Re: [PATCH] Smack: replace capable() with ns_capable()

From: Lukasz Pawelczyk
Date: Mon Jul 27 2015 - 04:52:24 EST

Next message: Lee Jones: "Re: [PATCH v7 3/5] clk: Supply the critical clock {init, enable, disable} framework"
Previous message: Namhyung Kim: "Re: [PATCH v4 4/5] perf config: Add a option 'list-all' to perf-config"
In reply to: Sungbae Yoo: "RE: [PATCH] Smack: replace capable() with ns_capable()"
Next in thread: Casey Schaufler: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On pon, 2015-07-27 at 10:27 +0900, Sungbae Yoo wrote:
> So, Do you agree to allow the process to change its own labels?

Yes, by using a proper method as I mentioned below (e.g. Smack
namespace posted to this list).

> Now, init process(eg. systemd) can't be running in user namespace
> properly
> because it can't be assign smack label to service.
>
> If you agree, I'll upload another patch limited to this.

This won't help. Limiting this to init process will still allow every
process outside of a namespace to change its own label, still insecure.

> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelczyk@xxxxxxxxxxx]
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn;
> linux-security-module@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On piÄ, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> > If current task has capabilities, Smack operations (eg. Changing
> > own
> > smack
> > label) should be available even inside of namespace.
> >
> > Signed-off-by: Sungbae Yoo <sungbae.yoo@xxxxxxxxxxx>
> >
> > diff --git a/security/smack/smack_access.c
> > b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> > --- a/security/smack/smack_access.c
> > +++ b/security/smack/smack_access.c
> > @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> > struct smack_known *skp = smk_of_current();
> > struct smack_onlycap *sop;
> >
> > - if (!capable(cap))
> > + if (!ns_capable(current_user_ns(), cap))
> > return 0;
>
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change
> rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this
> issue (e.g. changing own labels inside a namespace).
>
> >
> > rcu_read_lock();
> > diff --git a/security/smack/smack_lsm.c
> > b/security/smack/smack_lsm.c
> > index a143328..7fdc3dd 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> > task_struct *tracer,
> > rc = 0;
> > else if (smack_ptrace_rule ==
> > SMACK_PTRACE_DRACONIAN)
> > rc = -EACCES;
> > - else if (capable(CAP_SYS_PTRACE))
> > + else if (ns_capable(__task_cred(tracer)->user_ns,
> > + CAP_SYS_PTRACE))
> > rc = 0;
> > else
> > rc = -EACCES;
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux
> -security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Lee Jones: "Re: [PATCH v7 3/5] clk: Supply the critical clock {init, enable, disable} framework"
Previous message: Namhyung Kim: "Re: [PATCH v4 4/5] perf config: Add a option 'list-all' to perf-config"
In reply to: Sungbae Yoo: "RE: [PATCH] Smack: replace capable() with ns_capable()"
Next in thread: Casey Schaufler: "Re: [PATCH] Smack: replace capable() with ns_capable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]