Systemd v254 LSM stacking issue - patch

Message ID	255cd7ad-332c-473f-8059-3258dad287a7@schaufler-ca.com (mailing list archive)
State	Not Applicable
Delegated to:	Paul Moore
Headers	show Received: from sonic306-27.consmr.mail.ne1.yahoo.com (sonic306-27.consmr.mail.ne1.yahoo.com [66.163.189.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBB142C6A3 for <linux-security-module@vger.kernel.org>; Tue, 19 Mar 2024 17:59:04 +0000 (UTC) Message-ID: <255cd7ad-332c-473f-8059-3258dad287a7@schaufler-ca.com> Date: Tue, 19 Mar 2024 10:58:54 -0700 Precedence: bulk MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: LSM List <linux-security-module@vger.kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> Subject: Systemd v254 LSM stacking issue - patch Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit References: <255cd7ad-332c-473f-8059-3258dad287a7.ref@schaufler-ca.com>
Series	Systemd v254 LSM stacking issue - patch \| expand Systemd v254 LSM stacking issue - patch

Message ID

255cd7ad-332c-473f-8059-3258dad287a7@schaufler-ca.com (mailing list archive)

State

Not Applicable

Delegated to:

Paul Moore

Headers

Message-ID: <255cd7ad-332c-473f-8059-3258dad287a7@schaufler-ca.com>
Date: Tue, 19 Mar 2024 10:58:54 -0700
Precedence: bulk
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: LSM List <linux-security-module@vger.kernel.org>
From: Casey Schaufler <casey@schaufler-ca.com>
Subject: Systemd v254 LSM stacking issue - patch
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
References: <255cd7ad-332c-473f-8059-3258dad287a7.ref@schaufler-ca.com>

Series

Systemd v254 LSM stacking issue - patch | expand

Commit Message

Casey Schaufler March 19, 2024, 5:58 p.m. UTC

Systemd version 254 (included in Fedora 39) has an assertion that
only one of Smack and SELinux is active. This can make experimenting
with full LSM stacking frustrating. This patch adds multiple label
operation support and removes the pesky assertion. It's experimental.

---
 src/basic/label.c       | 48 ++++++++++++++++++++++++++++++++++--------------
 src/core/smack-setup.c  |  2 +-
 src/shared/label-util.c |  2 --
 src/shared/smack-util.c |  2 +-
 4 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/src/basic/label.c b/src/basic/label.c
index f134e77589..6827fbbd46 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -5,26 +5,46 @@ 
 
 #include "label.h"
 
-static const LabelOps *label_ops = NULL;
+#define POSSIBLE_LABEL_OPS 2 /* SELinux and Smack */
 
-int label_ops_set(const LabelOps *ops) {
-        if (label_ops)
-                return -EBUSY;
+static const LabelOps *label_ops[POSSIBLE_LABEL_OPS];
 
-        label_ops = ops;
-        return 0;
+int label_ops_set(const LabelOps *ops) {
+        int i;
+
+        for (i = 0; i < POSSIBLE_LABEL_OPS; i++) {
+                if (!label_ops[i]) {
+                        label_ops[i] = ops;
+                        return 0;
+                }
+        }
+        return -EBUSY;
 }
 
 int label_ops_pre(int dir_fd, const char *path, mode_t mode) {
-        if (!label_ops || !label_ops->pre)
-                return 0;
-
-        return label_ops->pre(dir_fd, path, mode);
+        int i;
+        int r;
+
+        for (i = 0; i < POSSIBLE_LABEL_OPS; i++) {
+                if (label_ops[i] && label_ops[i]->pre) {
+                        r = label_ops[i]->pre(dir_fd, path, mode);
+                        if (r)
+                                return r;
+                }
+        }
+        return 0;
 }
 
 int label_ops_post(int dir_fd, const char *path) {
-        if (!label_ops || !label_ops->post)
-                return 0;
-
-        return label_ops->post(dir_fd, path);
+        int i;
+        int r;
+
+        for (i = 0; i < POSSIBLE_LABEL_OPS; i++) {
+                if (label_ops[i] && label_ops[i]->post) {
+                        r = label_ops[i]->post(dir_fd, path);
+                        if (r)
+                                return r;
+                }
+        }
+        return 0;
 }
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index bcaa237c8d..b1dbbbc2e8 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -319,7 +319,7 @@  int mac_smack_setup(bool *loaded_policy) {
         }
 
 #if HAVE_SMACK_RUN_LABEL
-        r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
+        r = write_string_file("/proc/self/attr/smack/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
         if (r < 0)
                 log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
         r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
diff --git a/src/shared/label-util.c b/src/shared/label-util.c
index 3316c9ed37..3154818371 100644
--- a/src/shared/label-util.c
+++ b/src/shared/label-util.c
@@ -120,8 +120,6 @@  int btrfs_subvol_make_label(const char *path) {
 int mac_init(void) {
         int r;
 
-        assert(!(mac_selinux_use() && mac_smack_use()));
-
         r = mac_selinux_init();
         if (r < 0)
                 return r;
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 1f88e724d0..5661428f96 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -112,7 +112,7 @@  int mac_smack_apply_pid(pid_t pid, const char *label) {
         if (!mac_smack_use())
                 return 0;
 
-        p = procfs_file_alloca(pid, "attr/current");
+        p = procfs_file_alloca(pid, "attr/smack/current");
         r = write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER);
         if (r < 0)
                 return r;

Systemd v254 LSM stacking issue - patch

Commit Message

Patch