public inbox for linux-kernel@vger.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serge@hallyn.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Cc: torvalds@osdl.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, akpm@osdl.org
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel
Date: Sun, 30 Sep 2007 21:15:18 -0700 (PDT)	[thread overview]
Message-ID: <527669.54986.qm@web36608.mail.mud.yahoo.com> (raw)
In-Reply-To: <20071001034724.GA28534@vino.hallyn.com>


--- "Serge E. Hallyn" <serge@hallyn.com> wrote:

> ...
> > +A process can see the smack label it is running with by
> > +reading /proc/self/attr/current. A privileged process can
> > +set the process smack by writing there.
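Review bot: "privileged" is left undefined in this paragraph, while the rest of the patch gates policy and label changes on CAP_MAC_OVERRIDE (aliased to CAP_LINUX_IMMUTABLE in this version). Name that capability here and state the consequence that the reply below confirms: a task that writes its label and then drops CAP_MAC_OVERRIDE cannot change it again, because Smack has no label-transition rules of its own.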
> 
> Ok, so to control smack label transitions, basically you would
> run with CAP_MAC_OVERRIDE (see my note later) so that you're
> allowed to change your smack label by writing to
> /proc/self/attr/current, then you drop CAP_MAC_OVERRIDE, then you're
> no longer able to change your label?  I.e. no inherent label changing
> rules through smack itself?

That is correct. Smack task labels do not change spontaneously.

> Just making sure I have that right.  If I do, then I think at least
> defining the word 'privileged' above, given that this is mac,
> would help.

Good idea.

> ...
> > --- linux-2.6.23-rc8-base/security/smack/Kconfig	1969-12-31
> 16:00:00.000000000 -0800
> > +++ linux-2.6.23-rc8-smack/security/smack/Kconfig	2007-09-25
> 15:30:38.000000000 -0700
> > @@ -0,0 +1,10 @@
> > +config SECURITY_SMACK
> > +	bool "Simplified Mandatory Access Control Kernel Support"
> > +	depends on NETLABEL && SECURITY_NETWORK
> > +	default n
> > +	help
> > +	  This selects the Simplified Mandatory Access Control Kernel.
> > +	  Smack is useful for sensitivity, integrity, and a variety
> > +	  of other mandatory security schemes.
> > +	  If you are unsure how to answer this question, answer N.
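Review bot: `default n` is already the Kconfig default for a bool and can be dropped. The help text would be more useful if it said that Smack must not be built together with another security module, that it provides POSIX capabilities itself, and that it needs NETLABEL and SECURITY_NETWORK, since the `depends on` line silently hides the option when those are off.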
> 
> Might point out that no other modules must be compiled in along with
> smack, and that smack will do posix capabilities.

Also a good idea.

> ...
> > +/**
> > + * smk_write_load - write() for /smack/load
> > + * @filp: file pointer, not actually used
> > + * @buf: where to get the data from
> > + * @count: bytes sent
> > + * @ppos: where to start
> > + *
> > + * Returns number of bytes written or error code, as appropriate
> > + */
> > +static ssize_t smk_write_load(struct file *file, const char __user *buf,
> > +			      size_t count, loff_t *ppos)
> > +{
> > +	struct smack_rule rule;
> > +	ssize_t rc = count;
> > +	char *data = NULL;
> > +	char subjectstr[SMK_LABELLEN];
> > +	char objectstr[SMK_LABELLEN];
> > +	char modestr[8];
> > +	char *cp;
> > +
> > +
> > +	if (!capable(CAP_MAC_OVERRIDE))
> > +		return -EPERM;
> > +	/*
> > +	 * No partial writes.
> > +	 */
> > +	if (*ppos != 0)
> > +		return -EINVAL;
> > +
> > +	/*
> > +	 * 80 characters per line ought to be enough.
> > +	 */
> > +	if (count > SMACK_LIST_MAX * 80)
> > +		return -ENOMEM;
> > +
> > +	data = kzalloc(count + 1, GFP_KERNEL);
> > +	if (data == NULL)
> > +		return -ENOMEM;
> > +
> > +	if (copy_from_user(data, buf, count) != 0) {
> > +		kfree(data);
> > +		return -EFAULT;
> > +	}
> > +
> > +	*(data + count) = '\0';
> > +
> > +	for (cp = data - 1; cp != NULL; cp = strchr(cp + 1, '\n')) {
> > +		if (*++cp == '\0')
> > +			break;
> > +		if (sscanf(cp, "%23s %23s %7s\n", subjectstr, objectstr,
> > +			   modestr) != 3) {
> > +			printk("%s:%d bad scan\n", __func__, __LINE__);
> > +			break;
> > +		}
> > +		rule.smk_subject = smk_import(subjectstr, 0);
> > +		if (rule.smk_subject == NULL)
> > +			break;
> > +		rule.smk_object = smk_import(objectstr, 0);
> > +		if (rule.smk_object == NULL)
> > +			break;
> > +		rule.smk_access = 0;
> > +		if (strpbrk(modestr, "rR") != NULL)
> > +			rule.smk_access |= MAY_READ;
> > +		if (strpbrk(modestr, "wW") != NULL)
> > +			rule.smk_access |= MAY_WRITE;
> > +		if (strpbrk(modestr, "xX") != NULL)
> > +			rule.smk_access |= MAY_EXEC;
> > +		if (strpbrk(modestr, "aA") != NULL)
> > +			rule.smk_access |= MAY_APPEND;
> > +		smk_set_access(&rule);
> > +		printk("%s:%d rule %s %s 0x%x\n", __func__, __LINE__,
> > +			(char *)rule.smk_subject, (char *)rule.smk_object,
> > +			rule.smk_access);
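Review bot: the error paths inside the parse loop leave rc at count, so a buffer containing a malformed line or a label that smk_import() rejects breaks out of the loop and, unless rc is changed after the loop outside this hunk, is reported to the writer as fully consumed; set `rc = -EINVAL;` before each of those `break` statements so user space learns that part of the policy was not loaded. Smaller points in the same hunk: the kernel-doc names the first parameter `@filp` while the prototype calls it `file`; both printk() calls lack a KERN_ level, and the one that prints `rule %s %s 0x%x` logs every loaded rule at default priority, so it should be KERN_DEBUG or removed; `*(data + count) = '\0';` is redundant after kzalloc(count + 1); and the `%23s` widths hard-code SMK_LABELLEN - 1 rather than deriving from the macro.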
> 
> Are you sure this isn't something you'd like to really audit?
> 
> (Sorry if that's been asked before)

There is work required in audit, SELinux, and LSM before Smack or
any other module can really use audit properly. Smack using audit
would be nice, but there are already interesting cases that don't
require it. I have fixing up audit on my todo list, and have made
some proposals. It will require a group effort between audit,
SELinux, Smack, and LSM.

> ...
> > +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
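Review bot: aliasing CAP_MAC_OVERRIDE to CAP_LINUX_IMMUTABLE means that every process already holding CAP_LINUX_IMMUTABLE (for example anything that needs chattr +i) can also rewrite Smack policy through /smack/load and relabel itself. Until a dedicated bit exists, document this overlap in the Kconfig help and in the Documentation file so administrators know which existing capability effectively becomes the MAC administrator.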
> 
> We're basically inevitably going to be switching to 64-bit caps
> "any day now".  Should we just go ahead and do it here?  Now
> maybe we should use a less controversial name than 'mac override'
> like 'CAP_MAC_POLICY_ADMIN' :), but I guess CAP_MAC_OVERRIDE
> is honest.
> 
> (I had started a 64-bit caps patch, but then got stuck trying to
> decide whether something needed to be done about
> task_capability_lock...)
> 
> Well, I guess you wouldn't want to bog down your patch to
> that, but would you take your own bit once it was available,
> or are you happy just using CAP_LINUX_IMMUTABLE?

I would be delighted to have a bit of my very own. The granularity
advocates might suggest I use more than one.

Thank you for the comments.


Casey Schaufler
casey@schaufler-ca.com
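As an added example, not code from the Smack patch or from anyone in this thread, here is a small user-space launcher in C that carries out the transition Serge describes above: while it still holds CAP_MAC_OVERRIDE it writes the target label to /proc/self/attr/current, then drops that capability from its effective, permitted and inheritable sets with raw capget/capset, and only then execs the confined program, which can no longer relabel itself. It assumes a Smack-enabled kernel for the label write to succeed, uses syscall(2) instead of libcap so it builds with only the UAPI headers, and falls back to the patch's CAP_LINUX_IMMUTABLE alias when the header has no CAP_MAC_OVERRIDE; the names clear_cap_bit, smack_set_label and drop_cap_mac_override are mine.

```c
/* Added example, not code from the Smack patch or this thread: a launcher
 * that sets its Smack label while it holds CAP_MAC_OVERRIDE, drops the
 * capability, then execs a program that can no longer relabel itself.
 * Assumes a Smack-enabled kernel; capget/capset are called via syscall(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

long syscall(long number, ...);	/* prototype in case _GNU_SOURCE was not in effect */

#ifndef CAP_MAC_OVERRIDE
/* The v3 patch under review aliases the bit to CAP_LINUX_IMMUTABLE; later
 * kernels give CAP_MAC_OVERRIDE its own number in this header. */
#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE
#endif

#define SMACK_ATTR_PATH "/proc/self/attr/current"

/* Pure helper: clear one capability bit from all three sets of a
 * _LINUX_CAPABILITY_VERSION_3 data array (two 32-bit words per set).
 * Returns how many of the three sets actually had the bit, or -EINVAL. */
int clear_cap_bit(struct __user_cap_data_struct data[2], int cap)
{
	unsigned idx = (unsigned)cap >> 5, mask = 1U << (cap & 31);
	int cleared = 0;

	if (cap < 0 || idx > 1)
		return -EINVAL;
	if (data[idx].effective & mask) { data[idx].effective &= ~mask; cleared++; }
	if (data[idx].permitted & mask) { data[idx].permitted &= ~mask; cleared++; }
	if (data[idx].inheritable & mask) { data[idx].inheritable &= ~mask; cleared++; }
	return cleared;
}

/* Write the new task label. Returns 0 or -errno. Once CAP_MAC_OVERRIDE is
 * gone this fails with EPERM, which is the property the launcher relies on. */
int smack_set_label(const char *label)
{
	int fd = open(SMACK_ATTR_PATH, O_WRONLY);
	ssize_t n;

	if (fd < 0)
		return -errno;
	n = write(fd, label, strlen(label));
	if (n < 0) {
		int err = errno;
		close(fd);
		return -err;
	}
	close(fd);
	return 0;
}

/* Drop CAP_MAC_OVERRIDE from the calling thread. Returns 0 or -errno. */
int drop_cap_mac_override(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2];

	if (syscall(SYS_capget, &hdr, data) != 0)
		return -errno;
	if (clear_cap_bit(data, CAP_MAC_OVERRIDE) < 0)
		return -EINVAL;
	if (syscall(SYS_capset, &hdr, data) != 0)
		return -errno;
	return 0;
}

/* usage: launcher LABEL PROGRAM [ARGS...]  (run with CAP_MAC_OVERRIDE held) */
int main(int argc, char *argv[])
{
	int rc;

	if (argc < 3) {
		fprintf(stderr, "usage: %s LABEL PROGRAM [ARGS...]\n", argv[0]);
		return 2;
	}
	rc = smack_set_label(argv[1]);
	if (rc < 0) {
		fprintf(stderr, "cannot set label %s: %s\n", argv[1], strerror(-rc));
		return 1;
	}
	rc = drop_cap_mac_override();
	if (rc < 0) {
		fprintf(stderr, "cannot drop CAP_MAC_OVERRIDE: %s\n", strerror(-rc));
		return 1;
	}
	execvp(argv[2], argv + 2);
	perror("execvp");
	return 1;
}
```

The order matters: the label write must come first, because after capset the same write returns EPERM. This only clears the thread's own capability sets; on kernels that have a capability bounding set, a launcher that wants to be sure a later exec of a file-capability binary cannot reacquire the bit would also drop it from the bounding set with prctl(PR_CAPBSET_DROP), which did not exist in the 2.6.23 tree this patch targets.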
