
selinux: distinguish non-init user namespace capability checks

Distinguish capability checks against a target associated
with the init user namespace versus capability checks against
a target associated with a non-init user namespace by defining
and using separate security classes for the latter.

This is needed to support e.g. Chrome's use of user namespaces
for its sandbox without also having to allow Chrome to
exercise capabilities on targets in the init user namespace.

Suggested-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Stephen Smalley and committed by
Paul Moore
8e4ff6f2 1ac42476

+25 -17
+7 -7
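--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1631,7 +1631,7 @@
 
 /* Check whether a task is allowed to use a capability. */
 static int cred_has_capability(const struct cred *cred,
-			       int cap, int audit)
+			       int cap, int audit, bool initns)
 {
 	struct common_audit_data ad;
 	struct av_decision avd;
@@ -1645,10 +1645,10 @@
 
 	switch (CAP_TO_INDEX(cap)) {
 	case 0:
-		sclass = SECCLASS_CAPABILITY;
+		sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
 		break;
 	case 1:
-		sclass = SECCLASS_CAPABILITY2;
+		sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
 		break;
 	default:
 		printk(KERN_ERR
@@ -2152,7 +2152,7 @@
 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
 			   int cap, int audit)
 {
-	return cred_has_capability(cred, cap, audit);
+	return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
 }
 
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
@@ -2230,7 +2230,7 @@
 	int rc, cap_sys_admin = 0;
 
 	rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
-				 SECURITY_CAP_NOAUDIT);
+				 SECURITY_CAP_NOAUDIT, true);
 	if (rc == 0)
 		cap_sys_admin = 1;
 
@@ -3213,7 +3213,7 @@
 			    SECURITY_CAP_NOAUDIT);
 	if (!error)
 		error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
-					    SECURITY_CAP_NOAUDIT);
+					    SECURITY_CAP_NOAUDIT, true);
 	isec = inode_security(inode);
 	if (!error)
 		error = security_sid_to_context_force(isec->sid, &context,
@@ -3390,7 +3390,7 @@
 	case KDSKBENT:
 	case KDSKBSENT:
 		error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
-					    SECURITY_CAP_AUDIT);
+					    SECURITY_CAP_AUDIT, true);
 		break;
 
 	/* default case assumes that the command will go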
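Review bot: The comment above `cred_has_capability` at 1632 still reads `/* Check whether a task is allowed to use a capability. */` and says nothing about the new `initns` argument, even though that flag now decides between the capability/capability2 classes and the new cap_userns/cap2_userns classes at 1648 and 1651. I would extend it to `/* Check whether a task is allowed to use a capability; initns selects the init-namespace classes, otherwise the cap_userns/cap2_userns classes are checked. */`. The call sites at 2233, 3216 and 3393 pass a bare literal `true`, which is hard to read at a glance; a short `/* target is global, not namespaced */` at each call, or a comment noting that only selinux_capable derives the flag from `ns == &init_user_ns`, would make the intent explicit. The body of cred_has_capability continues outside the hunk.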
+18 -10
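--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,6 +12,18 @@
 #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
 	    "write", "associate", "unix_read", "unix_write"
 
+#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
+	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
+	    "linux_immutable", "net_bind_service", "net_broadcast", \
+	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
+	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
+	    "sys_boot", "sys_nice", "sys_resource", "sys_time", \
+	    "sys_tty_config", "mknod", "lease", "audit_write", \
+	    "audit_control", "setfcap"
+
+#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
+	    "wake_alarm", "block_suspend", "audit_read"
+
 /*
  * Note: The name for any socket class should be suffixed by "socket",
  * and doesn't contain more than one substr of "socket".
@@ -46,14 +34,7 @@
 	  { "ipc_info", "syslog_read", "syslog_mod",
 	    "syslog_console", "module_request", "module_load", NULL } },
 	{ "capability",
-	  { "chown", "dac_override", "dac_read_search",
-	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
-	    "linux_immutable", "net_bind_service", "net_broadcast",
-	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
-	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
-	    "sys_boot", "sys_nice", "sys_resource", "sys_time",
-	    "sys_tty_config", "mknod", "lease", "audit_write",
-	    "audit_control", "setfcap", NULL } },
+	  { COMMON_CAP_PERMS, NULL } },
 	{ "filesystem",
 	  { "mount", "remount", "unmount", "getattr",
 	    "relabelfrom", "relabelto", "associate", "quotamod",
@@ -155,12 +150,15 @@
 	{ "memprotect", { "mmap_zero", NULL } },
 	{ "peer", { "recv", NULL } },
 	{ "capability2",
-	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
-	    "audit_read", NULL } },
+	  { COMMON_CAP2_PERMS, NULL } },
 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
 	{ "tun_socket",
 	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
 	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
 		      NULL } },
+	{ "cap_userns",
+	  { COMMON_CAP_PERMS, NULL } },
+	{ "cap2_userns",
+	  { COMMON_CAP2_PERMS, NULL } },
 	{ NULL }
 };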