Message-ID: <55A6C5FD.4090503@schaufler-ca.com>
Date: Wed, 15 Jul 2015 13:43:41 -0700
From: Casey Schaufler
To: Seth Forshee, "Eric W. Biederman", Alexander Viro
CC: Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, James Morris, "Serge E. Hallyn"
Subject: Re: [PATCH 7/7] smack: Don't use security labels for user namespace mounts
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <1436989569-69582-8-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1436989569-69582-8-git-send-email-seth.forshee@canonical.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/15/2015 12:46 PM, Seth Forshee wrote:
> Avoid use of untrusted security labels when s_user_ns !=
> init_user_ns:
> - smk_fetch: refuse to read labels from disk
> - smack_inode_init_security: return -ENOTSUPP
> - smack_d_instantiate: don't use security xattrs from disk
>
> Signed-off-by: Seth Forshee

I do not like this at all at all. Pretending that Smack doesn't exist in a
user namespace can lead to all sorts of blatant security violations, both
while the filesystem is mounted in the namespace and in the init namespace.

> --- > security/smack/smack_lsm.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index a143328f75eb..6a849da94f47 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -255,6 +255,9 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, > char *buffer; > struct smack_known *skp = NULL; > > + if (ip->i_sb->s_user_ns != &init_user_ns) > + return NULL; > + > if (ip->i_op->getxattr == NULL) > return ERR_PTR(-EOPNOTSUPP);
> > @@ -833,6 +836,9 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, > struct smack_known *dsp = smk_of_inode(dir); > int may; > > + if (inode->i_sb->s_user_ns != &init_user_ns) > + return -ENOTSUPP; > + > if (name) > *name = XATTR_SMACK_SUFFIX; > > @@ -3176,11 +3182,13 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) > } > /* > * No xattr support means, alas, no SMACK label. > - * Use the aforeapplied default. > + * Use the aforeapplied default. Also don't use > + * xattrs from userns mounts. > * It would be curious if the label of the task > * does not match that assigned. > */ > - if (inode->i_op->getxattr == NULL) > + if (inode->i_sb->s_user_ns != &init_user_ns || > + inode->i_op->getxattr == NULL) > break; > /* > * Get the dentry for xattr.
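
Review bot: In the smk_fetch hunk, the new check returns a bare NULL where the check directly below it returns ERR_PTR(-EOPNOTSUPP), and nothing in the hunk tells a caller that on-disk labels were deliberately ignored rather than absent. Add a comment above `if (ip->i_sb->s_user_ns != &init_user_ns)` stating which label each caller is expected to fall back to, or return a distinct ERR_PTR value so every caller has to handle the untrusted-mount case explicitly.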
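
Review bot: In the smack_inode_init_security hunk, the early return uses -ENOTSUPP, while the smk_fetch context in the first hunk of this same file uses -EOPNOTSUPP for the "no xattr support" case; these are different errno values. Confirm that the caller of this hook treats -ENOTSUPP as "no security xattr to initialise" rather than as a creation failure, or switch to -EOPNOTSUPP for consistency. The return also happens before `*name = XATTR_SMACK_SUFFIX;`, so a short comment that new inodes on such mounts intentionally get no Smack xattr would help.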
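
Review bot: In the smack_d_instantiate hunk, the updated comment says xattrs from userns mounts are not used but still only refers to "the aforeapplied default" without saying which label that is for a mount where `inode->i_sb->s_user_ns != &init_user_ns`. Since the security of the change rests on that fallback label, name it in the comment and say why it is safe for files on an untrusted mount. The same `s_user_ns != &init_user_ns` test now appears in all three hunks; a small helper with a descriptive name would keep the policy in one place.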