From: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
To: Sungbae Yoo <sungbae.yoo@samsung.com>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
Date: Fri, 24 Jul 2015 13:40:32 +0200
Message-ID: <1437738032.2190.2.camel@samsung.com>
In-Reply-To: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com>
On Fri, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> If current task has capabilities, Smack operations (e.g. changing own smack
> label) should be available even inside of namespace.
>
> Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
>
> diff --git a/security/smack/smack_access.c
> b/security/smack/smack_access.c
> index 00f6b38..f6b2c35 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> struct smack_known *skp = smk_of_current();
> struct smack_onlycap *sop;
>
> - if (!capable(cap))
> + if (!ns_capable(current_user_ns(), cap))
> return 0;
It's not that easy.
With this change Smack becomes completely insecure. You can change
rules as an unprivileged user without any problems now.
What you want is Smack namespace that was made to remedy exactly this
issue (e.g. changing own labels inside a namespace).
>
> rcu_read_lock();
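Review bot: the replacement `if (!ns_capable(current_user_ns(), cap))` in smack_privileged() is satisfied by any task that holds `cap` in its own user namespace, and a task that creates a user namespace holds the full capability set inside it, so every caller of smack_privileged() (the gate for Smack's administrative operations, including rule changes, as the reply above points out) becomes reachable without privilege in the initial namespace. Suggest keeping `capable(cap)` here and handling the one case the commit message describes (a task changing its own label inside a namespace) in the specific code path that needs it, with the commit message stating which smack_privileged() callers are intended to change behaviour.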
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a143328..7fdc3dd 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> task_struct *tracer,
> rc = 0;
> else if (smack_ptrace_rule ==
> SMACK_PTRACE_DRACONIAN)
> rc = -EACCES;
> - else if (capable(CAP_SYS_PTRACE))
> + else if (ns_capable(__task_cred(tracer)->user_ns,
> + CAP_SYS_PTRACE))
> rc = 0;
> else
> rc = -EACCES;
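Review bot: `ns_capable(__task_cred(tracer)->user_ns, CAP_SYS_PTRACE)` tests the capability against the tracer's own user namespace, which a tracer that created that namespace holds trivially, so the non-draconian branch would allow a cross-label attach from inside an unprivileged user namespace; the core ptrace permission check keys the capability on the tracee's credential namespace for this reason, and this hunk should either do the same or keep `capable(CAP_SYS_PTRACE)`. Separately, __task_cred() is an rcu_dereference(), so the new `__task_cred(tracer)->user_ns` access needs rcu_read_lock() held by the caller; please confirm that holds at this point or wrap the access.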
--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics