From patchwork Wed Apr 6 15:57:01 2016
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 8763601
Message-ID: <1459958221.7680.2.camel@gmail.com>
Subject: [RFC][PATCH] selinux: distinguish non-init user namespace capability checks
From: Stephen Smalley
To: selinux
Cc: Stephen Smalley
Date: Wed, 06 Apr 2016 08:57:01 -0700
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

Distinguish capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This is needed to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace.

Signed-off-by: Stephen Smalley
---
 security/selinux/hooks.c            | 14 +++++++-------
 security/selinux/include/classmap.h | 28 ++++++++++++++++++----------
 2 files changed, 25 insertions(+), 17 deletions(-)

-- 
2.8.0

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fce7dc8..a9ca5ee 100644
--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1622,7 +1622,7 @@ static int current_has_perm(const struct task_struct *tsk,    /* Check whether a task is allowed to use a capability. */  static int cred_has_capability(const struct cred *cred, -        int cap, int audit) +        int cap, int audit, bool initns)  {   struct common_audit_data ad;   struct av_decision avd; @@ -1636,10 +1636,10 @@ static int cred_has_capability(const struct cred *cred,     switch (CAP_TO_INDEX(cap)) {   case 0: - sclass = SECCLASS_CAPABILITY; + sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;   break;   case 1: - sclass = SECCLASS_CAPABILITY2; + sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;   break;   default:   printk(KERN_ERR @@ -2142,7 +2142,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,  static int selinux_capable(const struct cred *cred, struct user_namespace *ns,      int cap, int audit)  { - return cred_has_capability(cred, cap, audit); + return cred_has_capability(cred, cap, audit, ns == &init_user_ns);  }    static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) @@ -2220,7 +2220,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)   int rc, cap_sys_admin = 0;     rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, - SECURITY_CAP_NOAUDIT); +  SECURITY_CAP_NOAUDIT, true);   if (rc == 0)   cap_sys_admin = 1;   @@ -3201,7 +3201,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void       SECURITY_CAP_NOAUDIT);   if (!error)   error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, -     SECURITY_CAP_NOAUDIT); +     SECURITY_CAP_NOAUDIT, true);   if (!error)   error = security_sid_to_context_force(isec->sid, &context,         &size); 
@@ -3376,7 +3376,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,   case KDSKBENT:   case KDSKBSENT:   error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, -     SECURITY_CAP_AUDIT); +     SECURITY_CAP_AUDIT, true);   break;     /* default case assumes that the command will go diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 8fbd138..1f1f4b2 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -12,6 +12,18 @@  #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \       "write", "associate", "unix_read", "unix_write"   +#define COMMON_CAP_PERMS  "chown", "dac_override", "dac_read_search", \ +     "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \ +     "linux_immutable", "net_bind_service", "net_broadcast", \ +     "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \ +     "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ +     "sys_boot", "sys_nice", "sys_resource", "sys_time", \ +     "sys_tty_config", "mknod", "lease", "audit_write", \ +     "audit_control", "setfcap" + +#define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \ + "wake_alarm", "block_suspend", "audit_read" +  /*   * Note: The name for any socket class should be suffixed by "socket",   *  and doesn't contain more than one substr of "socket". 
@@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = {     { "ipc_info", "syslog_read", "syslog_mod",       "syslog_console", "module_request", "module_load", NULL } },   { "capability", -   { "chown", "dac_override", "dac_read_search", -     "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", -     "linux_immutable", "net_bind_service", "net_broadcast", -     "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", -     "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", -     "sys_boot", "sys_nice", "sys_resource", "sys_time", -     "sys_tty_config", "mknod", "lease", "audit_write", -     "audit_control", "setfcap", NULL } }, +   { COMMON_CAP_PERMS, NULL } },   { "filesystem",     { "mount", "remount", "unmount", "getattr",       "relabelfrom", "relabelto", "associate", "quotamod", @@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = {   { "memprotect", { "mmap_zero", NULL } },   { "peer", { "recv", NULL } },   { "capability2", -   { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", -     "audit_read", NULL } }, +   { COMMON_CAP2_PERMS, NULL } },   { "kernel_service", { "use_as_override", "create_files_as", NULL } },   { "tun_socket",     { COMMON_SOCK_PERMS, "attach_queue", NULL } },   { "binder", { "impersonate", "call", "set_context_mgr", "transfer",         NULL } }, + { "cap_userns", +   { COMMON_CAP_PERMS, NULL } }, + { "cap2_userns", +   { COMMON_CAP2_PERMS, NULL } },   { NULL }    };
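Review bot: In the first hooks.c hunk (cred_has_capability gains `bool initns`), the comment above the function still reads only "Check whether a task is allowed to use a capability." and says nothing about the new argument; extend it to state that `initns` selects the capability/capability2 classes when true and cap_userns/cap2_userns when false, since a bare `true` at the call sites (`SECURITY_CAP_NOAUDIT, true)`) gives the reader nothing to go on.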
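Review bot: In the selinux_capable hunk, `ns == &init_user_ns` means every non-init user namespace, including nested ones and namespaces the caller does not own, is treated identically and lands on the cap_userns classes; that is the intended semantics per the description, but the commit message should say so explicitly so policy writers understand that cap_userns does not distinguish "my own namespace" from "some other non-init namespace".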
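Review bot: In the selinux_vm_enough_memory hunk the hard-coded `true` deserves a one-line comment: this is a check the LSM performs on its own behalf against the init namespace rather than one forwarded from a namespace-aware caller, and without the comment a later reader could reasonably ask why it is not `ns == &init_user_ns` like selinux_capable. The same applies to the two other call sites that pass `true`.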
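Review bot: In the selinux_inode_getsecurity hunk, the `SECURITY_CAP_NOAUDIT);` context line above the changed call is the tail of the sibling capability check this CAP_MAC_ADMIN check is chained behind (`if (!error) error = cred_has_capability(...)`); passing `true` here is only right if that preceding check is also made against the init user namespace, so please confirm the two agree rather than letting one check be namespace-aware and the other not.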
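Review bot: In the classmap.h hunk introducing COMMON_CAP_PERMS and COMMON_CAP2_PERMS, the order of the permission strings is load-bearing: cred_has_capability computes the access vector from the capability number (CAP_TO_INDEX/CAP_TO_MASK), so the nth string in each macro must be the nth CAP_* constant of that 32-bit block. The macro moves the lists verbatim and keeps that order, but now that the same list feeds four classes a comment on the macro stating the invariant ("order must match include/uapi/linux/capability.h") would stop someone alphabetising it later.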
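Review bot: In the last classmap.h hunk, appending `cap_userns` and `cap2_userns` at the end of secclass_map is right (existing class order is undisturbed, and the mdp-generated dummy policy will pick them up from classmap.h), but a policy that does not declare the two classes will handle them according to its unknown-class setting: with deny_unknown every capability use from a non-init user namespace is refused, with allow_unknown it is silently permitted. The commit message should call this out and the reference policy needs a matching security_classes/access_vectors update before this is merged.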
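What the split buys a policy writer, as an added example that is not part of the patch or of any shipped policy: reference-policy-style rules for a hypothetical sandbox domain. The type name `chrome_sandbox_t` and the chosen permission set are assumptions for illustration; the class and permission names are the ones the patch adds to classmap.h.

```te
# Added example (not from the patch). chrome_sandbox_t is a hypothetical type.
#
# Before this patch, letting the sandbox set up its user namespace (mount,
# chroot, uid/gid changes inside it) meant granting the real capability class,
# and that grant also applied to targets in the init user namespace:
#allow chrome_sandbox_t self:capability { sys_admin sys_chroot setuid setgid };

# With the patch, a capability check whose target is a non-init user namespace
# is made against cap_userns (cap2_userns for CAP_MAC_OVERRIDE and above), so
# the grant can be scoped to the sandbox's own namespaces:
allow chrome_sandbox_t self:cap_userns { sys_admin sys_chroot setuid setgid };

# Nothing is granted for the init namespace; make that an enforced policy
# invariant rather than an accident of omission:
neverallow chrome_sandbox_t self:capability { sys_admin sys_module sys_rawio };
```

Both classes must be declared in the policy's security_classes and access_vectors files before these rules compile, and the permission lists there must be in the same order as COMMON_CAP_PERMS/COMMON_CAP2_PERMS, since the kernel maps access-vector bits to capability numbers positionally. A denial from a process in a user namespace will now show up in the AVC audit record with `tclass=cap_userns` rather than `tclass=capability`, which is how an administrator tells the two cases apart.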