From patchwork Wed Sep 16 20:02:42 2015
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7199011
From: Seth Forshee
To: "Eric W. Biederman", Alexander Viro, Casey Schaufler
Cc: Serge Hallyn, Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Seth Forshee, James Morris, "Serge E. Hallyn"
Subject: [PATCH v3 6/7] Smack: Add support for unprivileged mounts from user namespaces
Date: Wed, 16 Sep 2015 15:02:42 -0500
Message-Id: <1442433764-80826-7-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com>
References: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com>

Security labels from unprivileged mounts cannot be trusted. Ideally for these mounts we would assign the objects in the filesystem the same label as the inode for the backing device passed to mount. Unfortunately it's currently impossible to determine which inode this is from the LSM mount hooks, so we settle for the label of the process doing the mount. This label is assigned to s_root, and also to smk_default to ensure that new inodes receive this label.

The transmute property is also set on s_root to make this behavior more explicit, even though it is technically not necessary.

If a filesystem has existing security labels, access to inodes is permitted if the label is the same as smk_root, otherwise access is denied. The SMACK64EXEC xattr is completely ignored. Explicit setting of security labels continues to require CAP_MAC_ADMIN in init_user_ns.
Altogether, this ensures that filesystem objects are not accessible to subjects which cannot already access the backing store, that MAC is not violated for any objects in the filesystem which are already labeled, and that a user cannot use an unprivileged mount to gain elevated MAC privileges.

sysfs, tmpfs, and ramfs are already mountable from user namespaces and support security labels. We can't rule out the possibility that these filesystems may already be used in mounts from user namespaces with security labels set from the init namespace, so failing to trust labels in these filesystems may introduce regressions. It is safe to trust labels from these filesystems, since the unprivileged user does not control the backing store and thus cannot supply security labels, so an explicit exception is made to trust labels from these filesystems.

Signed-off-by: Seth Forshee
--- security/smack/smack.h | 6 ++++++ security/smack/smack_lsm.c | 35 +++++++++++++++++++++++++++-------- 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index fff0c612bbb7..070223960a2c 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -91,8 +91,14 @@ struct superblock_smack { struct smack_known *smk_hat; struct smack_known *smk_default; int smk_initialized; + int smk_flags; }; +/* + * Superblock flags + */ +#define SMK_SB_UNTRUSTED 0x01 + struct socket_smack { struct smack_known *smk_out; /* outbound label */ struct smack_known *smk_in; /* inbound label */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 996c88956438..cdfd67b61534 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -793,6 +793,17 @@ static int smack_set_mnt_opts(struct super_block *sb, skp = smk_of_current(); sp->smk_root = skp; sp->smk_default = skp; + /* + * For a handful of fs types with no user-controlled + * backing store it's okay to trust security labels + * in the filesystem. The rest are untrusted. + */ + if (sb->s_user_ns != &init_user_ns && + sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && + sb->s_magic != RAMFS_MAGIC) { + transmute = 1; + sp->smk_flags |= SMK_SB_UNTRUSTED; + } } /* @@ -1175,6 +1186,7 @@ static int smack_inode_rename(struct inode *old_inode, */ static int smack_inode_permission(struct inode *inode, int mask) { + struct superblock_smack *sbsp = inode->i_sb->s_security; struct smk_audit_info ad; int no_block = mask & MAY_NOT_BLOCK; int rc; @@ -1186,6 +1198,11 @@ static int smack_inode_permission(struct inode *inode, int mask) if (mask == 0) return 0; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { + if (smk_of_inode(inode) != sbsp->smk_root) + return -EACCES; + } + /* May be droppable after audit */ if (no_block) return -ECHILD; @@ -3475,14 +3492,16 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; + if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; + } skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
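Review bot: in the smack.h hunk (@@ -91,8 +91,14 @@) the new smk_flags field of struct superblock_smack has no comment, unlike the neighbouring socket_smack fields that carry /* ... */ descriptions, and nothing in the series as shown ever initializes it; smack_set_mnt_opts only ORs SMK_SB_UNTRUSTED into it, so correctness depends on the superblock security blob being zero-allocated. Add a short comment (`int smk_flags; /* SMK_SB_* */`) and, unless the blob is kzalloc'd, an explicit `sp->smk_flags = 0;` next to where smk_initialized is set.

Review bot: in the smack_set_mnt_opts hunk (@@ -793,6 +793,17 @@) the trust decision keys on a hard-coded list of s_magic values (SYSFS_MAGIC, TMPFS_MAGIC, RAMFS_MAGIC). Any filesystem that later becomes mountable from a user namespace is treated as untrusted, which is the right fail-closed default, but the list will silently diverge from what the VFS actually allows and nothing ties the exception to its stated criterion. Consider factoring the test into a small helper, e.g. `smk_sb_trusted(sb)`, whose comment states the rule (no user-controlled backing store) so the next filesystem is reviewed against it rather than appended by magic number. Note also that the block sits inside a branch whose condition is outside the shown context, so SMK_SB_UNTRUSTED is only set on the path where smk_root is taken from smk_of_current(); that should match every superblock with s_user_ns != &init_user_ns.

Review bot: in the smack_inode_permission hunk (@@ -1186,6 +1198,11 @@) the new check returns -EACCES before the audit info is set up and before the no_block handling, so these denials are never audited, unlike every other Smack denial on this hook; a mislabeled file on an untrusted mount fails with EACCES and leaves no trace. Either route the denial through the existing audit path with the inode and smk_root labels, or state in the commit message that it is intentionally silent. The gate is also only on inode_permission; hooks that do not pass through it (setattr, getattr, the xattr operations, link/unlink) will still see the foreign on-disk label and fall back to ordinary Smack rules, which is worth saying explicitly if that is the intent.

Review bot: in the smack_d_instantiate hunk (@@ -3475,14 +3492,16 @@) only the SMACK64EXEC fetch is gated by SMK_SB_UNTRUSTED; the SMACK64MMAP fetch in the unchanged context immediately below still reads an xattr from the same untrusted backing store and stores it in the inode blob. If an attacker-supplied mmap label can only ever restrict, say so in the commit message; otherwise move `skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);` and its "*"/"@" filtering inside the same `if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED))` block. In the untrusted case isp->smk_task is now left untouched rather than assigned; an explicit `else` branch setting `isp->smk_task = NULL;` would make "completely ignored" hold regardless of how the blob was allocated.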
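The policy the commit message describes (root and default labels taken from the mounting task, the sysfs/tmpfs/ramfs exception, the smk_root gate on pre-labelled inodes, and SMACK64EXEC being ignored) as a user-space C model. This is an added example, not code from the patch or from the kernel: sb_model, inode_model and the policy_* functions are this example's own names, standing in for superblock_smack, inode_smack, smack_set_mnt_opts, smack_inode_permission and smack_d_instantiate, and labels are plain strings rather than struct smack_known pointers. The scenarios in main() are constructed inputs.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model
 * of the Smack label policy for mounts from user namespaces.  The sb_model,
 * inode_model and policy_* names are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Values copied from <linux/magic.h>; ext4 stands in for any user-backed fs. */
#define SYSFS_MAGIC      0x62656572
#define TMPFS_MAGIC      0x01021994
#define RAMFS_MAGIC      0x858458f6
#define EXT4_SUPER_MAGIC 0xEF53

#define SMK_SB_UNTRUSTED 0x01          /* same flag the patch introduces */

struct sb_model {
	int in_init_user_ns;           /* sb->s_user_ns == &init_user_ns */
	unsigned long magic;           /* sb->s_magic */
	const char *root;              /* smk_root, also used as smk_default */
	int flags;                     /* smk_flags */
};

struct inode_model {
	const char *label;             /* SMACK64 stored in the fs, NULL if none */
	const char *exec;              /* SMACK64EXEC stored in the fs, NULL if none */
};

/*
 * Unprivileged mount path of smack_set_mnt_opts: root/default labels come
 * from the mounting task, and the superblock is marked untrusted unless the
 * fs type has no user-controlled backing store.
 */
void policy_set_mnt_opts(struct sb_model *sb, const char *task_label)
{
	sb->root = task_label;
	sb->flags = 0;
	if (!sb->in_init_user_ns &&
	    sb->magic != SYSFS_MAGIC && sb->magic != TMPFS_MAGIC &&
	    sb->magic != RAMFS_MAGIC)
		sb->flags |= SMK_SB_UNTRUSTED;
}

/* Object label after d_instantiate: stored label if present, else smk_default. */
const char *policy_inode_label(const struct sb_model *sb,
			       const struct inode_model *in)
{
	return in->label ? in->label : sb->root;
}

/*
 * The check added to smack_inode_permission: on an untrusted superblock only
 * inodes whose label equals smk_root are reachable at all.  Returns 0 (go on
 * to the ordinary Smack rule check) or -EACCES.
 */
int policy_inode_permission(const struct sb_model *sb,
			    const struct inode_model *in)
{
	if ((sb->flags & SMK_SB_UNTRUSTED) &&
	    strcmp(policy_inode_label(sb, in), sb->root) != 0)
		return -EACCES;
	return 0;
}

/*
 * The change to smack_d_instantiate: SMACK64EXEC is ignored entirely on an
 * untrusted superblock, and "*" / "@" are never accepted as exec labels.
 */
const char *policy_exec_label(const struct sb_model *sb,
			      const struct inode_model *in)
{
	if (sb->flags & SMK_SB_UNTRUSTED)
		return NULL;
	if (!in->exec || !strcmp(in->exec, "*") || !strcmp(in->exec, "@"))
		return NULL;
	return in->exec;
}

/* Walk a few constructed scenarios and print the resulting decisions. */
int main(void)
{
	struct inode_model files[] = {
		{ NULL,     NULL },        /* freshly created, no labels    */
		{ "alice",  "_"  },        /* labelled like the mounter     */
		{ "system", "_"  },        /* foreign label from the image  */
	};
	struct sb_model sbs[] = {
		{ 0, EXT4_SUPER_MAGIC, NULL, 0 },   /* userns mount of a disk image */
		{ 0, TMPFS_MAGIC,      NULL, 0 },   /* userns tmpfs: labels trusted */
		{ 1, EXT4_SUPER_MAGIC, NULL, 0 },   /* init_user_ns mount           */
	};
	for (size_t s = 0; s < sizeof sbs / sizeof sbs[0]; s++) {
		policy_set_mnt_opts(&sbs[s], "alice");
		for (size_t f = 0; f < sizeof files / sizeof files[0]; f++) {
			const char *ex = policy_exec_label(&sbs[s], &files[f]);
			printf("sb%zu untrusted=%d inode=%-6s perm=%d exec=%s\n",
			       s, !!(sbs[s].flags & SMK_SB_UNTRUSTED),
			       policy_inode_label(&sbs[s], &files[f]),
			       policy_inode_permission(&sbs[s], &files[f]),
			       ex ? ex : "(none)");
		}
	}
	return 0;
}
```

The model keeps the three decisions separate on purpose: whether a superblock is trusted is decided once at mount time, the smk_root gate runs on every permission check and only applies when the untrusted flag is set, and the exec label is dropped at instantiate time. That separation is what lets a tmpfs mounted inside a user namespace keep honouring labels set from init_user_ns while a user-supplied disk image cannot grant anything beyond the mounter's own label.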