From: Rafał Krypa
To: Casey Schaufler
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Zbigniew Jasinski, Tomasz Swierczek
Subject: Re: [PATCH v4] Smack: limited capability for changing process label
Date: Fri, 16 Oct 2015 14:31:20 +0200
Message-id: <5620EE18.2090705@samsung.com>
In-reply-to: <561F5E02.1080505@schaufler-ca.com>
References: <1444838083-890-1-git-send-email-r.krypa@samsung.com> <561F5A65.8070502@samsung.com> <561F5E02.1080505@schaufler-ca.com>

On 2015-10-15 10:04, Casey Schaufler wrote:
> On 10/15/2015 12:48 AM, Rafał Krypa wrote:
>> On 2015-10-14 17:54, Rafal Krypa wrote:
>>> From: Zbigniew Jasinski
>>>
>>> This feature introduces new kernel interface:
>>>
>>> - /relabel-self - for setting transition labels list
>>>
>>> This list is used to control smack label transition mechanism.
>>> List is set by, and per process. Process can transit to new label only if
>>> label is on the list. Only process with CAP_MAC_ADMIN capability can add
>>> labels to this list. With this list, process can change its label without
>>> CAP_MAC_ADMIN but only once. After label changing, list is unset.
>>>
>>> Changes in v2:
>>> * use list_for_each_entry instead of _rcu during label write
>>> * added missing description in security/Smack.txt
>>>
>>> Changes in v3:
>>> * squashed into one commit
>>>
>>> Changes in v4:
>>> * switch from global list to per-task list
>>> * since the per-task list is accessed only by the task itself
>>> there is no need to use synchronization mechanisms on it
>>>
>>> Signed-off-by: Zbigniew Jasinski
>>> Signed-off-by: Rafal Krypa
>>> ---
>>> Documentation/security/Smack.txt | 14 ++++
>>> security/smack/smack.h | 3 +-
>>> security/smack/smack_access.c | 6 +-
>>> security/smack/smack_lsm.c | 73 ++++++++++++++++-
>>> security/smack/smackfs.c | 167 ++++++++++++++++++++++++++++++++++++---
>>> 5 files changed, 246 insertions(+), 17 deletions(-)
>>>
>>> diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
>>> index 5e6d07f..d9ace08 100644
>>> --- a/Documentation/security/Smack.txt
>>> +++ b/Documentation/security/Smack.txt
>>> @@ -255,6 +255,20 @@ unconfined >>> the access permitted if it wouldn't be otherwise. Note that this >>> is dangerous and can ruin the proper labeling of your system. >>> It should never be used in production. >>> +relabel-self >>> + This interface contains a list of labels to which the process can >>> + transition to, by writing to /proc/self/attr/current. >>> + Normally a process can change its own label to any legal value, but only >>> + if it has CAP_MAC_ADMIN. This interface allows a process without >>> + CAP_MAC_ADMIN to relabel itself to one of labels from predefined list. >>> + A process without CAP_MAC_ADMIN can change its label only once. When it >>> + does, this list will be cleared. >>> + >>> + The format accepted on write is: >>> + "%s" >>> + for adding label, and: >>> + "-%s" >>> + for removing label from list.
>> I have one concern here, let me make some self-criticism.
>> The interface described here for relabel-self is convenient and suiting actual needs of user space parts that are going to use it.
>> But it is inconsistent with other existing interfaces in smackfs. Recently I submitted a patch (merged into v4.2) that extended onlycap to allow multiple labels in it.
>> The smackfs interface for onlycap always takes the full list of labels that replaces the list that was previously set.
>> Now relabel-self is also going to contain a list of labels. But smackfs interface gets one label at a time and performs add/remove operations.
>>
>> Are you OK with such inconsistency?
>>
> A foolish consistency is the hobgoblin of little minds.
>
> More directly, I am fine with it. Some of your previous work
> made removing labels from lists practical where it had not been
> before. I would rather have an inconsistent interface set
> than one that is consistently bad.

I am sorry for causing confusion. I have reassessed the user space requirements and it seems that with a per-task list, it will always be written in full.
The ability to add or remove labels was nice, but only useful when the list was global. So please let me update the patch one more time, with relabel-self having the same interface as onlycap.
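Review bot: the new Smack.txt entry never says who may write relabel-self, although the commit message states that only a process with CAP_MAC_ADMIN can add labels to the list; add that sentence next to "This interface allows a process without CAP_MAC_ADMIN to relabel itself to one of labels from predefined list." so the privilege split is visible in the documentation and not only in the changelog. Two smaller points in the same hunk: "a list of labels to which the process can transition to" has a doubled preposition, and since v4 makes the list per-task the entry should say whether it is inherited across fork() and execve() or cleared, because the one-shot semantics depend on that. Finally, the documented "%s" / "-%s" add-remove format is the one the author says in this thread he will replace with the onlycap-style full-list write, so this part of the text will need to be rewritten with the next revision.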
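The sequence the commit message and the Smack.txt hunk describe, written out as an added example that is not part of the patch or of the Smack tree: a launcher that still holds CAP_MAC_ADMIN publishes its one-shot transition list, drops the capability, relabels itself once through /proc/self/attr/current, and then checks that a second relabel is refused because the list was cleared. Everything not stated in the thread is an assumption: the smackfs mount point /sys/fs/smackfs (the patch only names the file relabel-self), the space-separated full-list write format (the onlycap-style interface the author says he is switching to, not the per-label "%s" / "-%s" format of the v4 hunk), the label syntax checks modelled on Smack's smk_parse_smack(), the raw capset(2) used to drop the capability, and the constructed label names "Alpha" and "Beta". On a kernel without Smack, or without this patch, step 1 fails with ENOENT and the program exits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Assumed smackfs mount point; the patch only names the file "relabel-self". */
#define SMACKFS_RELABEL_SELF "/sys/fs/smackfs/relabel-self"
#define PROC_ATTR_CURRENT    "/proc/self/attr/current"
#define SMK_LONGLABEL        256   /* Smack's maximum label length */

/* Assumed to mirror smk_parse_smack(): printable ASCII, no whitespace, none of
 * the characters / " \ ', non-empty and at most SMK_LONGLABEL bytes. */
int smack_label_ok(const char *label)
{
	size_t i, n = strlen(label);
	if (n == 0 || n > SMK_LONGLABEL) return 0;
	for (i = 0; i < n; i++) {
		unsigned char c = (unsigned char)label[i];
		if (c <= ' ' || c > '~' || c == '/' || c == '"' || c == '\\' || c == '\'')
			return 0;
	}
	return 1;
}

/* Build the onlycap-style full list ("Alpha Beta") that replaces whatever was
 * set before (assumed format). Returns the length written, or -EINVAL / -ENOSPC. */
int build_relabel_list(const char *const *labels, size_t n, char *out, size_t outsz)
{
	size_t used = 0, i;
	if (outsz == 0) return -ENOSPC;
	for (i = 0; i < n; i++) {
		size_t len = strlen(labels[i]);
		if (!smack_label_ok(labels[i])) return -EINVAL;
		if (used + len + (i ? 1 : 0) + 1 > outsz) return -ENOSPC;
		if (i) out[used++] = ' ';
		memcpy(out + used, labels[i], len);
		used += len;
	}
	out[used] = '\0';
	return (int)used;
}

/* One write(2) per attribute, as smackfs and procfs expect. Returns 0 or -errno. */
static int write_attr(const char *path, const char *buf, size_t len)
{
	int fd = open(path, O_WRONLY);
	if (fd < 0) return -errno;
	ssize_t w = write(fd, buf, len);
	int err = w < 0 ? -errno : (w != (ssize_t)len ? -EIO : 0);
	close(fd);
	return err;
}

/* Step 1 (still holding CAP_MAC_ADMIN): publish the one-shot transition list. */
int smack_set_relabel_self(const char *const *labels, size_t n)
{
	char buf[4096];
	int len = build_relabel_list(labels, n, buf, sizeof buf);
	return len < 0 ? len : write_attr(SMACKFS_RELABEL_SELF, buf, (size_t)len);
}

/* Step 3: the relabel itself goes through the ordinary /proc interface. */
int smack_relabel_self(const char *label)
{
	if (!smack_label_ok(label)) return -EINVAL;
	return write_attr(PROC_ATTR_CURRENT, label, strlen(label));
}

/* Step 2: drop CAP_MAC_ADMIN from all three sets with the raw capset(2). */
int drop_cap_mac_admin(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	unsigned int idx = CAP_MAC_ADMIN / 32, bit = 1u << (CAP_MAC_ADMIN % 32);
	if (syscall(SYS_capget, &hdr, data) < 0) return -errno;
	data[idx].effective &= ~bit;
	data[idx].permitted &= ~bit;
	data[idx].inheritable &= ~bit;
	if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
	return 0;
}

int main(void)
{
	static const char *const allowed[] = { "Alpha", "Beta" }; /* constructed labels */
	int err = smack_set_relabel_self(allowed, 2);
	if (err == 0) err = drop_cap_mac_admin();
	if (err == 0) err = smack_relabel_self("Alpha");
	if (err < 0) {
		fprintf(stderr, "setup: %s\n", strerror(-err));
		return 1;
	}
	/* The first change cleared the list, so a second one must be refused. */
	err = smack_relabel_self("Beta");
	printf("second relabel %s\n", err ? "refused as expected" : "UNEXPECTEDLY succeeded");
	return err ? 0 : 1;
}
```

The order of the steps is the point: the list is written while the process is still privileged, the capability is dropped before the first relabel so that the write to /proc/self/attr/current really exercises the new relabel-self path rather than the CAP_MAC_ADMIN path, and the final write to a label that was on the list verifies the "only once" rule from the commit message. Because the list is per-task in v4, a launcher that forks workers must set the list in the child that will relabel, not in the parent.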