Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
To: Lukasz Pawelczyk, Sungbae Yoo
References: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com> <1437738032.2190.2.camel@samsung.com>
Cc: James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler
From: Casey Schaufler
Message-ID: <55B3C063.4090106@schaufler-ca.com>
Date: Sat, 25 Jul 2015 09:59:15 -0700
In-Reply-To: <1437738032.2190.2.camel@samsung.com>

On 7/24/2015 4:40 AM, Lukasz Pawelczyk wrote:
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
>> If current task has capabilities, Smack operations (eg. Changing own
>> smack
>> label) should be available even inside of namespace.
>>
>> Signed-off-by: Sungbae Yoo

For the reasons Lukasz outlines below.

Nacked-by: Casey Schaufler

>>
>> diff --git a/security/smack/smack_access.c >> b/security/smack/smack_access.c >> index 00f6b38..f6b2c35 100644 >> --- a/security/smack/smack_access.c >> +++ b/security/smack/smack_access.c >> @@ -639,7 +639,7 @@ int smack_privileged(int cap) >> struct smack_known *skp = smk_of_current(); >> struct smack_onlycap *sop; >> >> - if (!capable(cap)) >> + if (!ns_capable(current_user_ns(), cap)) >> return 0;
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change
> rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this
> issue (e.g. changing own labels inside a namespace).
>
>>
>> rcu_read_lock(); >> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c >> index a143328..7fdc3dd 100644 >> --- a/security/smack/smack_lsm.c >> +++ b/security/smack/smack_lsm.c
>> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct >> task_struct *tracer, >> rc = 0; >> else if (smack_ptrace_rule == >> SMACK_PTRACE_DRACONIAN) >> rc = -EACCES; >> - else if (capable(CAP_SYS_PTRACE)) >> + else if (ns_capable(__task_cred(tracer)->user_ns, >> + CAP_SYS_PTRACE)) >> rc = 0; >> else >> rc = -EACCES;
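
Review bot: In smack_privileged() (security/smack/smack_access.c), ns_capable(current_user_ns(), cap) tests the capability against the caller's own user namespace, and a task that creates a user namespace holds a full capability set inside it, so the check stops separating privileged from unprivileged callers. The Smack operations this function gates (the thread names rule changes and changing one's own label) are not scoped to a namespace in the visible code, so the test should stay relative to the initial namespace: keep "if (!capable(cap))" here. If per-namespace label changes are the goal, that needs namespace-aware label handling rather than a weaker capability test, and the commit message should state which operations are meant to be delegated.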
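
Review bot: In smk_ptrace_rule_check() (security/smack/smack_lsm.c), ns_capable(__task_cred(tracer)->user_ns, CAP_SYS_PTRACE) takes the namespace from the tracer's credentials, but ns_capable() tests the current task's capabilities, so namespace and subject can belong to different tasks whenever tracer is not current. Checking against the tracer's own namespace also means a tracer that created that namespace always passes; a namespace-relative ptrace check should be made against the namespace of the task being traced. The hunk does not show rcu_read_lock() held around __task_cred(), which it requires. Suggest keeping capable(CAP_SYS_PTRACE) until the check can name the tracee's namespace.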