Message-id: <1437738032.2190.2.camel@samsung.com>
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
From: Lukasz Pawelczyk
To: Sungbae Yoo, Casey Schaufler
Cc: James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 24 Jul 2015 13:40:32 +0200
In-reply-to: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com>

On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> If current task has capabilities, Smack operations (eg. Changing own smack
> label) should be available even inside of namespace.
>
> Signed-off-by: Sungbae Yoo
>
> diff --git a/security/smack/smack_access.c > b/security/smack/smack_access.c > index 00f6b38..f6b2c35 100644 > --- a/security/smack/smack_access.c > +++ b/security/smack/smack_access.c
> @@ -639,7 +639,7 @@ int smack_privileged(int cap) > struct smack_known *skp = smk_of_current(); > struct smack_onlycap *sop; > > - if (!capable(cap)) > + if (!ns_capable(current_user_ns(), cap)) > return 0;

It's not that easy. With this change Smack becomes completely insecure. You can change rules as an unprivileged user without any problems now.

What you want is Smack namespace that was made to remedy exactly this issue (e.g. changing own labels inside a namespace).

> > rcu_read_lock(); > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index a143328..7fdc3dd 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct > task_struct *tracer, > rc = 0; > else if (smack_ptrace_rule == > SMACK_PTRACE_DRACONIAN) > rc = -EACCES; > - else if (capable(CAP_SYS_PTRACE)) > + else if (ns_capable(__task_cred(tracer)->user_ns, > + CAP_SYS_PTRACE)) > rc = 0; > else > rc = -EACCES;

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
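
Review bot: In the smack_access.c hunk, `ns_capable(current_user_ns(), cap)` in smack_privileged() tests the capability in the caller's own user namespace, where a task that created the namespace already holds every capability, so the check no longer separates privileged from unprivileged callers. Keep `capable(cap)` here, or limit the namespace-relative check to operations whose effect stays inside that namespace, and have the commit message say which operations those are.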
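
Review bot: In the smack_lsm.c hunk, `ns_capable(__task_cred(tracer)->user_ns, CAP_SYS_PTRACE)` in smk_ptrace_rule_check() mixes two subjects: ns_capable() evaluates the current task's credentials, while the namespace is taken from tracer, and that namespace is the tracer's own rather than one tied to the task being traced. Add a comment stating which task and which namespace the check is meant to cover, and if the aim is to relax this branch inside namespaces, check against the tracee's namespace instead.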
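
The objection raised in the reply above, as an added example that is not part of the original message or of the kernel source: a simplified user-space model of the kernel's capability walk, showing why a check made in the caller's own user namespace passes for a user who has created a namespace while the check against the initial namespace does not. The structs, the `model_*` and `privileged_*` names and uid 1000 are constructed for illustration; only the `CAP_MAC_ADMIN` value is the real one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_MAC_ADMIN 33            /* value from linux/capability.h */

/* Constructed stand-ins for the kernel's user_namespace and cred. */
struct user_ns { struct user_ns *parent; unsigned owner; };
struct cred { struct user_ns *ns; unsigned euid; uint64_t effective; };

static struct user_ns init_ns = { NULL, 0 };

/* Model of the capability walk: does c hold cap relative to target? */
static bool model_ns_capable(const struct cred *c, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ; ns = ns->parent) {
        if (ns == c->ns)                        /* same namespace: use the cap set */
            return (c->effective >> cap) & 1;
        if (ns == &init_ns)                     /* reached the root without a match */
            return false;
        if (ns->parent == c->ns && ns->owner == c->euid)
            return true;                        /* owner, seen from the parent ns */
    }
}

/* Model of creating a user namespace: owned by the caller, who gets a
 * full capability set that is valid only inside the new namespace. */
static struct cred model_unshare_userns(const struct cred *c, struct user_ns *child)
{
    child->parent = c->ns;
    child->owner = c->euid;
    struct cred inside = { child, c->euid, ~(uint64_t)0 };
    return inside;
}

/* The check before the patch: capability relative to the initial namespace. */
static bool privileged_before(const struct cred *c) { return model_ns_capable(c, &init_ns, CAP_MAC_ADMIN); }
/* The check after the patch: capability relative to the caller's own namespace. */
static bool privileged_after(const struct cred *c) { return model_ns_capable(c, c->ns, CAP_MAC_ADMIN); }

int main(void)
{
    struct cred user = { &init_ns, 1000, 0 };   /* constructed unprivileged user */
    struct user_ns child;
    struct cred inside = model_unshare_userns(&user, &child);

    printf("before patch: %d\n", privileged_before(&inside));
    printf("after patch:  %d\n", privileged_after(&inside));
    return 0;
}
```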