From: Rafał Krypa
Date: Thu, 15 Oct 2015 09:48:53 +0200
To: Casey Schaufler
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Zbigniew Jasinski, Tomasz Swierczek
Subject: Re: [PATCH v4] Smack: limited capability for changing process label
Message-id: <561F5A65.8070502@samsung.com>
In-reply-to: <1444838083-890-1-git-send-email-r.krypa@samsung.com>

On 2015-10-14 17:54, Rafal Krypa wrote:
> From: Zbigniew Jasinski
>
> This feature introduces a new kernel interface:
>
> - /relabel-self - for setting the transition labels list
>
> This list is used to control the smack label transition mechanism.
> The list is set by, and per, process. A process can transit to a new label only if
> the label is on the list. Only a process with the CAP_MAC_ADMIN capability can add
> labels to this list. With this list, a process can change its label without
> CAP_MAC_ADMIN, but only once. After the label change, the list is unset.
>
> Changes in v2:
> * use list_for_each_entry instead of _rcu during label write
> * added missing description in security/Smack.txt
>
> Changes in v3:
> * squashed into one commit
>
> Changes in v4:
> * switch from global list to per-task list
> * since the per-task list is accessed only by the task itself
>   there is no need to use synchronization mechanisms on it
>
> Signed-off-by: Zbigniew Jasinski
> Signed-off-by: Rafal Krypa
> ---
>  Documentation/security/Smack.txt |  14 ++++
>  security/smack/smack.h           |   3 +-
>  security/smack/smack_access.c    |   6 +-
>  security/smack/smack_lsm.c       |  73 ++++++++++++++++-
>  security/smack/smackfs.c         | 167 ++++++++++++++++++++++++++++++++++++---
>  5 files changed, 246 insertions(+), 17 deletions(-)
>
> diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
> index 5e6d07f..d9ace08 100644
> --- a/Documentation/security/Smack.txt
> +++ b/Documentation/security/Smack.txt
> @@ -255,6 +255,20 @@ unconfined
>  the access permitted if it wouldn't be otherwise. Note that this
>  is dangerous and can ruin the proper labeling of your system.
>  It should never be used in production.
> +relabel-self
> + This interface contains a list of labels to which the process can
> + transition to, by writing to /proc/self/attr/current.
> + Normally a process can change its own label to any legal value, but only
> + if it has CAP_MAC_ADMIN. This interface allows a process without
> + CAP_MAC_ADMIN to relabel itself to one of labels from predefined list.
> + A process without CAP_MAC_ADMIN can change its label only once. When it
> + does, this list will be cleared.
> +
> + The format accepted on write is:
> + "%s"
> + for adding label, and:
> + "-%s"
> + for removing label from list.

I have one concern here; let me make some self-criticism.

The interface described here for relabel-self is convenient and suits the actual needs of the user-space parts that are going to use it. But it is inconsistent with other existing interfaces in smackfs.

Recently I submitted a patch (merged into v4.2) that extended onlycap to allow multiple labels in it. The smackfs interface for onlycap always takes the full list of labels that replaces the list that was previously set. Now relabel-self is also going to contain a list of labels. But the smackfs interface gets one label at a time and performs add/remove operations.

Are you OK with such an inconsistency?
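Review bot: The first sentence of the relabel-self description doubles the preposition ("list of labels to which the process can transition to"); suggest "a list of labels to which the process can transition by writing to /proc/self/attr/current". The text also leaves two behaviours undocumented that anyone writing to this interface will need to know: whether a write to /proc/self/attr/current by a process that does hold CAP_MAC_ADMIN also clears the list, and, since the cover text describes the list as per-task, whether it survives fork and exec. Finally, the one-label-per-write add/remove format differs from onlycap, which replaces the whole list on each write, as Rafał's reply above points out; if the per-label format is kept, the documentation should state what happens on adding a label already on the list or removing one that is not there (silently ignored or an error).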