Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753207AbbH0B6j (ORCPT <rfc822;w@1wt.eu>);
	Wed, 26 Aug 2015 21:58:39 -0400
Received: from mailout1.samsung.com ([203.254.224.24]:45906 "EHLO
	mailout1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751744AbbH0B6f (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 26 Aug 2015 21:58:35 -0400
X-AuditID: cbfee690-f796f6d000005054-56-55de6ec7590c
From: Jonghwa Lee <jonghwa3.lee@samsung.com>
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, james.l.morris@oracle.com, serge@hallyn.com,
        sangbae90.lee@samsung.com, inki.dae@samsung.com,
        Jonghwa Lee <jonghwa3.lee@samsung.com>
Subject: [PATCH] [RFC] security: smack: Add support automatic Smack labeling
Date: Thu, 27 Aug 2015 10:58:23 +0900
Message-id: <1440640704-21730-1-git-send-email-jonghwa3.lee@samsung.com>
X-Mailer: git-send-email 1.7.9.5
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrGLMWRmVeSWpSXmKPExsWyRsSkUPd43r1QgxOzuSzubfvFZjHp/gQW
	i77HQRadZ58wW1zeNYfN4kPPIzaL458Oslicv3CO3YHD49ruSI+PT2+xePRtWcXocXT/IjaP
	z5vkAlijuGxSUnMyy1KL9O0SuDKuHHrIUnBBtKJryXK2BsaTgl2MnBwSAiYSU/c8YIOwxSQu
	3FsPZHNxCAmsYJT4vuITO0zRgcZWqMQsRokVz++wQzg/GCWufD/FAlLFJqAj8X/fTaAEB4eI
	gLvEjTuKIDXMAksYJVovbwKrERbwkWg7dx5sKouAqsTOvQuZQWxeAQ+Ja0c/soD0SggoSMyZ
	ZAPSKyHQzS7x5/dJJoh6AYlvkw9B1chKbDrADHGcpMTBFTdYJjAKLmBkWMUomlqQXFCclF5k
	olecmFtcmpeul5yfu4kRGLyn/z2bsIPx3gHrQ4wCHIxKPLwSGfdChVgTy4orcw8xmgJtmMgs
	JZqcD4yRvJJ4Q2MzIwtTE1NjI3NLMyVx3tdSP4OFBNITS1KzU1MLUovii0pzUosPMTJxcEo1
	ME7Zte1mo+8fFk3BORPuLys89rw5SVdX4Y1gVrxptL6L8JXyT60eSgaa7ZUXA06U5ylnBC1v
	jPYWK0l1LmftM6uQOK2+4cucmIoLMtPOBCb926AfaX+5WN6Nt/zr96DpZ5fdFa8vKSxbH5c7
	YbfFb+bDN75cmpv1wdYjU0Lkec95xyWntuaKKbEUZyQaajEXFScCAM3KRudZAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMIsWRmVeSWpSXmKPExsVy+t9jQd3jefdCDb5sZbG4t+0Xm8Wk+xNY
	LPoeB1l0nn3CbHF51xw2iw89j9gsjn86yGJx/sI5dgcOj2u7Iz0+Pr3F4tG3ZRWjx9H9i9g8
	Pm+SC2CNamC0yUhNTEktUkjNS85PycxLt1XyDo53jjc1MzDUNbS0MFdSyEvMTbVVcvEJ0HXL
	zAE6RUmhLDGnFCgUkFhcrKRvh2lCaIibrgVMY4Sub0gQXI+RARpIWMOYceXQQ5aCC6IVXUuW
	szUwnhTsYuTkkBAwkTjQ2MoGYYtJXLi3Hsjm4hASmMUoseL5HXYI5wejxJXvp1hAqtgEdCT+
	77sJlODgEBFwl7hxRxGkhllgCaNE6+VNYDXCAj4SbefOs4PYLAKqEjv3LmQGsXkFPCSuHf3I
	AtIrIaAgMWeSzQRG7gWMDKsYJVILkguKk9JzDfNSy/WKE3OLS/PS9ZLzczcxgiPkmdQOxoO7
	3A8xCnAwKvHwSmTcCxViTSwrrsw9xCjBwawkwsvNBRTiTUmsrEotyo8vKs1JLT7EaAq0fyKz
	lGhyPjB680riDY1NzIwsjcwNLYyMzZXEeWU3bA4VEkhPLEnNTk0tSC2C6WPi4JRqYAw+e6VD
	pXFRzPHZfDIxykUVnFF31lf1nr0UGaW44kOKfczD071PG9yyVJ3X252YOe3D42nvPI1Xec3s
	uHrTcU2IEnf1gxkKWjeS67oNHt7O+XdRIPLDa46JB74siTk8d9exC5v3mqfcO72X/em/TVxf
	/PdXrXqoF8Zu+ERte3XwSpk94o//qQsrsRRnJBpqMRcVJwIAaqx1faYCAAA=
DLP-Filter: Pass
X-MTR: 20000000000000000@CPGS
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2958
Lines: 60

Smack labeling is always done in user space, not in kernel space.
Because kernel can't know which node or preocess should has the certain label
and it shouldn't be neither. Therefore there is a distinct time gap between
file creation and the labeling which might be about few miliseconds or even
indefinite period. This unavoidable and imprecise time gap produces unintended
Smack denial time to time. If it guerantees that labeling is done before any
other access, the time gap doesn't make matter. However if not, the system
will suffer from false alarm.

I've already exeperienced the situation with specific cases.
Mostly, it happens with devtmpfs where udevd applies xattr with defined udev
rules. When kernel module is loaded, device node is newly created and it sends
uevent and notification to processes in wait. However, somtimes uevent may be
handled lately then other processes's access. So, Smack module checks the
authority with uninitialized label, and prohibits the access even the access
authority exists in Smack rule.

At the first time of encounting the problem, I tries to fix the system and user
process to prevent the accesses in ahead of labeling but it wasn't the solution.
Performance is degraded because of compulsory delay.

Another candidate of solution is given label from kernel side.
However, kernel should not be aware of the label, the string, and the
relationship between specific node and label. So I left it in user space.

Label is still given from user space. Kernel only checks there is a pre-assigned
labeling rule for the node. If so, the file will acquire the label as default at
the creation. A file is created with pre-assigend label as like it's done
automatically. So it's called 'Auto Smack labeling'

Pre-assigned label can be given via additional file, 'autolabel' in smackfs.

   echo '<File path> <Smack Label>' > /sys/fs/smackfs/autolabel

The label only activates when the file isn't created yet. If file already
exists, then just add the label relationship to table and deactivate it.
When the label is applied, it'll also be deactivated. The label turns to be
enabled again only when the file is removed.

This is a candidate of solution for the specific problem, and might be buggy or
hamful for system-wide security. So I gently request your opinion for more clear
and wise solution for the case that I faced.

Jonghwa Lee (1):
  security: smack: Add support automatic Smack labeling

 security/smack/Kconfig     |   11 ++++
 security/smack/smack.h     |   23 ++++++++
 security/smack/smack_lsm.c |   66 +++++++++++++++++++++
 security/smack/smackfs.c   |  136 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 236 insertions(+)

-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/