From patchwork Mon Jan 8 18:25:32 2018
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10150273
To: José Bollo, "SMACK-discuss@lists.01.org", LSM
Cc: Casey Schaufler
From: Casey Schaufler
Subject: Smack: Privilege check on key operations
Message-ID: <5ca74818-5aca-b10c-3bf5-90b3efa29539@schaufler-ca.com>
Date: Mon, 8 Jan 2018 10:25:32 -0800

Operations on key objects are subjected to Smack policy even if the process is privileged. This is inconsistent with the general behavior of Smack and may cause issues with authentication by privileged daemons. This patch allows processes with CAP_MAC_OVERRIDE to access keys even if the Smack rules indicate otherwise.

Reported-by: Jose Bollo
Signed-off-by: Casey Schaufler
---
 security/smack/smack.h        |  1 +
 security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
 security/smack/smack_lsm.c    |  4 ++++
 3 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/security/smack/smack.h b/security/smack/smack.h index 6a71fc7..f7db791 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); void smk_insert_entry(struct smack_known *skp); struct smack_known *smk_find_entry(const char *); bool smack_privileged(int cap); +bool smack_privileged_cred(int cap, const struct cred *cred); void smk_destroy_label_list(struct list_head *list); /* diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 1a30041..141ffac 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c
@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) LIST_HEAD(smack_onlycap_list); DEFINE_MUTEX(smack_onlycap_lock); -/* +/** + * smack_privileged_cred - are all privilege requirements met by cred + * @cap: The requested capability + * @cred: the credential to use + * * Is the task privileged and allowed to be privileged * by the onlycap rule. * * Returns true if the task is allowed to be privileged, false if it's not. */ -bool smack_privileged(int cap) +bool smack_privileged_cred(int cap, const struct cred *cred) { - struct smack_known *skp = smk_of_current(); + struct task_smack *tsp = cred->security; + struct smack_known *skp = tsp->smk_task; struct smack_known_list_elem *sklep; int rc; - /* - * All kernel tasks are privileged - */ - if (unlikely(current->flags & PF_KTHREAD)) - return true; - - rc = cap_capable(current_cred(), &init_user_ns, cap, - SECURITY_CAP_AUDIT); + rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT); if (rc) return false; @@ -662,3 +660,23 @@ bool smack_privileged(int cap) return false; } + +/** + * smack_privileged - are all privilege requirements met + * @cap: The requested capability + * + * Is the task privileged and allowed to be privileged + * by the onlycap rule. + * + * Returns true if the task is allowed to be privileged, false if it's not. + */ +bool smack_privileged(int cap) +{ + /* + * All kernel tasks are privileged + */ + if (unlikely(current->flags & PF_KTHREAD)) + return true; + + return smack_privileged_cred(cap, current_cred()); +} diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 30f2c3d..03fdecb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, */ if (tkp == NULL) return -EACCES; + + if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) + return 0; + #ifdef CONFIG_AUDIT smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); ad.a.u.key_struct.key = keyp->serial;
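Review bot: the new prototype `+bool smack_privileged_cred(int cap, const struct cred *cred);` in the smack.h hunk depends on `struct cred` already being declared when this header is parsed; nothing in the hunk shows an include of <linux/cred.h>, so either confirm one is already present in smack.h or add a forward declaration `struct cred;` next to the other prototypes so the header stays self-contained.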
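Review bot: in the first smack_access.c hunk the kerneldoc for `smack_privileged_cred()` still reads "Is the task privileged and allowed to be privileged by the onlycap rule", but the function now judges whatever `@cred` it is handed rather than `current`; reword it to talk about the credential. The same comment should also state that the `PF_KTHREAD` shortcut deliberately stays out of this variant (it was moved to the `smack_privileged()` wrapper in the following hunk), so a caller that passes a kernel thread's cred gets a plain `cap_capable()` plus onlycap decision and no automatic pass.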
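Review bot: in the smack_lsm.c hunk the new `if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) return 0;` sits after `if (tkp == NULL) return -EACCES;`, so a privileged credential that carries no Smack label is still refused before its privilege is ever considered; if that is the intent (unlabeled creds are never trusted, privileged or not), a one-line comment would make it clear, otherwise the call belongs above the NULL check. The early `return 0` also skips the `CONFIG_AUDIT` setup that follows, so an override of a rule that would otherwise deny leaves no audit record; since the commit message motivates the change with authentication by privileged daemons, confirm that an unaudited override is acceptable here, and note that `cred` is assumed to be the hook's `const struct cred *` parameter, which is not visible in this hunk.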