From: Casey Schaufler <casey@schaufler-ca.com>
To: Sungbae Yoo <sungbae.yoo@samsung.com>,
	"'Lukasz Pawelczyk'" <l.pawelczyk@samsung.com>
Cc: "'James Morris'" <james.l.morris@oracle.com>,
	"'Serge E. Hallyn'" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
Date: Tue, 28 Jul 2015 07:36:30 -0700	[thread overview]
Message-ID: <55B7936E.2080007@schaufler-ca.com> (raw)
In-Reply-To: <000001d0c80b$55bdec50$0139c4f0$@samsung.com>

On 7/26/2015 6:27 PM, Sungbae Yoo wrote:
> So, do you agree to allow the process to change its own labels?

No. This requires CAP_MAC_ADMIN. Smack is mandatory access control.
Being in a namespace (as they are implemented today) is not sufficient.

>
> Now, the init process (e.g. systemd) can't run in a user namespace properly
> because it can't assign a smack label to a service.
>
> If you agree, I'll upload another patch limited to this.
>
>
> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelczyk@samsung.com] 
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn; linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On Fri, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
>> If the current task has capabilities, Smack operations (e.g. changing its
>> own smack label) should be available even inside a namespace.
>>
>> Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
>>
>> diff --git a/security/smack/smack_access.c 
>> b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
>> --- a/security/smack/smack_access.c
>> +++ b/security/smack/smack_access.c
>> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
>>  	struct smack_known *skp = smk_of_current();
>>  	struct smack_onlycap *sop;
>>  
>> -	if (!capable(cap))
>> +	if (!ns_capable(current_user_ns(), cap))
>>  		return 0;
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this issue (e.g. changing own labels inside a namespace).
>
>>  
>>  	rcu_read_lock();
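Review bot: the ns_capable(current_user_ns(), cap) test at the top of smack_privileged() is satisfiable without any real privilege: an unprivileged task can unshare(CLONE_NEWUSER) and holds the full capability set in the namespace it just created, so current_user_ns() is precisely the one namespace in which the caller is always capable. Every caller of smack_privileged() that guards global state (the smackfs rule, onlycap and label writers) therefore becomes reachable from an unprivileged shell, and the smack_onlycap list checked below only narrows which labels may use the privilege; it does not restore it. Keep `if (!capable(cap))` here; if a namespace-scoped variant is wanted, add a separate helper that takes the namespace of the object being acted on rather than the caller's own.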
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c 
>> index a143328..7fdc3dd 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct 
>> task_struct *tracer,
>>  			rc = 0;
>>  		else if (smack_ptrace_rule ==
>> SMACK_PTRACE_DRACONIAN)
>>  			rc = -EACCES;
>> -		else if (capable(CAP_SYS_PTRACE))
>> +		else if (ns_capable(__task_cred(tracer)->user_ns,
>> +				    CAP_SYS_PTRACE))
>>  			rc = 0;
>>  		else
>>  			rc = -EACCES;
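Review bot: ns_capable(__task_cred(tracer)->user_ns, CAP_SYS_PTRACE) asks whether the tracer is capable in its own namespace, which any tracer that created that namespace trivially is; the question ptrace access control asks is whether the tracer is capable over the tracee, i.e. in the tracee's user namespace (ptrace_may_access() checks CAP_SYS_PTRACE against the target's cred->user_ns). The tracee reaches this function only as its Smack label, not as a task, so the callers would have to pass the tracee's credentials (or that namespace) before a correct ns_capable() call is possible; until then capable(CAP_SYS_PTRACE) is the safer check. Separately, __task_cred() must be dereferenced under rcu_read_lock(); confirm the callers hold it or take it around this test.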
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics
>
>
>
>
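The point Lukasz and Casey make above (that a capability held in a namespace the caller created is not a privilege) can be checked without booting a Smack kernel. The following is an added example, not code from the patch, from this thread or from the kernel: a user-space C model of the capability walk that cap_capable() in security/commoncap.c performs, applied to the two checks the patch introduces. The structures struct user_ns and struct cred, the functions model_ns_capable(), model_capable() and model_unshare_newuser(), and the uid 1000 scenarios are simplifications assumed by this example, not kernel definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in include/uapi/linux/capability.h. */
#define CAP_SYS_PTRACE 19
#define CAP_MAC_ADMIN  33
#define CAP_FULL_SET   UINT64_MAX

/* Simplified stand-ins for struct user_namespace and struct cred
 * (assumptions of this example, not the kernel's definitions). */
struct user_ns {
	struct user_ns *parent;  /* NULL for the initial namespace */
	int level;               /* depth below init_user_ns (0 for init) */
	unsigned int owner;      /* euid, in the parent, of the creating task */
};

struct cred {
	struct user_ns *user_ns; /* namespace in which cap_effective applies */
	unsigned int euid;       /* effective uid, in user_ns */
	uint64_t cap_effective;  /* bit n set => capability n raised */
};

static struct user_ns init_user_ns = { NULL, 0, 0 };

/* Model of cap_capable(): walk from the target namespace towards the root.
 * The task is capable if it holds the bit in its own namespace, or if it
 * owns a direct child of its own namespace that lies on that path. */
static bool model_ns_capable(const struct cred *cred,
			     const struct user_ns *targ_ns, int cap)
{
	const struct user_ns *ns = targ_ns;

	for (;;) {
		if (ns == cred->user_ns)
			return (cred->cap_effective >> cap) & 1;
		/* targ_ns is not below cred->user_ns: no privilege over it. */
		if (ns->level <= cred->user_ns->level)
			return false;
		/* Creator of a direct child namespace is capable in it. */
		if (ns->parent == cred->user_ns && ns->owner == cred->euid)
			return true;
		ns = ns->parent;
	}
}

/* capable(cap) is ns_capable(&init_user_ns, cap). */
static bool model_capable(const struct cred *cred, int cap)
{
	return model_ns_capable(cred, &init_user_ns, cap);
}

/* Model of unshare(CLONE_NEWUSER) by an unprivileged task: the caller owns
 * the new namespace and its credentials gain the full capability set there. */
static void model_unshare_newuser(struct cred *cred, struct user_ns *newns)
{
	newns->parent = cred->user_ns;
	newns->level = cred->user_ns->level + 1;
	newns->owner = cred->euid;
	cred->user_ns = newns;
	cred->cap_effective = CAP_FULL_SET;
}

/* Scenario 1, the smack_privileged() hunk: uid 1000 with no capabilities
 * fails both checks in init_user_ns; after unshare(CLONE_NEWUSER) the
 * original capable() still fails while ns_capable(current_user_ns(), cap)
 * succeeds. Returns true when exactly that bypass is observed. */
bool smack_privileged_bypass(void)
{
	struct user_ns child;
	struct cred c = { &init_user_ns, 1000, 0 };
	bool orig_before = model_capable(&c, CAP_MAC_ADMIN);
	bool patched_before = model_ns_capable(&c, c.user_ns, CAP_MAC_ADMIN);

	model_unshare_newuser(&c, &child);
	bool orig_after = model_capable(&c, CAP_MAC_ADMIN);
	bool patched_after = model_ns_capable(&c, c.user_ns, CAP_MAC_ADMIN);

	return !orig_before && !patched_before && !orig_after && patched_after;
}

/* Scenario 2, the smk_ptrace_rule_check() hunk: the tracer has unshared a
 * user namespace, the tracee stays in init_user_ns. CAP_SYS_PTRACE checked
 * in the tracer's own namespace passes; checked in the tracee's namespace
 * (what ptrace_may_access() does) it fails. Returns true when they differ. */
bool ptrace_ns_choice_matters(void)
{
	struct user_ns tracer_ns;
	struct cred tracer = { &init_user_ns, 1000, 0 };
	struct cred tracee = { &init_user_ns, 1000, 0 };

	model_unshare_newuser(&tracer, &tracer_ns);
	bool in_tracer_ns = model_ns_capable(&tracer, tracer.user_ns, CAP_SYS_PTRACE);
	bool in_tracee_ns = model_ns_capable(&tracer, tracee.user_ns, CAP_SYS_PTRACE);
	return in_tracer_ns && !in_tracee_ns;
}

int main(void)
{
	printf("smack_privileged() bypass after unshare(CLONE_NEWUSER): %s\n",
	       smack_privileged_bypass() ? "yes" : "no");
	printf("CAP_SYS_PTRACE passes in tracer ns but not tracee ns: %s\n",
	       ptrace_ns_choice_matters() ? "yes" : "no");
	return 0;
}
```

The model deliberately leaves out cap_bset, securebits and setuid handling; only the namespace walk matters for the argument, and it already shows why the namespace passed to ns_capable() must come from the object being protected, never from the caller.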


Thread overview: 8+ messages
2015-07-24 11:26 [PATCH] Smack: replace capable() with ns_capable() Sungbae Yoo
2015-07-24 11:40 ` Lukasz Pawelczyk
2015-07-25 16:59   ` Casey Schaufler
2015-07-27  1:27   ` Sungbae Yoo
2015-07-27  8:52     ` Lukasz Pawelczyk
2015-07-28 14:36     ` Casey Schaufler [this message]
2015-07-28 15:06       ` Serge E. Hallyn
2015-07-28 16:11         ` Casey Schaufler
