
Smack: Privilege check on key operations

Smack: Privilege check on key operations

Operations on key objects are subjected to Smack policy
even if the process is privileged. This is inconsistent
with the general behavior of Smack and may cause issues
with authentication by privileged daemons. This patch
allows processes with CAP_MAC_OVERRIDE to access keys
even if the Smack rules indicate otherwise.

Reported-by: Jose Bollo <jobol@nonadev.net>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

+34 -11
+1
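--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -321,6 +321,7 @@
 void smk_insert_entry(struct smack_known *skp);
 struct smack_known *smk_find_entry(const char *);
 bool smack_privileged(int cap);
+bool smack_privileged_cred(int cap, const struct cred *cred);
 void smk_destroy_label_list(struct list_head *list);
 
 /*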
+29 -11
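--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -623,25 +623,23 @@
 LIST_HEAD(smack_onlycap_list);
 DEFINE_MUTEX(smack_onlycap_lock);
 
-/*
+/**
+ * smack_privileged_cred - are all privilege requirements met by cred
+ * @cap: The requested capability
+ * @cred: the credential to use
+ *
  * Is the task privileged and allowed to be privileged
  * by the onlycap rule.
  *
  * Returns true if the task is allowed to be privileged, false if it's not.
  */
-bool smack_privileged(int cap)
+bool smack_privileged_cred(int cap, const struct cred *cred)
 {
-	struct smack_known *skp = smk_of_current();
+	struct task_smack *tsp = cred->security;
+	struct smack_known *skp = tsp->smk_task;
 	struct smack_known_list_elem *sklep;
 	int rc;
 
-	/*
-	 * All kernel tasks are privileged
-	 */
-	if (unlikely(current->flags & PF_KTHREAD))
-		return true;
-
-	rc = cap_capable(current_cred(), &init_user_ns, cap,
-			SECURITY_CAP_AUDIT);
+	rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
 	if (rc)
 		return false;
@@ -659,4 +661,24 @@
 	rcu_read_unlock();
 
 	return false;
+}
+
+/**
+ * smack_privileged - are all privilege requirements met
+ * @cap: The requested capability
+ *
+ * Is the task privileged and allowed to be privileged
+ * by the onlycap rule.
+ *
+ * Returns true if the task is allowed to be privileged, false if it's not.
+ */
+bool smack_privileged(int cap)
+{
+	/*
+	 * All kernel tasks are privileged
+	 */
+	if (unlikely(current->flags & PF_KTHREAD))
+		return true;
+
+	return smack_privileged_cred(cap, current_cred());
 }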
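Review bot: The kernel-doc for smack_privileged_cred still reads "Is the task privileged", but the function now evaluates the cred handed in rather than the current task, and unlike smack_privileged() it does not exempt kernel threads — the PF_KTHREAD shortcut is removed from the first hunk and lives only in the wrapper added in the second. A caller passing a kthread's cred therefore gets a real cap_capable() plus onlycap check, which is worth stating so nobody relies on the old exemption; suggested description text: `Is the cred privileged and allowed to be privileged by the onlycap rule. Kernel threads are not exempted here; see smack_privileged().` The onlycap list walk between the two hunks lies outside the diff and is unchanged.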
+4
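--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4369,6 +4369,10 @@
 	 */
 	if (tkp == NULL)
 		return -EACCES;
+
+	if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
+		return 0;
+
 #ifdef CONFIG_AUDIT
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
 	ad.a.u.key_struct.key = keyp->serial;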
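Review bot: The new early return sits before the CONFIG_AUDIT setup and before the Smack rule check, so a CAP_MAC_OVERRIDE holder bypasses a rule that would otherwise deny the key access without any Smack audit record of it; whether the capability check itself leaves a record depends on cap_capable() and is not visible in this hunk. A short comment would make the intent and the ordering explicit, e.g. `/* CAP_MAC_OVERRIDE, still subject to onlycap, bypasses the Smack rule check on keys */` above the `if`. The check is also placed after the `tkp == NULL` test, so an unlabeled cred is refused even when privileged — if that is intended, the same comment should say so. The enclosing function (presumably the key permission hook) starts and ends outside the hunk.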