cc: Alexander Viro, Serge Hallyn, Andy Lutomirski, linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v3 7/7] Smack: Handle labels consistently in untrusted mounts
Date: Tue, 17 Nov 2015 10:39:10 -0600
Message-Id: <1447778351-118699-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com>
References: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com>

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentially problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time.

For SMACK64 and SMACK64MMAP access is denied if the label does not match smk_root. To be consistent with suid, a SMACK64EXEC label which does not match smk_root will still allow execution of the file but will not run with the label supplied in the xattr.

Signed-off-by: Seth Forshee
Acked-by: Casey Schaufler
---
 security/smack/smack_lsm.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 621200f86b56..9b7ff781df9a 100644
--- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -891,6 +891,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = file_inode(bprm->file); struct task_smack *bsp = bprm->cred->security; struct inode_smack *isp; + struct superblock_smack *sbsp; int rc; if (bprm->cred_prepared) @@ -900,6 +901,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; + sbsp = inode->i_sb->s_security; + if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && + isp->smk_task != sbsp->smk_root) + return 0; + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { struct task_struct *tracer; rc = 0; @@ -1703,6 +1709,7 @@ static int smack_mmap_file(struct file *file, struct task_smack *tsp; struct smack_known *okp; struct inode_smack *isp; + struct superblock_smack *sbsp; int may; int mmay; int tmay; @@ -1714,6 +1721,10 @@ static int smack_mmap_file(struct file *file, isp = file_inode(file)->i_security; if (isp->smk_mmap == NULL) return 0; + sbsp = file_inode(file)->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && + isp->smk_mmap != sbsp->smk_root) + return -EACCES; mkp = isp->smk_mmap; tsp = current_security(); @@ -3492,16 +3503,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; - } + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
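
Review bot: The early `return 0` added to smack_bprm_set_creds (hunk at -900), taken when `SMK_SB_UNTRUSTED` is set and `isp->smk_task != sbsp->smk_root`, has no comment, and a bare success return in a credential hook reads like an oversight rather than a policy decision. The commit message gives the rationale (consistent with suid: the file still executes, but not with the label from the xattr); a short comment above the `if` stating that would keep it next to the code. It is also worth saying there that the return deliberately comes before the `LSM_UNSAFE_PTRACE` block, since no label transition happens on this path.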
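
Review bot: In the smack_mmap_file hunk (at -1714) the flag test is written `sbsp->smk_flags & SMK_SB_UNTRUSTED &&` without parentheses, while the same test in smack_bprm_set_creds is `(sbsp->smk_flags & SMK_SB_UNTRUSTED) &&`. Precedence makes both correct, but the two checks should be written the same way; please add the parentheses here. The new block also follows `return 0;` with no blank line and no comment, unlike the bprm hunk. Separately, the `return -EACCES` is taken before `mkp` and `tsp` are set up, so nothing in the visible lines records why the mmap was refused; if a denial on an untrusted mount should be auditable, that needs to be added at this return.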
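
Review bot: In the smack_d_instantiate hunk (at -3492), dropping the `!(sbsp->smk_flags & SMK_SB_UNTRUSTED)` guard means `isp->smk_task` is now populated from the on-disk SMACK64EXEC xattr on untrusted mounts, but the retained comment still only mentions the "*" and "@" restriction. From this point on the label is safe only because each consumer compares it with `sbsp->smk_root` at use time; this patch adds that comparison in smack_bprm_set_creds, and any other reader of `isp->smk_task` would need the same check. Please extend the comment to say that the exec and mmap labels are loaded unconditionally and validated where they are used, so a later reader of `smk_task` or `smk_mmap` does not assume the value was vetted at instantiate time.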