From: Sungbae Yoo
To: "'Lukasz Pawelczyk'", "'Casey Schaufler'"
Cc: "'James Morris'", "'Serge E. Hallyn'", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
References: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com> <1437738032.2190.2.camel@samsung.com>
In-reply-to: <1437738032.2190.2.camel@samsung.com>
Subject: RE: [PATCH] Smack: replace capable() with ns_capable()
Date: Mon, 27 Jul 2015 10:27:00 +0900
Message-id: <000001d0c80b$55bdec50$0139c4f0$@samsung.com>
So, do you agree to allow the process to change its own labels?
Now, an init process (e.g. systemd) can't run properly in a user namespace because it can't assign a Smack label to a service.
If you agree, I'll upload another patch limited to this.

-----Original Message-----
From: Lukasz Pawelczyk [mailto:l.pawelczyk@samsung.com]
Sent: Friday, July 24, 2015 8:41 PM
To: Sungbae Yoo; Casey Schaufler
Cc: James Morris; Serge E. Hallyn; linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()

On Fri, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> If the current task has capabilities, Smack operations (e.g. changing its own
> Smack label) should be available even inside a namespace.
>
> Signed-off-by: Sungbae Yoo
>
> diff --git a/security/smack/smack_access.c
> b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
>  	struct smack_known *skp = smk_of_current();
>  	struct smack_onlycap *sop;
>
> -	if (!capable(cap))
> +	if (!ns_capable(current_user_ns(), cap))
>  		return 0;

It's not that easy. With this change Smack becomes completely insecure. You can change rules as an unprivileged user without any problems now.

What you want is a Smack namespace, which was made to remedy exactly this issue (e.g. changing own labels inside a namespace).

>
>  	rcu_read_lock();
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a143328..7fdc3dd 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> task_struct *tracer,
>  			rc = 0;
>  		else if (smack_ptrace_rule ==
> SMACK_PTRACE_DRACONIAN)
>  			rc = -EACCES;
> -		else if (capable(CAP_SYS_PTRACE))
> +		else if (ns_capable(__task_cred(tracer)->user_ns,
> +				    CAP_SYS_PTRACE))
>  			rc = 0;
>  		else
>  			rc = -EACCES;

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
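Review bot: the `+ if (!ns_capable(current_user_ns(), cap))` line in the smack_privileged() hunk is satisfied by any task that has created its own user namespace, because a task holds the full capability set in a namespace it owns, so every privilege check routed through smack_privileged() (including the rule changes the reply mentions) passes for an unprivileged user who unshares a user namespace. Keep capable(cap), which tests against the initial user namespace, unless the check is also bounded by a Smack-specific namespace, and have the commit message state the privilege model rather than only the desired behaviour.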
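Review bot: ns_capable() evaluates the credentials of current, not of tracer, so the two `+` lines in the smk_ptrace_rule_check() hunk test whether the calling task holds CAP_SYS_PTRACE in tracer's user namespace; since tracer is a parameter of this function, it need not be current, and the test can land on the wrong task. If the intent is "the tracer is privileged over the tracee", test the tracer's own credentials, e.g. has_ns_capability(tracer, ns, CAP_SYS_PTRACE), scoped to the tracee's user namespace as the core ptrace access check does, and add a comment, since `__task_cred(tracer)->user_ns` reads as if tracer were the subject of the check.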