On Mon, 2015-07-27 at 10:27 +0900, Sungbae Yoo wrote:
> So, do you agree to allow the process to change its own labels?

Yes, by using a proper method as I mentioned below (e.g. Smack namespace
posted to this list).

> Now, the init process (e.g. systemd) can't be running in a user namespace
> properly
> because it can't assign a Smack label to a service.
>
> If you agree, I'll upload another patch limited to this.

This won't help. Limiting this to the init process will still allow every
process outside of a namespace to change its own label, still insecure.

> -----Original Message-----
> From: Lukasz Pawelczyk [mailto:l.pawelc...@samsung.com]
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn;
> linux-security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On Fri, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> > If current task has capabilities, Smack operations (eg. Changing
> > own
> > smack
> > label) should be available even inside of namespace.
> >
> > Signed-off-by: Sungbae Yoo <sungbae....@samsung.com>
> >
> > diff --git a/security/smack/smack_access.c
> > b/security/smack/smack_access.c index 00f6b38..f6b2c35 100644
> > --- a/security/smack/smack_access.c
> > +++ b/security/smack/smack_access.c
> > @@ -639,7 +639,7 @@ int smack_privileged(int cap)
> > struct smack_known *skp = smk_of_current();
> > struct smack_onlycap *sop;
> >
> > - if (!capable(cap))
> > + if (!ns_capable(current_user_ns(), cap))
> > return 0;
>
> It's not that easy.
>
> With this change Smack becomes completely insecure. You can change
> rules as an unprivileged user without any problems now.
> What you want is Smack namespace that was made to remedy exactly this
> issue (e.g. changing own labels inside a namespace).
>
> >
> > rcu_read_lock();
> > diff --git a/security/smack/smack_lsm.c
> > b/security/smack/smack_lsm.c
> > index a143328..7fdc3dd 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -403,7 +403,8 @@ static int smk_ptrace_rule_check(struct
> > task_struct *tracer,
> > rc = 0;
> > else if (smack_ptrace_rule ==
> > SMACK_PTRACE_DRACONIAN)
> > rc = -EACCES;
> > - else if (capable(CAP_SYS_PTRACE))
> > + else if (ns_capable(__task_cred(tracer)->user_ns,
> > + CAP_SYS_PTRACE))
> > rc = 0;
> > else
> > rc = -EACCES;
> --
> Lukasz Pawelczyk
> Samsung R&D Institute Poland
> Samsung Electronics
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics
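Review bot: the smack_privileged() hunk replaces `if (!capable(cap))` with `if (!ns_capable(current_user_ns(), cap))`, which makes the check pass for any task that holds the capability in its own user namespace; since an unprivileged user can create a user namespace in which it holds every capability, every Smack operation gated by smack_privileged() (rule loading and relabelling included) becomes reachable without real privilege, which is exactly the breakage the reply describes. smack_privileged() guards global, non-namespaced Smack state, so the check should stay `capable(cap)` (equivalently, capability in &init_user_ns) until Smack policy itself is namespace-aware, as the Smack namespace series mentioned in the thread intends. The commit message should also say why the relaxed check is safe rather than only that it is wanted for init inside a namespace.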
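Review bot: in the smk_ptrace_rule_check() hunk, `else if (ns_capable(__task_cred(tracer)->user_ns, CAP_SYS_PTRACE))` evaluates the override in the tracer's own user namespace, so a tracer that has unshared a user namespace holds CAP_SYS_PTRACE there and passes the check against a tracee with a different Smack label, bypassing the SMACK_PTRACE_EXACT rule for any unprivileged user. A ptrace capability exception has to be judged in a namespace that contains the tracee, not one the tracer happens to own, and this hunk gives the function no access to the tracee's credentials; until that is plumbed through, `capable(CAP_SYS_PTRACE)` is the safer check to keep.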