From patchwork Thu Nov 10 10:49:52 2016
X-Patchwork-Submitter: Himanshu Shukla
X-Patchwork-Id: 9420927
From: Himanshu Shukla
To: casey@schaufler-ca.com, linux-security-module@vger.kernel.org
Cc: himanshu.sh@samsung.com
Subject: [PATCH] smack: parse mnt opts after privileges check
Date: Thu, 10 Nov 2016 16:19:52 +0530
Message-id: <1478774992-13222-1-git-send-email-himanshu.sh@samsung.com>
X-Mailer: git-send-email 1.9.1

In smack_set_mnt_opts() first the SMACK mount options are being parsed and later it is being checked whether the user calling mount has the CAP_MAC_ADMIN capability. This sequence of operations will allow an unauthorized user to add SMACK labels to the label list and may cause a denial of security attack by adding many labels, allocating kernel memory as an unauthorized user. The superblock smack flag is also being set as initialized though the function may return with an EPERM error. First check the capability of the calling user, then set the SMACK attributes and smk_flags.
Signed-off-by: Himanshu Shukla Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 50 +++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb0602..a793872 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -769,6 +769,31 @@ static int smack_set_mnt_opts(struct super_block *sb, if (sp->smk_flags & SMK_SB_INITIALIZED) return 0; + if (!smack_privileged(CAP_MAC_ADMIN)) { + /* + * Unprivileged mounts don't get to specify Smack values. + */ + if (num_opts) + return -EPERM; + /* + * Unprivileged mounts get root and default from the caller. + */ + skp = smk_of_current(); + sp->smk_root = skp; + sp->smk_default = skp; + /* + * For a handful of fs types with no user-controlled + * backing store it's okay to trust security labels + * in the filesystem. The rest are untrusted. + */ + if (sb->s_user_ns != &init_user_ns && + sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && + sb->s_magic != RAMFS_MAGIC) { + transmute = 1; + sp->smk_flags |= SMK_SB_UNTRUSTED; + } + } + sp->smk_flags |= SMK_SB_INITIALIZED; for (i = 0; i < num_opts; i++) { @@ -809,31 +834,6 @@ static int smack_set_mnt_opts(struct super_block *sb, } } - if (!smack_privileged(CAP_MAC_ADMIN)) { - /* - * Unprivileged mounts don't get to specify Smack values. - */ - if (num_opts) - return -EPERM; - /* - * Unprivileged mounts get root and default from the caller. - */ - skp = smk_of_current(); - sp->smk_root = skp; - sp->smk_default = skp; - /* - * For a handful of fs types with no user-controlled - * backing store it's okay to trust security labels - * in the filesystem. The rest are untrusted. - */ - if (sb->s_user_ns != &init_user_ns && - sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && - sb->s_magic != RAMFS_MAGIC) { - transmute = 1; - sp->smk_flags |= SMK_SB_UNTRUSTED; - } - } - /* * Initialize the root inode. */
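Review bot: in the first hunk (@@ -769,6 +769,31 @@) the relocated privilege check now returns -EPERM before `sp->smk_flags |= SMK_SB_INITIALIZED;` and before the `for (i = 0; i < num_opts; i++)` option loop, which is the fix the commit message describes: a failed unprivileged mount no longer leaves the superblock marked initialized, and the per-option label handling in the loop is never reached for an unprivileged caller. The ordering is safe for the values set in the moved block, since an unprivileged caller only gets past the check with `num_opts == 0` (so the loop cannot overwrite `smk_root`/`smk_default` set from `smk_of_current()`), and a privileged caller skips the block entirely. It would help reviewers if the commit message stated explicitly that the -EPERM path now also avoids the allocations done by the option loop, since that is the resource-exhaustion angle the message alludes to.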
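Review bot: the second hunk (@@ -809,31 +834,6 @@) removes a block that is textually identical to the one added in the first hunk, so this is a pure move of the check above the option loop; the 25 insertions / 25 deletions in the diffstat agree with that. One thing to confirm on the full file rather than the hunk: `transmute` is assigned in the moved block and consumed later under the "Initialize the root inode." comment that now immediately follows this hunk, so its declaration and any initialization must still precede the new location, and nothing in the option loop should reset it for the privileged case (the loop and the moved block are mutually exclusive per caller, so this looks fine, but a compile with warnings enabled would settle it).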