* [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33
@ 2007-11-25 5:53 Casey Schaufler
2007-11-25 16:33 ` Andrew Morgan
2007-11-26 16:28 ` Serge E. Hallyn
0 siblings, 2 replies; 4+ messages in thread
From: Casey Schaufler @ 2007-11-25 5:53 UTC (permalink / raw)
To: akpm, torvalds, Andrew Morgan; +Cc: linux-kernel, linux-security-module
[-- Attachment #1: Type: text/plain, Size: 6594 bytes --]
From: Casey Schaufler <casey@schaufler-ca.com>
This patch takes advantage of the increase in capability bits
to allocate capabilities for Mandatory Access Control. Whereas
Smack was overloading a previously allocated capability it is
now using a pair, one for overriding access control checks and
the other for changes to the MAC configuration.
The two capabilities allocated should be obvious in their intent.
The comments in capability.h are intended to make it clear that
there is no intention that implementations of MAC LSM modules
be any more constrained by the presence of these capabilities
than an implementation of DAC LSM modules are by the analogous
DAC capabilities.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
The companion patch for libcap-2.02 is provided as an attachment.
The attachment is not a kernel patch, although it would be easy to
mistake it for one.
Thank you.
include/linux/capability.h | 20 +++++++++++++++++++-
security/smack/smack.h | 8 --------
security/smack/smack_lsm.c | 8 ++++----
security/smack/smackfs.c | 12 ++++++------
4 files changed, 29 insertions(+), 19 deletions(-)
diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/include/linux/capability.h linux-2.6.24-rc3-mm1-smack/include/linux/capability.h
--- linux-2.6.24-rc3-mm1-base/include/linux/capability.h 2007-11-22 01:51:36.000000000 -0800
+++ linux-2.6.24-rc3-mm1-smack/include/linux/capability.h 2007-11-24 11:26:51.000000000 -0800
@@ -314,6 +314,23 @@ typedef struct kernel_cap_struct {
#define CAP_SETFCAP 31
+/* Override MAC access.
+ The base kernel enforces no MAC policy.
+ An LSM may enforce a MAC policy, and if it does and it chooses
+ to implement capability based overrides of that policy, this is
+ the capability it should use to do so. */
+
+#define CAP_MAC_OVERRIDE 32
+
+/* Allow MAC configuration or state changes.
+ The base kernel requires no MAC configuration.
+ An LSM may enforce a MAC policy, and if it does and it chooses
+ to implement capability based checks on modifications to that
+ policy or the data required to maintain it, this is the
+ capability it should use to do so. */
+
+#define CAP_MAC_ADMIN 33
+
/*
* Bit location of each capability (used by user-space library and kernel)
*/
@@ -334,7 +351,8 @@ typedef struct kernel_cap_struct {
| CAP_TO_MASK(CAP_DAC_OVERRIDE) \
| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
| CAP_TO_MASK(CAP_FOWNER) \
- | CAP_TO_MASK(CAP_FSETID))
+ | CAP_TO_MASK(CAP_FSETID) \
+ | CAP_TO_MASK(CAP_MAC_OVERRIDE))
#if _LINUX_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/security/smack/smackfs.c linux-2.6.24-rc3-mm1-smack/security/smack/smackfs.c
--- linux-2.6.24-rc3-mm1-base/security/smack/smackfs.c 2007-11-22 01:51:43.000000000 -0800
+++ linux-2.6.24-rc3-mm1-smack/security/smack/smackfs.c 2007-11-24 11:29:29.000000000 -0800
@@ -241,7 +241,7 @@ static ssize_t smk_write_load(struct fil
* No partial writes.
* Enough data must be present.
*/
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (*ppos != 0)
return -EINVAL;
@@ -474,7 +474,7 @@ static ssize_t smk_write_cipso(struct fi
* No partial writes.
* Enough data must be present.
*/
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (*ppos != 0)
return -EINVAL;
@@ -601,7 +601,7 @@ static ssize_t smk_write_doi(struct file
char temp[80];
int i;
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (count >= sizeof(temp) || count == 0)
@@ -666,7 +666,7 @@ static ssize_t smk_write_direct(struct f
char temp[80];
int i;
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (count >= sizeof(temp) || count == 0)
@@ -747,7 +747,7 @@ static ssize_t smk_write_ambient(struct
char in[SMK_LABELLEN];
char *smack;
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (count >= SMK_LABELLEN)
@@ -840,7 +840,7 @@ static ssize_t smk_write_nltype(struct f
char *cp;
int i;
- if (!capable(CAP_MAC_OVERRIDE))
+ if (!capable(CAP_MAC_ADMIN))
return -EPERM;
if (count >= 40)
diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/security/smack/smack.h linux-2.6.24-rc3-mm1-smack/security/smack/smack.h
--- linux-2.6.24-rc3-mm1-base/security/smack/smack.h 2007-11-22 01:51:43.000000000 -0800
+++ linux-2.6.24-rc3-mm1-smack/security/smack/smack.h 2007-11-22 03:03:19.000000000 -0800
@@ -162,14 +162,6 @@ struct smack_known {
#define MAY_NOT 0
/*
- * There are not enough CAP bits available to make this
- * real, so Casey borrowed the capability that looks to
- * him like it has the best balance of similarity amd
- * low use.
- */
-#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
-
-/*
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(char *);
diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/security/smack/smack_lsm.c linux-2.6.24-rc3-mm1-smack/security/smack/smack_lsm.c
--- linux-2.6.24-rc3-mm1-base/security/smack/smack_lsm.c 2007-11-22 01:51:43.000000000 -0800
+++ linux-2.6.24-rc3-mm1-smack/security/smack/smack_lsm.c 2007-11-24 11:31:43.000000000 -0800
@@ -585,7 +585,7 @@ static int smack_inode_setxattr(struct d
void *value, size_t size, int flags)
{
if (strcmp(name, XATTR_NAME_SMACK) == 0 &&
- !__capable(current, CAP_MAC_OVERRIDE))
+ !__capable(current, CAP_MAC_ADMIN))
return -EPERM;
return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
@@ -649,14 +649,14 @@ static int smack_inode_getxattr(struct d
* @dentry: the object
* @name: name of the attribute
*
- * Removing the Smack attribute requires CAP_MAC_OVERRIDE
+ * Removing the Smack attribute requires CAP_MAC_ADMIN
*
* Returns 0 if access is permitted, an error code otherwise
*/
static int smack_inode_removexattr(struct dentry *dentry, char *name)
{
if (strcmp(name, XATTR_NAME_SMACK) == 0 &&
- !__capable(current, CAP_MAC_OVERRIDE))
+ !__capable(current, CAP_MAC_ADMIN))
return -EPERM;
return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
@@ -1956,7 +1956,7 @@ static int smack_setprocattr(struct task
{
char *newsmack;
- if (!__capable(p, CAP_MAC_OVERRIDE))
+ if (!__capable(p, CAP_MAC_ADMIN))
return -EPERM;
/*
[-- Attachment #2: libcap-2.02.patch --]
[-- Type: text/plain, Size: 1522 bytes --]
diff -uprN libcap-2.02/libcap/include/linux/capability.h libcap-2.02-smack/libcap/include/linux/capability.h
--- libcap-2.02/libcap/include/linux/capability.h 2007-11-10 09:34:04.000000000 -0800
+++ libcap-2.02-smack/libcap/include/linux/capability.h 2007-11-24 13:35:38.000000000 -0800
@@ -314,6 +314,23 @@ typedef struct kernel_cap_struct {
#define CAP_SETFCAP 31
+/* Override MAC access.
+ The base kernel enforces no MAC policy.
+ An LSM may enforce a MAC policy, and if it does and it chooses
+ to implement capability based overrides of that policy, this is
+ the capability it should use to do so. */
+
+#define CAP_MAC_OVERRIDE 32
+
+/* Allow MAC configuration or state changes.
+ The base kernel requires no MAC configuration.
+ An LSM may enforce a MAC policy, and if it does and it chooses
+ to implement capability based checks on modifications to that
+ policy or the data required to maintain it, this is the
+ capability it should use to do so. */
+
+#define CAP_MAC_ADMIN 33
+
/*
* Bit location of each capability (used by user-space library and kernel)
*/
@@ -334,7 +351,8 @@ typedef struct kernel_cap_struct {
|CAP_TO_MASK(CAP_DAC_OVERRIDE) \
|CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
|CAP_TO_MASK(CAP_FOWNER) \
- |CAP_TO_MASK(CAP_FSETID))
+ |CAP_TO_MASK(CAP_FSETID) \
+ |CAP_TO_MASK(CAP_MAC_OVERRIDE))
#if _LINUX_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33
2007-11-25 5:53 [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33 Casey Schaufler
@ 2007-11-25 16:33 ` Andrew Morgan
2007-11-25 17:13 ` Casey Schaufler
2007-11-26 16:28 ` Serge E. Hallyn
1 sibling, 1 reply; 4+ messages in thread
From: Andrew Morgan @ 2007-11-25 16:33 UTC (permalink / raw)
To: casey; +Cc: akpm, torvalds, linux-kernel, linux-security-module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Casey Schaufler wrote:
> diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/include/linux/capability.h linux-2.6.24-rc3-mm1-smack/include/linux/capability.h
> --- linux-2.6.24-rc3-mm1-base/include/linux/capability.h 2007-11-22 01:51:36.000000000 -0800
> +++ linux-2.6.24-rc3-mm1-smack/include/linux/capability.h 2007-11-24 11:26:51.000000000 -0800
> @@ -314,6 +314,23 @@ typedef struct kernel_cap_struct {
>
> #define CAP_SETFCAP 31
>
> +/* Override MAC access.
> + The base kernel enforces no MAC policy.
> + An LSM may enforce a MAC policy, and if it does and it chooses
> + to implement capability based overrides of that policy, this is
> + the capability it should use to do so. */
> +
> +#define CAP_MAC_OVERRIDE 32
> +
> +/* Allow MAC configuration or state changes.
> + The base kernel requires no MAC configuration.
> + An LSM may enforce a MAC policy, and if it does and it chooses
> + to implement capability based checks on modifications to that
> + policy or the data required to maintain it, this is the
> + capability it should use to do so. */
> +
> +#define CAP_MAC_ADMIN 33
> +
> /*
> * Bit location of each capability (used by user-space library and kernel)
> */
> @@ -334,7 +351,8 @@ typedef struct kernel_cap_struct {
> | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
> | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
> | CAP_TO_MASK(CAP_FOWNER) \
> - | CAP_TO_MASK(CAP_FSETID))
> + | CAP_TO_MASK(CAP_FSETID) \
The following looks a bit fishy:
> + | CAP_TO_MASK(CAP_MAC_OVERRIDE))
(1<<32) & 0xffffffff == 0
I think you need to define CAP_FS_MASK_B1.
Cheers
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHSaPvmwytjiwfWMwRAjC8AJ9V4pntMzw4ayK1lb5mgUdjKYlCPQCeLkkz
jas90SJYDo58pQ8Skw1IK60=
=5PUQ
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33
2007-11-25 16:33 ` Andrew Morgan
@ 2007-11-25 17:13 ` Casey Schaufler
0 siblings, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2007-11-25 17:13 UTC (permalink / raw)
To: Andrew Morgan, casey; +Cc: akpm, torvalds, linux-kernel, linux-security-module
--- Andrew Morgan <morgan@kernel.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Casey Schaufler wrote:
> > diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff
> linux-2.6.24-rc3-mm1-base/include/linux/capability.h
> linux-2.6.24-rc3-mm1-smack/include/linux/capability.h
> > --- linux-2.6.24-rc3-mm1-base/include/linux/capability.h 2007-11-22
> 01:51:36.000000000 -0800
> > +++ linux-2.6.24-rc3-mm1-smack/include/linux/capability.h 2007-11-24
> 11:26:51.000000000 -0800
> > @@ -314,6 +314,23 @@ typedef struct kernel_cap_struct {
> >
> > #define CAP_SETFCAP 31
> >
> > +/* Override MAC access.
> > + The base kernel enforces no MAC policy.
> > + An LSM may enforce a MAC policy, and if it does and it chooses
> > + to implement capability based overrides of that policy, this is
> > + the capability it should use to do so. */
> > +
> > +#define CAP_MAC_OVERRIDE 32
> > +
> > +/* Allow MAC configuration or state changes.
> > + The base kernel requires no MAC configuration.
> > + An LSM may enforce a MAC policy, and if it does and it chooses
> > + to implement capability based checks on modifications to that
> > + policy or the data required to maintain it, this is the
> > + capability it should use to do so. */
> > +
> > +#define CAP_MAC_ADMIN 33
> > +
> > /*
> > * Bit location of each capability (used by user-space library and kernel)
> > */
> > @@ -334,7 +351,8 @@ typedef struct kernel_cap_struct {
> > | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
> > | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
> > | CAP_TO_MASK(CAP_FOWNER) \
> > - | CAP_TO_MASK(CAP_FSETID))
> > + | CAP_TO_MASK(CAP_FSETID) \
>
> The following looks a bit fishy:
> > + | CAP_TO_MASK(CAP_MAC_OVERRIDE))
>
> (1<<32) & 0xffffffff == 0
>
> I think you need to define CAP_FS_MASK_B1.
I think you're right, and I'll need to use it, too.
Casey Schaufler
casey@schaufler-ca.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33
2007-11-25 5:53 [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33 Casey Schaufler
2007-11-25 16:33 ` Andrew Morgan
@ 2007-11-26 16:28 ` Serge E. Hallyn
1 sibling, 0 replies; 4+ messages in thread
From: Serge E. Hallyn @ 2007-11-26 16:28 UTC (permalink / raw)
To: Casey Schaufler
Cc: akpm, torvalds, Andrew Morgan, linux-kernel,
linux-security-module
Quoting Casey Schaufler (casey@schaufler-ca.com):
> From: Casey Schaufler <casey@schaufler-ca.com>
>
> This patch takes advantage of the increase in capability bits
> to allocate capabilities for Mandatory Access Control. Whereas
> Smack was overloading a previously allocated capability it is
> now using a pair, one for overriding access control checks and
> the other for changes to the MAC configuration.
>
> The two capabilities allocated should be obvious in their intent.
> The comments in capability.h are intended to make it clear that
> there is no intention that implementations of MAC LSM modules
> be any more constrained by the presence of these capabilities
> than an implementation of DAC LSM modules are by the analogous
> DAC capabilities.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> ---
>
> The companion patch for libcap-2.02 is provided as an attachment.
> The attachment is not a kernel patch, although it would be easy to
> mistake it for one.
>
> Thank you.
>
> include/linux/capability.h | 20 +++++++++++++++++++-
> security/smack/smack.h | 8 --------
> security/smack/smack_lsm.c | 8 ++++----
> security/smack/smackfs.c | 12 ++++++------
> 4 files changed, 29 insertions(+), 19 deletions(-)
>
> diff -uprN -X linux-2.6.24-rc3-mm1-base/Documentation/dontdiff linux-2.6.24-rc3-mm1-base/include/linux/capability.h linux-2.6.24-rc3-mm1-smack/include/linux/capability.h
> --- linux-2.6.24-rc3-mm1-base/include/linux/capability.h 2007-11-22 01:51:36.000000000 -0800
> +++ linux-2.6.24-rc3-mm1-smack/include/linux/capability.h 2007-11-24 11:26:51.000000000 -0800
> @@ -314,6 +314,23 @@ typedef struct kernel_cap_struct {
>
> #define CAP_SETFCAP 31
>
> +/* Override MAC access.
> + The base kernel enforces no MAC policy.
> + An LSM may enforce a MAC policy, and if it does and it chooses
> + to implement capability based overrides of that policy, this is
> + the capability it should use to do so. */
> +
> +#define CAP_MAC_OVERRIDE 32
> +
> +/* Allow MAC configuration or state changes.
> + The base kernel requires no MAC configuration.
> + An LSM may enforce a MAC policy, and if it does and it chooses
> + to implement capability based checks on modifications to that
> + policy or the data required to maintain it, this is the
> + capability it should use to do so. */
> +
> +#define CAP_MAC_ADMIN 33
> +
I do like the descriptions.
(Will wait for Andrew's comments to be addressed before reviewing the
rest)
thanks,
-serge
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-11-26 16:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-11-25 5:53 [PATCH] -mm (2.6.24-rc3-mm1) Smack using capabilities 32 and 33 Casey Schaufler
2007-11-25 16:33 ` Andrew Morgan
2007-11-25 17:13 ` Casey Schaufler
2007-11-26 16:28 ` Serge E. Hallyn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox