From patchwork Tue Apr 26 19:36:22 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 615130
From: Seth Forshee
To: "Eric W. Biederman", Casey Schaufler
Subject: [PATCH v4 09/21] Smack: Handle labels consistently in untrusted mounts
Date: Tue, 26 Apr 2016 14:36:22 -0500
Message-Id: <1461699396-33000-10-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
References: <1461699396-33000-1-git-send-email-seth.forshee@canonical.com>
List-Id: Linux MTD discussion mailing list
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org,
Pavel Tikhomirov, "Serge E. Hallyn"

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentially problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time. For SMACK64 and SMACK64MMAP access is denied if the label does not match smk_root. To be consistent with suid, a SMACK64EXEC label which does not match smk_root will still allow execution of the file but will not run with the label supplied in the xattr.

Signed-off-by: Seth Forshee
Acked-by: Casey Schaufler

--- security/smack/smack_lsm.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index aa17198cd5f2..ca564590cc1b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -919,6 +919,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = file_inode(bprm->file); struct task_smack *bsp = bprm->cred->security; struct inode_smack *isp; + struct superblock_smack *sbsp; int rc; if (bprm->cred_prepared) @@ -928,6 +929,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; + sbsp = inode->i_sb->s_security; + if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && + isp->smk_task != sbsp->smk_root) + return 0; + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { struct task_struct *tracer; rc = 0; @@ -1725,6 +1731,7 @@ static int smack_mmap_file(struct file *file, struct task_smack *tsp; struct smack_known *okp; struct inode_smack *isp; + struct superblock_smack *sbsp; int may; int mmay; int tmay;
@@ -1736,6 +1743,10 @@ static int smack_mmap_file(struct file *file, isp = file_inode(file)->i_security; if (isp->smk_mmap == NULL) return 0; + sbsp = file_inode(file)->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && + isp->smk_mmap != sbsp->smk_root) + return -EACCES; mkp = isp->smk_mmap; tsp = current_security(); @@ -3546,16 +3557,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; - } + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
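Review bot: the early `return 0` added in the `@@ -928,6 +929,11 @@` hunk of smack_bprm_set_creds silently drops the SMACK64EXEC transition when the mount is SMK_SB_UNTRUSTED and isp->smk_task differs from sbsp->smk_root, with no audit record or log line, so an administrator wondering why a labelled binary on such a mount keeps the caller's label gets no hint from the kernel. A short comment above the check stating the "consistent with suid: the file runs, the xattr label is ignored" rationale from the commit message would also save the next reader from treating the bare return as an accidental early exit.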
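Review bot: in the `@@ -1736,6 +1743,10 @@` hunk of smack_mmap_file the condition `sbsp->smk_flags & SMK_SB_UNTRUSTED && isp->smk_mmap != sbsp->smk_root` omits the parentheses that the equivalent test in smack_bprm_set_creds uses; it is correct, since `&` binds tighter than `&&`, but for consistency with the hunk above write `(sbsp->smk_flags & SMK_SB_UNTRUSTED) &&`. Also, the `return -EACCES` is a hard denial that produces none of the audit output a normal Smack access decision would, and a refused mmap on an untrusted mount is exactly the case an administrator will need to see logged to diagnose.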
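Review bot: removing the `if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED))` gate in the `@@ -3546,16 +3557,14 @@` hunk of smack_d_instantiate means isp->smk_task is now filled from the on-disk SMACK64EXEC xattr for untrusted mounts as well, so the safety of the label now rests on every consumer of smk_task repeating the `SMK_SB_UNTRUSTED`/`smk_root` comparison that smack_bprm_set_creds gains in this patch. The commit message should state that invariant explicitly, and a one-line comment at the fetch site saying the label is validated against smk_root at use time for untrusted mounts would make the deferred check discoverable from the place the value is stored. The filtering of "*" and "@" is unchanged and still applies.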