From: Casey Schaufler <casey@schaufler-ca.com>
To: Seth Forshee <seth.forshee@canonical.com>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-kernel@vger.kernel.org, linux-bcache@vger.kernel.org,
dm-devel@redhat.com, linux-raid@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v3 7/7] Smack: Handle labels consistently in untrusted mounts
Date: Tue, 17 Nov 2015 10:24:10 -0800 [thread overview]
Message-ID: <564B70CA.6020106@schaufler-ca.com> (raw)
In-Reply-To: <1447778351-118699-8-git-send-email-seth.forshee@canonical.com>
On 11/17/2015 8:39 AM, Seth Forshee wrote:
> The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
> differently in untrusted mounts. This is confusing and
> potentically problematic. Change this to handle them all the same
> way that SMACK64 is currently handled; that is, read the label
> from disk and check it at use time. For SMACK64 and SMACK64MMAP
> access is denied if the label does not match smk_root. To be
> consistent with suid, a SMACK64EXEC label which does not match
> smk_root will still allow execution of the file but will not run
> with the label supplied in the xattr.
>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> security/smack/smack_lsm.c | 29 +++++++++++++++++++----------
> 1 file changed, 19 insertions(+), 10 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 621200f86b56..9b7ff781df9a 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -891,6 +891,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
> struct inode *inode = file_inode(bprm->file);
> struct task_smack *bsp = bprm->cred->security;
> struct inode_smack *isp;
> + struct superblock_smack *sbsp;
> int rc;
>
> if (bprm->cred_prepared)
> @@ -900,6 +901,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
> if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
> return 0;
>
> + sbsp = inode->i_sb->s_security;
> + if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
> + isp->smk_task != sbsp->smk_root)
> + return 0;
> +
> if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
> struct task_struct *tracer;
> rc = 0;
> @@ -1703,6 +1709,7 @@ static int smack_mmap_file(struct file *file,
> struct task_smack *tsp;
> struct smack_known *okp;
> struct inode_smack *isp;
> + struct superblock_smack *sbsp;
> int may;
> int mmay;
> int tmay;
> @@ -1714,6 +1721,10 @@ static int smack_mmap_file(struct file *file,
> isp = file_inode(file)->i_security;
> if (isp->smk_mmap == NULL)
> return 0;
> + sbsp = file_inode(file)->i_sb->s_security;
> + if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
> + isp->smk_mmap != sbsp->smk_root)
> + return -EACCES;
> mkp = isp->smk_mmap;
>
> tsp = current_security();
> @@ -3492,16 +3503,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
> if (rc >= 0)
> transflag = SMK_INODE_TRANSMUTE;
> }
> - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) {
> - /*
> - * Don't let the exec or mmap label be "*" or "@".
> - */
> - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
> - if (IS_ERR(skp) || skp == &smack_known_star ||
> - skp == &smack_known_web)
> - skp = NULL;
> - isp->smk_task = skp;
> - }
> + /*
> + * Don't let the exec or mmap label be "*" or "@".
> + */
> + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
> + if (IS_ERR(skp) || skp == &smack_known_star ||
> + skp == &smack_known_web)
> + skp = NULL;
> + isp->smk_task = skp;
>
> skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
> if (IS_ERR(skp) || skp == &smack_known_star ||
next prev parent reply other threads:[~2015-11-17 18:30 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-17 16:39 [PATCH v3 0/7] User namespace mount updates Seth Forshee
2015-11-17 16:39 ` [PATCH v3 1/7] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2015-11-17 16:39 ` [PATCH v3 2/7] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2015-11-17 16:39 ` [PATCH v3 3/7] mtd: Check permissions towards mtd " Seth Forshee
2015-11-17 16:39 ` [PATCH v3 4/7] fs: Treat foreign mounts as nosuid Seth Forshee
2015-11-18 0:00 ` James Morris
2015-11-17 16:39 ` [PATCH v3 5/7] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2015-11-18 0:02 ` James Morris
2015-11-17 16:39 ` [PATCH v3 6/7] userns: Replace in_userns with current_in_userns Seth Forshee
2015-11-18 0:03 ` James Morris
2015-11-17 16:39 ` [PATCH v3 7/7] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2015-11-17 18:24 ` Casey Schaufler [this message]
2015-11-18 0:12 ` James Morris
2015-11-18 0:50 ` Seth Forshee
2015-11-17 17:05 ` [PATCH v3 0/7] User namespace mount updates Al Viro
2015-11-17 17:25 ` Seth Forshee
2015-11-17 17:45 ` Serge E. Hallyn
2015-11-17 17:55 ` Al Viro
2015-11-17 18:34 ` Seth Forshee
2015-11-17 19:12 ` Richard Weinberger
2015-11-17 19:21 ` Seth Forshee
2015-11-17 19:25 ` Octavian Purdila
2015-11-17 20:12 ` Richard Weinberger
2015-11-17 22:00 ` Octavian Purdila
2015-11-19 15:23 ` Seth Forshee
2015-11-19 16:19 ` Octavian Purdila
2015-11-19 16:31 ` Seth Forshee
2015-11-20 17:33 ` Serge E. Hallyn
2015-11-17 19:26 ` Richard Weinberger
2015-11-18 19:10 ` Theodore Ts'o
2015-11-18 19:28 ` Seth Forshee
2015-11-18 19:32 ` Serge Hallyn
2015-11-17 19:02 ` Austin S Hemmelgarn
2015-11-17 19:16 ` Seth Forshee
2015-11-17 20:54 ` Austin S Hemmelgarn
2015-11-17 21:32 ` Seth Forshee
2015-11-18 12:23 ` Austin S Hemmelgarn
2015-11-18 14:22 ` Seth Forshee
2015-11-18 14:58 ` Al Viro
2015-11-18 15:05 ` Seth Forshee
2015-11-18 15:13 ` Al Viro
2015-11-18 15:19 ` Richard Weinberger
2015-11-19 7:47 ` James Morris
2015-11-19 7:53 ` Richard Weinberger
2015-11-19 14:21 ` Serge E. Hallyn
2015-11-19 15:04 ` Richard Weinberger
2015-11-19 14:37 ` Colin Walters
2015-11-19 14:49 ` Richard Weinberger
2015-11-19 15:17 ` Richard W.M. Jones
2015-11-19 14:58 ` Serge E. Hallyn
2015-11-18 15:34 ` Austin S Hemmelgarn
2015-11-18 15:36 ` Nikolay Borisov
2015-11-17 19:30 ` Al Viro
2015-11-17 20:39 ` Austin S Hemmelgarn
2015-11-17 21:05 ` Al Viro
2015-11-17 22:01 ` Seth Forshee
2015-11-18 12:46 ` Austin S Hemmelgarn
2015-11-18 14:30 ` Seth Forshee
2015-11-18 15:38 ` Austin S Hemmelgarn
2015-11-18 18:44 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=564B70CA.6020106@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=dm-devel@redhat.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox