| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55B7936E.2080007@schaufler-ca.com> Date: Tue, 28 Jul 2015 07:36:30 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Sungbae Yoo <sungbae.yoo@...sung.com>, 'Lukasz Pawelczyk' <l.pawelczyk@...sung.com> Cc: 'James Morris' <james.l.morris@...cle.com>, "'Serge E. Hallyn'" <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [PATCH] Smack: replace capable() with ns_capable() On 7/26/2015 6:27 PM, Sungbae Yoo wrote: > So, Do you agree to allow the process to change its own labels? No. This requires CAP_MAC_ADMIN. Smack is mandatory access control. Being in a namespace (as they are implemented today) is not sufficient. > > Now, init process(eg. systemd) can't be running in user namespace properly > because it can't be assign smack label to service. > > If you agree, I'll upload another patch limited to this. > > > -----Original Message----- > From: Lukasz Pawelczyk [mailto:l.pawelczyk@...sung.com] > Sent: Friday, July 24, 2015 8:41 PM > To: Sungbae Yoo; Casey Schaufler > Cc: James Morris; Serge E. Hallyn; linux-security-module@...r.kernel.org; linux-kernel@...r.kernel.org > Subject: Re: [PATCH] Smack: replace capable() with ns_capable() > > On piÄ…, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote: >> If current task has capabilities, Smack operations (eg. Changing own >> smack >> label) should be available even inside of namespace. >> >> Signed-off-by: Sungbae Yoo <sungbae.yoo@...sung.com> >> >> diff --git a/security/smack/smack_access.c >> b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644 >> --- a/security/smack/smack_access.c >> +++ b/security/smack/smack_access.c >> @@ -639,7 +639,7 @@ int smack_privileged(int cap) >> struct smack_known *skp = smk_of_current(); >> struct smack_onlycap *sop; >> >> - if (!capable(cap)) >> + if (!ns_capable(current_user_ns(), cap)) >> return 0; > It's not that easy. > > With this change Smack becomes completely insecure. You can change rules as an unprivileged user without any problems now. > What you want is Smack namespace that was made to remedy exactly this issue (e.g. changing own labels inside a namespace). > >> >> rcu_read_lock(); >> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c >> index a143328..7fdc3dd 100644 >> --- a/security/smack/smack_lsm.c >> +++ b/security/smack/smack_lsm.c >> @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct >> task_struct *tracer, >> rc = 0; >> else if (smack_ptrace_rule == >> SMACK_PTRACE_DRACONIAN) >> rc = -EACCES; >> - else if (capable(CAP_SYS_PTRACE)) >> + else if (ns_capable(__task_cred(tracer)->user_ns, >> + CAP_SYS_PTRACE)) >> rc = 0; >> else >> rc = -EACCES; > -- > Lukasz Pawelczyk > Samsung R&D Institute Poland > Samsung Electronics > > > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists