From patchwork Mon Jan 4 18:03:45 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 7950081
From: Seth Forshee
To: "Eric W. Biederman", Casey Schaufler
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH RESEND v2 06/18] Smack: Handle labels consistently in untrusted mounts
Date: Mon, 4 Jan 2016 12:03:45 -0600
Message-Id: <1451930639-94331-7-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>
References: <1451930639-94331-1-git-send-email-seth.forshee@canonical.com>

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled differently in untrusted mounts. This is confusing and potentially problematic. Change this to handle them all the same way that SMACK64 is currently handled; that is, read the label from disk and check it at use time. For SMACK64 and SMACK64MMAP access is denied if the label does not match smk_root. To be consistent with suid, a SMACK64EXEC label which does not match smk_root will still allow execution of the file but will not run with the label supplied in the xattr.

Signed-off-by: Seth Forshee Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 16cac04214e2..0e555f64ded0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -921,6 +921,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = file_inode(bprm->file); struct task_smack *bsp = bprm->cred->security; struct inode_smack *isp; + struct superblock_smack *sbsp; int rc; if (bprm->cred_prepared) @@ -930,6 +931,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; + sbsp = inode->i_sb->s_security; + if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && + isp->smk_task != sbsp->smk_root) + return 0; + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { struct task_struct *tracer; rc = 0; @@ -1733,6 +1739,7 @@ static int smack_mmap_file(struct file *file, struct task_smack *tsp; struct smack_known *okp; struct inode_smack *isp; + struct superblock_smack *sbsp; int may; int mmay; int tmay; @@ -1744,6 +1751,10 @@ static int smack_mmap_file(struct file *file, isp = file_inode(file)->i_security; if (isp->smk_mmap == NULL) return 0; + sbsp = file_inode(file)->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && + isp->smk_mmap != sbsp->smk_root) + return -EACCES; mkp = isp->smk_mmap; tsp = current_security(); 
@@ -3532,16 +3543,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; - } + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
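
Review bot: In smack_bprm_set_creds, the new early `return 0` taken when the superblock is SMK_SB_UNTRUSTED and `isp->smk_task != sbsp->smk_root` carries no comment, and a bare success return reads as "nothing to do" rather than "deliberately ignore the on-disk SMACK64EXEC label". The commit message gives the reason (consistency with suid: the file still executes, but not with the label from the xattr); please put that in a comment above the check. The return also sits ahead of the `bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)` block, which is only correct because no label transition happens on this path, so the comment should say so to keep the check from being moved later.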
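
Review bot: In smack_mmap_file, the added condition `sbsp->smk_flags & SMK_SB_UNTRUSTED && isp->smk_mmap != sbsp->smk_root` leaves the bitwise test unparenthesized, while the matching check added to smack_bprm_set_creds in this same patch writes `(sbsp->smk_flags & SMK_SB_UNTRUSTED) &&`. Operator precedence makes it evaluate as intended, but please parenthesize it the same way so the two checks read identically. A blank line between the existing `return 0;` and the new `sbsp = ...` assignment, plus a one-line comment that a SMACK64MMAP label other than smk_root on an untrusted mount is refused with -EACCES, would make the new deny path easier to spot.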
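
Review bot: In smack_d_instantiate, removing the `!(sbsp->smk_flags & SMK_SB_UNTRUSTED)` guard means `isp->smk_task` now holds whatever SMACK64EXEC label was read from an untrusted mount, yet the retained comment still only mentions the "*" and "@" filter. The hunks in this patch add the use-time check only in smack_bprm_set_creds, so any other reader of `isp->smk_task` would need the same SMK_SB_UNTRUSTED test against `sbsp->smk_root`; please confirm there is none, and extend the comment to state that exec and mmap labels from untrusted mounts are stored as read and validated where they are used.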