Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
From: Lukasz Pawelczyk
To: Sungbae Yoo, Casey Schaufler
Cc: James Morris, Serge E. Hallyn, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Mon, 27 Jul 2015 10:52:16 +0200
Message-id: <1437987136.3303.2.camel@samsung.com>
In-reply-to: <000001d0c80b$55bdec50$0139c4f0$@samsung.com>
References: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com> <1437738032.2190.2.camel@samsung.com> <000001d0c80b$55bdec50$0139c4f0$@samsung.com>

On pon, 2015-07-27 at 10:27 +0900, Sungbae Yoo wrote:
> So, do you agree to allow the process to change its own labels?

Yes, by using a proper method as I mentioned below (e.g. the Smack
namespace posted to this list).

> Now, the init process (e.g. systemd) can't be running in a user namespace
> properly
> because it can't assign a smack label to a service.
>
> If you agree, I'll upload another patch limited to this.

This won't help. Limiting this to the init process will still allow every
process outside of a namespace to change its own label, which is still
insecure.

> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelczyk@samsung.com]
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn;
> linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> > If the current task has capabilities, Smack operations (e.g. changing
> > own
> > smack
> > label) should be available even inside of a namespace.
> >
> > Signed-off-by: Sungbae Yoo
> >
> > diff --git a/security/smack/smack_access.c
> > b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> > --- a/security/smack/smack_access.c
> > +++ b/security/smack/smack_access.c
> > @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> > struct smack_known *skp = smk_of_current();
> > struct smack_onlycap *sop;
> >
> > - if (!capable(cap))
> > + if (!ns_capable(current_user_ns(), cap))
> > return 0;
>
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change
> rules as an unprivileged user without any problems now.
> What you want is the Smack namespace that was made to remedy exactly this
> issue (e.g. changing own labels inside a namespace).
>
> >
> > rcu_read_lock();
> > diff --git a/security/smack/smack_lsm.c
> > b/security/smack/smack_lsm.c
> > index a143328..7fdc3dd 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> > task_struct *tracer,
> > rc = 0;
> > else if (smack_ptrace_rule ==
> > SMACK_PTRACE_DRACONIAN)
> > rc = -EACCES;
> > - else if (capable(CAP_SYS_PTRACE))
> > + else if (ns_capable(__task_cred(tracer)->user_ns,
> > + CAP_SYS_PTRACE))
> > rc = 0;
> > else
> > rc = -EACCES;
>
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
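Review bot: in the smack_privileged() hunk, `+ if (!ns_capable(current_user_ns(), cap))` scopes the privilege test to the caller's own user namespace, and a process that created that namespace holds every capability inside it, so the gate passes for any unprivileged user who unshares a user namespace first; since smack_privileged() guards changes to Smack's global rules and labels, this is the "change rules as an unprivileged user" failure the reply describes. Keep the check against the initial user namespace (the `- if (!capable(cap))` line the hunk removes) unless the Smack state being protected is itself made per-namespace, which is what the Smack namespace series mentioned in the reply is for; the commit message should also say which operations are meant to become available inside a namespace rather than widening every caller of smack_privileged() at once.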
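Review bot: the smk_ptrace_rule_check() hunk has the same scoping problem plus a lifetime question. `+ else if (ns_capable(__task_cred(tracer)->user_ns,` is satisfied whenever the tracer created its own user namespace, so the non-draconian Smack ptrace rule ends in `rc = 0` for unprivileged tracers that would previously have hit `rc = -EACCES`. Separately, `__task_cred(tracer)` is only valid under rcu_read_lock() or with the task locked, and nothing in the hunk shows that section being held at this point, so either document the RCU section the caller provides or take the namespace from a cred reference the caller already holds. Also worth stating in the changelog: ns_capable() tests current's credentials against the namespace passed in, while the hunk names the tracer's namespace; those only coincide when tracer is current, so the behaviour for the traceme path needs to be spelled out.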
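A user-space model of the capability walk that both hunks depend on, added here as an example and not code from the thread or from the kernel tree. It shows why `ns_capable(current_user_ns(), cap)` is not a privilege test once the caller has created its own user namespace, while `capable(cap)` keeps asking about the initial namespace. The struct layouts are simplified stand-ins; `cap_capable()` follows the walk done by the kernel function of that name, `enter_new_userns()` stands in for the credential change unshare(CLONE_NEWUSER) makes, and the scenario inputs (uid 1000 without capabilities, uid 0 with a full set) are constructed.

```c
/* Added example, not code from the thread or the kernel tree: a user-space
 * model of the kernel's capability check.  Struct layouts are simplified
 * stand-ins; cap_capable() mirrors the kernel walk but is not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_PTRACE 19   /* real capability numbers, used as bit indexes */
#define CAP_MAC_ADMIN  33
#define CAP_NONE       UINT64_C(0)
#define CAP_FULL       UINT64_MAX

struct user_namespace {
    struct user_namespace *parent;
    uint32_t owner;         /* euid (in the parent) of the creator */
    int level;              /* depth; 0 for the initial namespace */
};

struct cred {
    struct user_namespace *user_ns;
    uint32_t euid;
    uint64_t cap_effective; /* bit n set => capability n is raised */
};

static struct user_namespace init_user_ns = { NULL, 0, 0 };

/* Does cred hold `cap` with respect to targ_ns?  Walk from targ_ns toward
 * the initial namespace: privilege comes from the effective set in the
 * cred's own namespace, or from having created the target namespace. */
static bool cap_capable(const struct cred *cred,
                        const struct user_namespace *targ_ns, int cap)
{
    const struct user_namespace *ns = targ_ns;
    for (;;) {
        if (ns == cred->user_ns)                 /* same ns: use the bitmask */
            return (cred->cap_effective >> cap) & 1;
        if (ns == &init_user_ns)                 /* walked past the cred's ns */
            return false;
        if (ns->level <= cred->user_ns->level)   /* not a descendant of it */
            return false;
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return true;                         /* creator owns the child */
        ns = ns->parent;
    }
}

/* capable(cap): the check the patch removes; always against init_user_ns. */
static bool capable(const struct cred *cur, int cap)
{
    return cap_capable(cur, &init_user_ns, cap);
}

/* ns_capable(ns, cap): the check the patch inserts; in smack_privileged()
 * the namespace argument is current_user_ns(). */
static bool ns_capable(const struct cred *cur,
                       const struct user_namespace *ns, int cap)
{
    return cap_capable(cur, ns, cap);
}

/* Stand-in for what unshare(CLONE_NEWUSER) does to the caller's creds:
 * a child namespace owned by the caller, with a full effective set in it. */
static void enter_new_userns(struct cred *cur, struct user_namespace *child)
{
    child->parent = cur->user_ns;
    child->owner = cur->euid;
    child->level = cur->user_ns->level + 1;
    cur->user_ns = child;
    cur->cap_effective = CAP_FULL;
}

/* Outcome bits for run_scenario(). */
enum {
    BEFORE_CAPABLE = 1, BEFORE_NS_CAPABLE = 2,   /* still in init_user_ns */
    AFTER_CAPABLE = 4,  AFTER_NS_CAPABLE = 8     /* after creating a child */
};

/* Evaluate both checks for CAP_MAC_ADMIN before and after the process
 * creates its own user namespace (constructed scenario; euid and caps
 * are the inputs). */
int run_scenario(uint32_t euid, uint64_t caps)
{
    struct user_namespace child;
    struct cred cur = { &init_user_ns, euid, caps };
    int r = 0;

    if (capable(&cur, CAP_MAC_ADMIN))                  r |= BEFORE_CAPABLE;
    if (ns_capable(&cur, cur.user_ns, CAP_MAC_ADMIN))  r |= BEFORE_NS_CAPABLE;
    enter_new_userns(&cur, &child);
    if (capable(&cur, CAP_MAC_ADMIN))                  r |= AFTER_CAPABLE;
    if (ns_capable(&cur, cur.user_ns, CAP_MAC_ADMIN))  r |= AFTER_NS_CAPABLE;
    return r;
}

/* The creator rule: uid 1000 with no capabilities, still in init_user_ns,
 * is privileged over a child namespace it owns but not over init_user_ns. */
bool creator_rule(void)
{
    struct user_namespace child = { &init_user_ns, 1000, 1 };
    struct cred cur = { &init_user_ns, 1000, CAP_NONE };
    return ns_capable(&cur, &child, CAP_SYS_PTRACE) &&
           !capable(&cur, CAP_SYS_PTRACE);
}

int main(void)
{
    printf("uid 1000, no caps: %d\n", run_scenario(1000, CAP_NONE)); /* 8 */
    printf("uid 0, full caps:  %d\n", run_scenario(0, CAP_FULL));    /* 11 */
    printf("creator rule: %s\n", creator_rule() ? "holds" : "fails");
    return 0;
}
```

The two scenarios make the reply's point concrete: once a process sits in a child user namespace, `capable()` denies it even if it was root before unsharing, whereas `ns_capable()` against its own namespace grants everything. smack_privileged() guards Smack state that is global to the host, so the first question is the one it has to ask; the creator rule shows the other legitimate route to privilege over a namespace, which is also why a patch cannot just swap the namespace argument without deciding what the protected object belongs to.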