From patchwork Fri Apr 22 15:38:26 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 8913581
From: Seth Forshee
To: "Eric W. Biederman", Casey Schaufler
Cc: linux-bcache@vger.kernel.org, Serge Hallyn, Seth Forshee, James Morris, dm-devel@redhat.com, Miklos Szeredi, Richard Weinberger, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov
Subject: [PATCH v3 09/21] Smack: Handle labels consistently in untrusted mounts
Date: Fri, 22 Apr 2016 10:38:26 -0500
Message-Id: <1461339521-123191-10-git-send-email-seth.forshee@canonical.com>

The SMACK64, SMACK64EXEC, and SMACK64MMAP labels are all handled
differently in untrusted mounts. This is confusing and
potentially problematic. Change this to handle them all the same
way that SMACK64 is currently handled; that is, read the label
from disk and check it at use time. For SMACK64 and SMACK64MMAP
access is denied if the label does not match smk_root. To be
consistent with suid, a SMACK64EXEC label which does not match
smk_root will still allow execution of the file but will not run
with the label supplied in the xattr.

Signed-off-by: Seth Forshee Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index aa17198cd5f2..ca564590cc1b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -919,6 +919,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) struct inode *inode = file_inode(bprm->file); struct task_smack *bsp = bprm->cred->security; struct inode_smack *isp; + struct superblock_smack *sbsp; int rc; if (bprm->cred_prepared) @@ -928,6 +929,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; + sbsp = inode->i_sb->s_security; + if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && + isp->smk_task != sbsp->smk_root) + return 0; + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { struct task_struct *tracer; rc = 0; @@ -1725,6 +1731,7 @@ static int smack_mmap_file(struct file *file, struct task_smack *tsp; struct smack_known *okp; struct inode_smack *isp; + struct superblock_smack *sbsp; int may; int mmay; int tmay; @@ -1736,6 +1743,10 @@ static int smack_mmap_file(struct file *file, isp = file_inode(file)->i_security; if (isp->smk_mmap == NULL) return 0; + sbsp = file_inode(file)->i_sb->s_security; + if (sbsp->smk_flags & SMK_SB_UNTRUSTED && + isp->smk_mmap != sbsp->smk_root) + return -EACCES; mkp = isp->smk_mmap; tsp = current_security(); 
@@ -3546,16 +3557,14 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (rc >= 0) transflag = SMK_INODE_TRANSMUTE; } - if (!(sbsp->smk_flags & SMK_SB_UNTRUSTED)) { - /* - * Don't let the exec or mmap label be "*" or "@". - */ - skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); - if (IS_ERR(skp) || skp == &smack_known_star || - skp == &smack_known_web) - skp = NULL; - isp->smk_task = skp; - } + /* + * Don't let the exec or mmap label be "*" or "@". + */ + skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); + if (IS_ERR(skp) || skp == &smack_known_star || + skp == &smack_known_web) + skp = NULL; + isp->smk_task = skp; skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); if (IS_ERR(skp) || skp == &smack_known_star ||
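
Review bot: In the smack_bprm_set_creds hunk (@@ -928), the new early "return 0" for an untrusted superblock whose smk_task differs from smk_root carries no comment, and returning success there reads like an oversight next to the -EACCES that smack_mmap_file returns for the equivalent mismatch. A short comment above the if, saying that the exec label from the xattr is ignored but execution is still allowed, to match suid handling as the commit message explains, would keep the intent visible in the code.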
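
Review bot: In the smack_mmap_file hunk (@@ -1736), the condition "sbsp->smk_flags & SMK_SB_UNTRUSTED && isp->smk_mmap != sbsp->smk_root" leaves the bitwise test unparenthesised, while the same test in smack_bprm_set_creds is written "(sbsp->smk_flags & SMK_SB_UNTRUSTED)". Operator precedence gives the intended result, but please parenthesise it here as well so the two checks read the same and nobody has to stop and work out the precedence.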
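
Review bot: In the smack_d_instantiate hunk (@@ -3546), dropping the SMK_SB_UNTRUSTED guard means isp->smk_task can now be non-NULL for inodes on an untrusted superblock, so every reader of smk_task has to compare it against smk_root itself, and this patch adds that comparison in smack_bprm_set_creds only. Please confirm in the commit message that no other user of smk_task needs the same check, and extend the retained comment ("Don't let the exec or mmap label be ...") to say that on untrusted mounts the label is validated at use time rather than here.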