Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753680AbbGOUnl (ORCPT <rfc822;w@1wt.eu>);
	Wed, 15 Jul 2015 16:43:41 -0400
Received: from smtp101.biz.mail.bf1.yahoo.com ([98.139.221.60]:23753 "EHLO
	smtp101.biz.mail.bf1.yahoo.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752581AbbGOUnk (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 15 Jul 2015 16:43:40 -0400
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: ZA7k8PcVM1mnTPM12vLGT4LitI9GzrTSyruK3GqHUtmZHih
 8IKC3Mzoj3jCTlBfxbnzLf4mZkvpGCeMQPSU2nzSOe1rOn.jAvMrdCO3LCGu
 cY6xYzq2BUj8BZ.954_ui88LBf.R0nL5puq2iiahL67PqMgfAi37DaVM3UAq
 FJ6OmluZOUX7ccuLIjI_Lz4EPYUSxBqoBNM0jf52Jlo8VlSSW5rvCiovvczQ
 lxTSp9BdOlrfMPH5MuYOtQx1iQJVkNxrpWSGSWHrS5LLpy3KVF0Dm9YK5eWq
 1fqfTI4BVZ8Mvcle0SFNPKdPrJPHE645EmLgKKaFDPZ6KCMddIo2k2LO.SMW
 BfLgmiSaT4eY2_suxB3LvHHSOpr4BRLiM6Y24BwMHY9CIzP36I4W1RisGzNh
 puqJWQp6q.DBzoN9PhAiv42D6wHCvf_bP5WFH12bcxnFZ78LpJrZo5HZk2Yk
 7fNh8MA627f4D4xTGtSZ8C.zrlwi8WqYHq8paOEo9jEjC.3dO40lonGRirSR
 91dfwCJij_RnPnMdC5j3ekR7yLWSaV7..Sl.xIg--
X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw--
Message-ID: <55A6C5FD.4090503@schaufler-ca.com>
Date: Wed, 15 Jul 2015 13:43:41 -0700
From: Casey Schaufler <casey@schaufler-ca.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Seth Forshee <seth.forshee@canonical.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>
CC: Serge Hallyn <serge.hallyn@canonical.com>,
        Andy Lutomirski <luto@amacapital.net>, linux-fsdevel@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
        linux-kernel@vger.kernel.org, James Morris <james.l.morris@oracle.com>,
        "Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH 7/7] smack: Don't use security labels for user namespace
 mounts
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1436989569-69582-8-git-send-email-seth.forshee@canonical.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2277
Lines: 64

On 7/15/2015 12:46 PM, Seth Forshee wrote:
> Avoid use of untrusted security labels when s_user_ns !=
> init_user_ns:
>  - smk_fetch: refuse to read labels from disk
>  - smack_inode_init_security: return -ENOTSUPP
>  - smack_d_instantiate: don't use security xattrs from disk
>
> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

I do not like this at all at all. Pretending that Smack
doesn't exist in a user namespace can lead to all sorts
of blatant security violations, both while the filesystem
is mounted in the namespace and in the init namespace.

> ---
>  security/smack/smack_lsm.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a143328f75eb..6a849da94f47 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -255,6 +255,9 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
>  	char *buffer;
>  	struct smack_known *skp = NULL;
>  
> +	if (ip->i_sb->s_user_ns != &init_user_ns)
> +		return NULL;
> +
>  	if (ip->i_op->getxattr == NULL)
>  		return ERR_PTR(-EOPNOTSUPP);
>  
> @@ -833,6 +836,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
>  	struct smack_known *dsp = smk_of_inode(dir);
>  	int may;
>  
> +	if (inode->i_sb->s_user_ns != &init_user_ns)
> +		return -ENOTSUPP;
> +
>  	if (name)
>  		*name = XATTR_SMACK_SUFFIX;
>  
> @@ -3176,11 +3182,13 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
>  		}
>  		/*
>  		 * No xattr support means, alas, no SMACK label.
> -		 * Use the aforeapplied default.
> +		 * Use the aforeapplied default. Also don't use
> +		 * xattrs from userns mounts.
>  		 * It would be curious if the label of the task
>  		 * does not match that assigned.
>  		 */
> -		if (inode->i_op->getxattr == NULL)
> +		if (inode->i_sb->s_user_ns != &init_user_ns ||
> +		    inode->i_op->getxattr == NULL)
>  			break;
>  		/*
>  		 * Get the dentry for xattr.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/