From: Casey Schaufler <casey@schaufler-ca.com>
To: Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
Sungbae Yoo <sungbae.yoo@samsung.com>
Cc: James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
Date: Sat, 25 Jul 2015 09:59:15 -0700 [thread overview]
Message-ID: <55B3C063.4090106@schaufler-ca.com> (raw)
In-Reply-To: <1437738032.2190.2.camel@samsung.com>
On 7/24/2015 4:40 AM, Lukasz Pawelczyk wrote:
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
>> If current task has capabilities, Smack operations (eg. Changing own
>> smack
>> label) should be available even inside of namespace.
>>
>> Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
For the reasons Lukasz outlines below.
Nacked-by: Casey Schaufler <casey@schaufler-ca.com>
>>
>> diff --git a/security/smack/smack_access.c
>> b/security/smack/smack_access.c
>> index 00f6b38..f6b2c35 100644
>> --- a/security/smack/smack_access.c
>> +++ b/security/smack/smack_access.c
>> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
>> struct smack_known *skp = smk_of_current();
>> struct smack_onlycap *sop;
>>
>> - if (!capable(cap))
>> + if (!ns_capable(current_user_ns(), cap))
>> return 0;
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change
> rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this
> issue (e.g. changing own labels inside a namespace).
>
>>
>> rcu_read_lock();
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index a143328..7fdc3dd 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
>> task_struct *tracer,
>> rc = 0;
>> else if (smack_ptrace_rule ==
>> SMACK_PTRACE_DRACONIAN)
>> rc = -EACCES;
>> - else if (capable(CAP_SYS_PTRACE))
>> + else if (ns_capable(__task_cred(tracer)->user_ns,
>> + CAP_SYS_PTRACE))
>> rc = 0;
>> else
>> rc = -EACCES;
next prev parent reply other threads:[~2015-07-25 16:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-24 11:26 [PATCH] Smack: replace capable() with ns_capable() Sungbae Yoo
2015-07-24 11:40 ` Lukasz Pawelczyk
2015-07-25 16:59 ` Casey Schaufler [this message]
2015-07-27 1:27 ` Sungbae Yoo
2015-07-27 8:52 ` Lukasz Pawelczyk
2015-07-28 14:36 ` Casey Schaufler
2015-07-28 15:06 ` Serge E. Hallyn
2015-07-28 16:11 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55B3C063.4090106@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=l.pawelczyk@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=sungbae.yoo@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.