Re: [PATCH] Smack: replace capable() with ns_capable()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
To: Sungbae Yoo <sungbae.yoo@samsung.com>,
	"'Casey Schaufler'" <casey@schaufler-ca.com>
Cc: "'James Morris'" <james.l.morris@oracle.com>,
	"'Serge E. Hallyn'" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
Date: Mon, 27 Jul 2015 10:52:16 +0200	[thread overview]
Message-ID: <1437987136.3303.2.camel@samsung.com> (raw)
In-Reply-To: <000001d0c80b$55bdec50$0139c4f0$@samsung.com>

On pon, 2015-07-27 at 10:27 +0900, Sungbae Yoo wrote:
> So, Do you agree to allow the process to change its own labels?

Yes, by using a proper method as I mentioned below (e.g. Smack
namespace posted to this list).

> Now, init process(eg. systemd) can't be running in user namespace 
> properly
> because it can't be assign smack label to service.
> 
> If you agree, I'll upload another patch limited to this.

This won't help. Limiting this to init process will still allow every
process outside of a namespace to change its own label, still insecure.


> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelczyk@samsung.com] 
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn; 
> linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
> 
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> > If current task has capabilities, Smack operations (eg. Changing 
> > own 
> > smack
> > label) should be available even inside of namespace.
> > 
> > Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>
> > 
> > diff --git a/security/smack/smack_access.c 
> > b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> > --- a/security/smack/smack_access.c
> > +++ b/security/smack/smack_access.c
> > @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> >  	struct smack_known *skp = smk_of_current();
> >  	struct smack_onlycap *sop;
> >  
> > -	if (!capable(cap))
> > +	if (!ns_capable(current_user_ns(), cap))
> >  		return 0;
> 
> It's not that easy.
> 
> With this change Smack becomes completely insecure. You can change 
> rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this 
> issue (e.g. changing own labels inside a namespace).
> 
> >  
> >  	rcu_read_lock();
> > diff --git a/security/smack/smack_lsm.c 
> > b/security/smack/smack_lsm.c 
> > index a143328..7fdc3dd 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct 
> > task_struct *tracer,
> >  			rc = 0;
> >  		else if (smack_ptrace_rule ==
> > SMACK_PTRACE_DRACONIAN)
> >  			rc = -EACCES;
> > -		else if (capable(CAP_SYS_PTRACE))
> > +		else if (ns_capable(__task_cred(tracer)->user_ns,
> > +				    CAP_SYS_PTRACE))
> >  			rc = 0;
> >  		else
> >  			rc = -EACCES;
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux
> -security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics

next prev parent reply	other threads:[~2015-07-27  8:52 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-24 11:26 [PATCH] Smack: replace capable() with ns_capable() Sungbae Yoo
2015-07-24 11:40 ` Lukasz Pawelczyk
2015-07-25 16:59   ` Casey Schaufler
2015-07-27  1:27   ` Sungbae Yoo
2015-07-27  8:52     ` Lukasz Pawelczyk [this message]
2015-07-28 14:36     ` Casey Schaufler
2015-07-28 15:06       ` Serge E. Hallyn
2015-07-28 16:11         ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1437987136.3303.2.camel@samsung.com \
    --to=l.pawelczyk@samsung.com \
    --cc=casey@schaufler-ca.com \
    --cc=james.l.morris@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=sungbae.yoo@samsung.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox