Re: [PATCH] security: smack: Add support automatic Smack labeling

From: Lukasz Pawelczyk
Date: Mon Aug 31 2015 - 09:59:13 EST

Next message: Arnaldo Carvalho de Melo: "Re: [GIT PULL 00/32] perf tools: filtering events using eBPF programs"
Previous message: Guenter Roeck: "Re: ARCv2 testing exposure (Re: arc build failures in -next due to ARCv2 patch)"
In reply to: jonghwa3 . lee: "Re: [PATCH] security: smack: Add support automatic Smack labeling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On pon, 2015-08-31 at 15:13 +0900, jonghwa3.lee@xxxxxxxxxxx wrote:
> A rule is defined for a process, 'process A', in smack rule table.
>
> ...
> Process A device::A arwx-
> ...
>
> The object 'device::A' will be used to a device node that 'process A'
> will access.
> However when the target device node is created it's labeled with
> default label
> which is inherited from any of filesystem, ancestor, or creating
> process.
> Let's say the default object label for devtmpfs is '_' which allows
> only read and
> write access. So we need the specific labeling by the authorized
> process as like
> udevd for the devtmpfs.
>
> In normal, smack label and access control follow the sequences,
>
> 1. Kernel module driver loaded
> 2. New device node is created (/dev/aaa , '_')
> 3. Udevd gets uevent and appies udev rule (/dev/aaa, 'device::A')
> 4. 'Process A' accesses the device node ('Process A' --->
> 'device::A', MAY_WRITE)
> 5. Access is permitted.
>
> However, when labeling isn't done in proper time, result will be
> different,
>
> 1. Kernel module driver loaded
> 2. New device node is created (/dev/aaa , '_')
> 3. 'Process A' accesses the device node ('Process A' ---> '_',
> MAY_WRITE)
> 4. Access is prohibited
>
> Can this situation be handled in current Smack subsystem?
> If so, could you give me an idea how to handle it.

This doesn't seem to be a Smack problem. This isn't even a kernel
problem. It's userspace race. You should wait for a proper udev event
that notifies after all udev rules are applied.

I think there are 2 udev events. One that notifies that a device has
been added. Second that notifies where all the rules for the device has
been applied. You need to use the second one.

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arnaldo Carvalho de Melo: "Re: [GIT PULL 00/32] perf tools: filtering events using eBPF programs"
Previous message: Guenter Roeck: "Re: ARCv2 testing exposure (Re: arc build failures in -next due to ARCv2 patch)"
In reply to: jonghwa3 . lee: "Re: [PATCH] security: smack: Add support automatic Smack labeling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]