Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
To: Sungbae Yoo, 'Lukasz Pawelczyk'
Cc: 'James Morris', 'Serge E. Hallyn', linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler
References: <1437737174-29451-1-git-send-email-sungbae.yoo@samsung.com> <1437738032.2190.2.camel@samsung.com> <000001d0c80b$55bdec50$0139c4f0$@samsung.com>
From: Casey Schaufler
Message-ID: <55B7936E.2080007@schaufler-ca.com>
Date: Tue, 28 Jul 2015 07:36:30 -0700
In-Reply-To: <000001d0c80b$55bdec50$0139c4f0$@samsung.com>

On 7/26/2015 6:27 PM, Sungbae Yoo wrote:
> So, do you agree to allow the process to change its own labels?

No. This requires CAP_MAC_ADMIN. Smack is mandatory access control.
Being in a namespace (as they are implemented today) is not sufficient.

>
> Now, the init process (e.g. systemd) can't run properly in a user namespace
> because it can't assign a Smack label to a service.
>
> If you agree, I'll upload another patch limited to this.
>
>
> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelczyk@samsung.com]
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn; linux-security-module@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On Fri, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
>> If the current task has capabilities, Smack operations (e.g. changing its own
>> Smack label) should be available even inside a namespace.
>>
>> Signed-off-by: Sungbae Yoo
>>
>> diff --git a/security/smack/smack_access.c
>> b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
>> --- a/security/smack/smack_access.c
>> +++ b/security/smack/smack_access.c
>> @@ -639,7 +639,7 @@ int smack_privileged(int cap)
>> struct smack_known *skp = smk_of_current();
>> struct smack_onlycap *sop;
>>
>> - if (!capable(cap))
>> + if (!ns_capable(current_user_ns(), cap))
>> return 0;
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change rules as an
> unprivileged user without any problems now.
> What you want is a Smack namespace that was made to remedy exactly this issue
> (e.g. changing own labels inside a namespace).
>
>>
>> rcu_read_lock();
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index a143328..7fdc3dd 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
>> task_struct *tracer,
>> rc = 0;
>> else if (smack_ptrace_rule ==
>> SMACK_PTRACE_DRACONIAN)
>> rc = -EACCES;
>> - else if (capable(CAP_SYS_PTRACE))
>> + else if (ns_capable(__task_cred(tracer)->user_ns,
>> + CAP_SYS_PTRACE))
>> rc = 0;
>> else
>> rc = -EACCES;
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics
>
>
>
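Review bot: in the smack_privileged() hunk, `ns_capable(current_user_ns(), cap)` is satisfiable by any unprivileged task, because a task that unshares a user namespace holds the full capability set inside that namespace, CAP_MAC_ADMIN and CAP_MAC_OVERRIDE included, yet smack_privileged() gates operations on state that is not namespaced: the global rule set, labels, and the onlycap list walked right after this check (`struct smack_onlycap *sop;` followed by `rcu_read_lock();`). A capability that is only valid in the caller's own namespace cannot authorize a change to system-wide MAC policy, so this should remain `capable(cap)`, i.e. a check against init_user_ns; if Smack state is ever namespaced, the check belongs against the user namespace that owns that Smack state, not whatever namespace the caller happens to be in.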
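Review bot: in the smk_ptrace_rule_check() hunk, CAP_SYS_PTRACE is checked in `__task_cred(tracer)->user_ns`, the tracer's own user namespace, which the tracer controls: after unshare(CLONE_NEWUSER) the tracer holds CAP_SYS_PTRACE there, so the `rc = 0` override becomes reachable by any tracer and the Smack ptrace rule that this function exists to enforce is bypassed. If a namespaced check is wanted at all, the namespace to check is the tracee's, since those are the credentials being accessed; the original `capable(CAP_SYS_PTRACE)` at least required the capability in init_user_ns. Separately, `__task_cred()` must be called with rcu_read_lock() held (or the task locked); confirm that every caller of smk_ptrace_rule_check() provides that before dereferencing the tracer's cred here.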
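The objection running through this thread, that holding a capability inside one's own user namespace says nothing about system-wide Smack policy, can be made concrete with a user-space model of the kernel's capability check. The program below is an added example, not code from the patch, from Smack or from the kernel: `struct cred`, `struct user_ns`, `model_ns_capable()`, `model_capable()` and `model_unshare_userns()` are simplified stand-ins for the kernel's cred and user_namespace structures, cap_capable(), capable() and unshare(CLONE_NEWUSER), and are assumptions of this example. It walks the two patched checks for an ordinary uid-1000 task that has unshared a user namespace, alongside the checks they replaced.

```c
/* Added example, not kernel or Smack code: a user-space model of the kernel's
 * capability check (cap_capable() in security/commoncap.c) showing why
 * ns_capable(current_user_ns(), cap) is the wrong test for a global Smack
 * operation. All structs and model_* functions are simplified stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_PTRACE 19          /* numbers as in linux/capability.h */
#define CAP_MAC_ADMIN  33
#define CAP_FULL_SET   (~(uint64_t)0)

struct user_ns {
    struct user_ns *parent;        /* NULL for init_user_ns */
    int level;                     /* depth below init_user_ns */
    unsigned owner;                /* euid of the creator, in the parent ns */
};

struct cred {
    unsigned euid;
    uint64_t cap_effective;        /* bit i set => capability i raised */
    struct user_ns *user_ns;       /* namespace in which cap_effective counts */
};

static struct user_ns init_user_ns = { NULL, 0, 0 };

/* Model of cap_capable(): does `cred` hold `cap` with respect to `targ_ns`? */
static bool model_ns_capable(const struct cred *cred,
                             const struct user_ns *targ_ns, int cap)
{
    const struct user_ns *ns = targ_ns;

    for (;;) {
        if (ns == cred->user_ns)               /* caps count in our own ns */
            return (cred->cap_effective >> cap) & 1;
        if (ns == &init_user_ns)               /* reached the root: no match */
            return false;
        if (ns->level <= cred->user_ns->level) /* not below us: can't own it */
            return false;
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return true;                       /* creator has every cap in it */
        ns = ns->parent;
    }
}

/* capable(cap) is a check against init_user_ns. */
static bool model_capable(const struct cred *cred, int cap)
{
    return model_ns_capable(cred, &init_user_ns, cap);
}

/* Model of unshare(CLONE_NEWUSER): caller owns a new child namespace and
 * receives the full capability set inside it. */
static void model_unshare_userns(struct cred *cred, struct user_ns *child)
{
    child->parent = cred->user_ns;
    child->level = cred->user_ns->level + 1;
    child->owner = cred->euid;
    cred->user_ns = child;
    cred->cap_effective = CAP_FULL_SET;
}

/* Constructed scenario: ordinary uid 1000, no capabilities, in init_user_ns. */
static struct cred unprivileged_task(void)
{
    struct cred c = { .euid = 1000, .cap_effective = 0, .user_ns = &init_user_ns };
    return c;
}

/* smack_privileged() as patched: ns_capable(current_user_ns(), CAP_MAC_ADMIN)
 * for an unprivileged task that has unshared a user namespace. */
bool patched_smack_privileged_passes(void)
{
    struct cred task = unprivileged_task();
    struct user_ns child;

    model_unshare_userns(&task, &child);
    return model_ns_capable(&task, task.user_ns, CAP_MAC_ADMIN);    /* true */
}

/* smack_privileged() as it was: capable(CAP_MAC_ADMIN) for the same task. */
bool original_smack_privileged_passes(void)
{
    struct cred task = unprivileged_task();
    struct user_ns child;

    model_unshare_userns(&task, &child);
    return model_capable(&task, CAP_MAC_ADMIN);                     /* false */
}

/* smk_ptrace_rule_check() as patched: CAP_SYS_PTRACE checked in the tracer's
 * own user_ns, which the tracer itself created. */
bool ptrace_override_in_tracer_ns(void)
{
    struct cred tracer = unprivileged_task();
    struct user_ns tracer_ns;

    model_unshare_userns(&tracer, &tracer_ns);
    return model_ns_capable(&tracer, tracer.user_ns, CAP_SYS_PTRACE); /* true */
}

/* The same override checked in the tracee's user_ns (a normal process still
 * in init_user_ns), which the tracer does not control. */
bool ptrace_override_in_tracee_ns(void)
{
    struct cred tracer = unprivileged_task();
    struct cred tracee = unprivileged_task();
    struct user_ns tracer_ns;

    model_unshare_userns(&tracer, &tracer_ns);
    return model_ns_capable(&tracer, tracee.user_ns, CAP_SYS_PTRACE); /* false */
}

int main(void)
{
    printf("patched smack_privileged(), unprivileged task: %s\n",
           patched_smack_privileged_passes() ? "granted (bypass)" : "denied");
    printf("original capable(CAP_MAC_ADMIN):               %s\n",
           original_smack_privileged_passes() ? "granted" : "denied");
    printf("CAP_SYS_PTRACE in tracer's own user_ns:        %s\n",
           ptrace_override_in_tracer_ns() ? "granted (bypass)" : "denied");
    printf("CAP_SYS_PTRACE in tracee's user_ns:            %s\n",
           ptrace_override_in_tracee_ns() ? "granted" : "denied");
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The first and third checks succeed for a task that started with no capabilities at all, which is the whole problem with the patch: the only thing `ns_capable()` against the caller's own namespace proves is that the caller once called unshare(). The second and fourth show that a check against init_user_ns, or against the namespace of the task being acted on, is not self-granting in the same way.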