From: Casey Schaufler <[email protected]>
This patch assumes "Smack unlabeled outgoing ambient packets - v4"
which is one reason it's RFC.
Update the Smack LSM to allow the registration of the capability
"module" as a secondary LSM. Integrate the new hooks required for
file based capabilities.
Signed-off-by: Casey Schaufler <[email protected]>
---
security/smack/smack_lsm.c | 63 +++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 3 deletions(-)
diff -uprN -X linux-2.6.25-g0216-precap//Documentation/dontdiff linux-2.6.25-g0216-precap/security/smack/smack_lsm.c linux-2.6.25-g0216/security/smack/smack_lsm.c
--- linux-2.6.25-g0216-precap/security/smack/smack_lsm.c 2008-02-18 10:53:45.000000000 -0800
+++ linux-2.6.25-g0216/security/smack/smack_lsm.c 2008-02-18 14:15:25.000000000 -0800
@@ -584,6 +584,12 @@ static int smack_inode_getattr(struct vf
static int smack_inode_setxattr(struct dentry *dentry, char *name,
void *value, size_t size, int flags)
{
+ int rc;
+
+ rc = cap_inode_setxattr(dentry, name, value, size, flags);
+ if (rc != 0)
+ return rc;
+
if (!capable(CAP_MAC_ADMIN)) {
if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
@@ -658,6 +664,12 @@ static int smack_inode_getxattr(struct d
*/
static int smack_inode_removexattr(struct dentry *dentry, char *name)
{
+ int rc;
+
+ rc = cap_inode_removexattr(dentry, name);
+ if (rc != 0)
+ return rc;
+
if (strcmp(name, XATTR_NAME_SMACK) == 0 && !capable(CAP_MAC_ADMIN))
return -EPERM;
@@ -1016,7 +1028,12 @@ static void smack_task_getsecid(struct t
*/
static int smack_task_setnice(struct task_struct *p, int nice)
{
- return smk_curacc(p->security, MAY_WRITE);
+ int rc;
+
+ rc = cap_task_setnice(p, nice);
+ if (rc == 0)
+ rc = smk_curacc(p->security, MAY_WRITE);
+ return rc;
}
/**
@@ -1028,7 +1045,12 @@ static int smack_task_setnice(struct tas
*/
static int smack_task_setioprio(struct task_struct *p, int ioprio)
{
- return smk_curacc(p->security, MAY_WRITE);
+ int rc;
+
+ rc = cap_task_setioprio(p, ioprio);
+ if (rc == 0)
+ rc = smk_curacc(p->security, MAY_WRITE);
+ return rc;
}
/**
@@ -1053,7 +1075,12 @@ static int smack_task_getioprio(struct t
static int smack_task_setscheduler(struct task_struct *p, int policy,
struct sched_param *lp)
{
- return smk_curacc(p->security, MAY_WRITE);
+ int rc;
+
+ rc = cap_task_setscheduler(p, policy, lp);
+ if (rc == 0)
+ rc = smk_curacc(p->security, MAY_WRITE);
+ return rc;
}
/**
@@ -1093,6 +1120,11 @@ static int smack_task_movememory(struct
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
+ int rc;
+
+ rc = cap_task_kill(p, info, sig, secid);
+ if (rc != 0)
+ return rc;
/*
* Special cases where signals really ought to go through
* in spite of policy. Stephen Smalley suggests it may
@@ -1778,6 +1810,27 @@ static int smack_ipc_permission(struct k
return smk_curacc(isp, may);
}
+/* module stacking operations */
+
+/**
+ * smack_register_security - stack capability module
+ * @name: module name
+ * @ops: module operations - ignored
+ *
+ * Allow the capability module to register.
+ */
+static int smack_register_security(const char *name,
+ struct security_operations *ops)
+{
+ if (strcmp(name, "capability") != 0)
+ return -EINVAL;
+
+ printk(KERN_INFO "%s: Registering secondary module %s\n",
+ __func__, name);
+
+ return 0;
+}
+
/**
* smack_d_instantiate - Make sure the blob is correct on an inode
* @opt_dentry: unused
@@ -2412,6 +2465,8 @@ static struct security_operations smack_
.inode_post_setxattr = smack_inode_post_setxattr,
.inode_getxattr = smack_inode_getxattr,
.inode_removexattr = smack_inode_removexattr,
+ .inode_need_killpriv = cap_inode_need_killpriv,
+ .inode_killpriv = cap_inode_killpriv,
.inode_getsecurity = smack_inode_getsecurity,
.inode_setsecurity = smack_inode_setsecurity,
.inode_listsecurity = smack_inode_listsecurity,
@@ -2471,6 +2526,8 @@ static struct security_operations smack_
.netlink_send = cap_netlink_send,
.netlink_recv = cap_netlink_recv,
+ .register_security = smack_register_security,
+
.d_instantiate = smack_d_instantiate,
.getprocattr = smack_getprocattr,
On Mon, 2008-02-18 at 15:58 -0800, Casey Schaufler wrote:
> From: Casey Schaufler <[email protected]>
>
> This patch assumes "Smack unlabeled outgoing ambient packets - v4"
> which is one reason it's RFC.
>
> Update the Smack LSM to allow the registration of the capability
> "module" as a secondary LSM. Integrate the new hooks required for
> file based capabilities.
>
> Signed-off-by: Casey Schaufler <[email protected]>
>
> ---
>
> security/smack/smack_lsm.c | 63 +++++++++++++++++++++++++++++++++--
> 1 file changed, 60 insertions(+), 3 deletions(-)
>
> diff -uprN -X linux-2.6.25-g0216-precap//Documentation/dontdiff linux-2.6.25-g0216-precap/security/smack/smack_lsm.c linux-2.6.25-g0216/security/smack/smack_lsm.c
> --- linux-2.6.25-g0216-precap/security/smack/smack_lsm.c 2008-02-18 10:53:45.000000000 -0800
> +++ linux-2.6.25-g0216/security/smack/smack_lsm.c 2008-02-18 14:15:25.000000000 -0800
> @@ -584,6 +584,12 @@ static int smack_inode_getattr(struct vf
> static int smack_inode_setxattr(struct dentry *dentry, char *name,
> void *value, size_t size, int flags)
> {
> + int rc;
> +
> + rc = cap_inode_setxattr(dentry, name, value, size, flags);
> + if (rc != 0)
> + return rc;
You only want to do that if the attribute isn't one of the Smack
attributes. Otherwise, the capability module will apply a CAP_SYS_ADMIN
check on setting anything in the security namespace, including the Smack
attributes.
> +
> if (!capable(CAP_MAC_ADMIN)) {
> if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
> strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
> @@ -658,6 +664,12 @@ static int smack_inode_getxattr(struct d
> */
> static int smack_inode_removexattr(struct dentry *dentry, char *name)
> {
> + int rc;
> +
> + rc = cap_inode_removexattr(dentry, name);
> + if (rc != 0)
> + return rc;
Ditto.
> +
> if (strcmp(name, XATTR_NAME_SMACK) == 0 && !capable(CAP_MAC_ADMIN))
> return -EPERM;
>
> @@ -1016,7 +1028,12 @@ static void smack_task_getsecid(struct t
> */
> static int smack_task_setnice(struct task_struct *p, int nice)
> {
> - return smk_curacc(p->security, MAY_WRITE);
> + int rc;
> +
> + rc = cap_task_setnice(p, nice);
> + if (rc == 0)
> + rc = smk_curacc(p->security, MAY_WRITE);
> + return rc;
> }
>
> /**
> @@ -1028,7 +1045,12 @@ static int smack_task_setnice(struct tas
> */
> static int smack_task_setioprio(struct task_struct *p, int ioprio)
> {
> - return smk_curacc(p->security, MAY_WRITE);
> + int rc;
> +
> + rc = cap_task_setioprio(p, ioprio);
> + if (rc == 0)
> + rc = smk_curacc(p->security, MAY_WRITE);
> + return rc;
> }
>
> /**
> @@ -1053,7 +1075,12 @@ static int smack_task_getioprio(struct t
> static int smack_task_setscheduler(struct task_struct *p, int policy,
> struct sched_param *lp)
> {
> - return smk_curacc(p->security, MAY_WRITE);
> + int rc;
> +
> + rc = cap_task_setscheduler(p, policy, lp);
> + if (rc == 0)
> + rc = smk_curacc(p->security, MAY_WRITE);
> + return rc;
> }
>
> /**
> @@ -1093,6 +1120,11 @@ static int smack_task_movememory(struct
> static int smack_task_kill(struct task_struct *p, struct siginfo *info,
> int sig, u32 secid)
> {
> + int rc;
> +
> + rc = cap_task_kill(p, info, sig, secid);
> + if (rc != 0)
> + return rc;
> /*
> * Special cases where signals really ought to go through
> * in spite of policy. Stephen Smalley suggests it may
> @@ -1778,6 +1810,27 @@ static int smack_ipc_permission(struct k
> return smk_curacc(isp, may);
> }
>
> +/* module stacking operations */
> +
> +/**
> + * smack_register_security - stack capability module
> + * @name: module name
> + * @ops: module operations - ignored
> + *
> + * Allow the capability module to register.
> + */
> +static int smack_register_security(const char *name,
> + struct security_operations *ops)
> +{
> + if (strcmp(name, "capability") != 0)
> + return -EINVAL;
> +
> + printk(KERN_INFO "%s: Registering secondary module %s\n",
> + __func__, name);
> +
> + return 0;
> +}
> +
> /**
> * smack_d_instantiate - Make sure the blob is correct on an inode
> * @opt_dentry: unused
> @@ -2412,6 +2465,8 @@ static struct security_operations smack_
> .inode_post_setxattr = smack_inode_post_setxattr,
> .inode_getxattr = smack_inode_getxattr,
> .inode_removexattr = smack_inode_removexattr,
> + .inode_need_killpriv = cap_inode_need_killpriv,
> + .inode_killpriv = cap_inode_killpriv,
> .inode_getsecurity = smack_inode_getsecurity,
> .inode_setsecurity = smack_inode_setsecurity,
> .inode_listsecurity = smack_inode_listsecurity,
> @@ -2471,6 +2526,8 @@ static struct security_operations smack_
> .netlink_send = cap_netlink_send,
> .netlink_recv = cap_netlink_recv,
>
> + .register_security = smack_register_security,
> +
> .d_instantiate = smack_d_instantiate,
>
> .getprocattr = smack_getprocattr,
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Stephen Smalley
National Security Agency