| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jul 2015 10:52:16 +0200 From: Lukasz Pawelczyk <l.pawelczyk@...sung.com> To: Sungbae Yoo <sungbae.yoo@...sung.com>, 'Casey Schaufler' <casey@...aufler-ca.com> Cc: 'James Morris' <james.l.morris@...cle.com>, "'Serge E. Hallyn'" <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] Smack: replace capable() with ns_capable() On pon, 2015-07-27 at 10:27 +0900, Sungbae Yoo wrote: > So, Do you agree to allow the process to change its own labels? Yes, by using a proper method as I mentioned below (e.g. Smack namespace posted to this list). > Now, init process(eg. systemd) can't be running in user namespace > properly > because it can't be assign smack label to service. > > If you agree, I'll upload another patch limited to this. This won't help. Limiting this to init process will still allow every process outside of a namespace to change its own label, still insecure. > -----Original Message----- > From: Lukasz Pawelczyk [mailto:l.pawelczyk@...sung.com] > Sent: Friday, July 24, 2015 8:41 PM > To: Sungbae Yoo; Casey Schaufler > Cc: James Morris; Serge E. Hallyn; > linux-security-module@...r.kernel.org; linux-kernel@...r.kernel.org > Subject: Re: [PATCH] Smack: replace capable() with ns_capable() > > On piÄ…, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote: > > If current task has capabilities, Smack operations (eg. Changing > > own > > smack > > label) should be available even inside of namespace. > > > > Signed-off-by: Sungbae Yoo <sungbae.yoo@...sung.com> > > > > diff --git a/security/smack/smack_access.c > > b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644 > > --- a/security/smack/smack_access.c > > +++ b/security/smack/smack_access.c > > @@ -639,7 +639,7 @@ int smack_privileged(int cap) > > struct smack_known *skp = smk_of_current(); > > struct smack_onlycap *sop; > > > > - if (!capable(cap)) > > + if (!ns_capable(current_user_ns(), cap)) > > return 0; > > It's not that easy. > > With this change Smack becomes completely insecure. You can change > rules as an unprivileged user without any problems now. > What you want is Smack namespace that was made to remedy exactly this > issue (e.g. changing own labels inside a namespace). > > > > > rcu_read_lock(); > > diff --git a/security/smack/smack_lsm.c > > b/security/smack/smack_lsm.c > > index a143328..7fdc3dd 100644 > > --- a/security/smack/smack_lsm.c > > +++ b/security/smack/smack_lsm.c > > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct > > task_struct *tracer, > > rc = 0; > > else if (smack_ptrace_rule == > > SMACK_PTRACE_DRACONIAN) > > rc = -EACCES; > > - else if (capable(CAP_SYS_PTRACE)) > > + else if (ns_capable(__task_cred(tracer)->user_ns, > > + CAP_SYS_PTRACE)) > > rc = 0; > > else > > rc = -EACCES; > -- > Lukasz Pawelczyk > Samsung R&D Institute Poland > Samsung Electronics > > > > -- > To unsubscribe from this list: send the line "unsubscribe linux > -security-module" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Lukasz Pawelczyk Samsung R&D Institute Poland Samsung Electronics -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists