[PATCH v3 00/11] Smack namespace

From: Lukasz Pawelczyk
Date: Fri Jul 24 2015 - 06:08:46 EST


Third version of Smack namespace. Changes here are mostly because of
Stephen Smalley's review:

https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg899383.html
https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg898638.html

1. the label map should be in /proc/.../attr/label_map and be handled
generically.
2. The proper file system label (unmapped) should be written only once
to remove a state where an incorrect label is on the filesystem.

Ad 1: Contrary to what Stephen said, this unfortunately required LSM
modifications.

For reading: the map can be long, in principle longer than PAGE_SIZE to
which normal getprocattr hook is limited. So I invented a way for
getprocattr to be handled by seq operations. I think it is generic and
can be reused nicely by other LSMs. Also it doesn't break current LSM
code in any way. This created a new patch.

For writing: the default setprocattr arguments were not enough for me
to securely decide if the write access should be granted. To be in
parallel with user namespace I also needed credentials of the process
that actually opened the map (in addition to current). So I added a new
argument. This is also a new patch.

Ad 2: I really tried to make it work without introducing a new LSM
hook but changing a little semantics behind the current ones. Finally
I just added a simple inode_pre_setxattr hook that can swap the label
before it is written to the filesystem. Hopefully this is ok. I
couldn't do this in inode_setxattr hook as Stephen suggested as this
hook is called before __vfs_setxattr_noperm which is an exported
symbol and is used sometimes without setxattr hence the logic had to
be inside that one. This is also a new patch.

I also added a new patch that "fixes" smackfs/syslog. I've noticed that
inside a namespace when I cat the file it shows "*", even when I
remapped the star. After looking at the code, it turned out the star was
implicitly displayed when the label is not set. There were a few problems
with it:

1. In a namespace we can see a label that is not mapped.
2. There was no way to actually reset the value to default (NULL).
3. It was inconsistent from user space point of view:

# cat /smack/syslog
*

After the reboot the syslog hook doesn't limit anything, the
smack_syslog_label is NULL, but it displays star.

# echo '*' > /smack/syslog
# cat /smack/syslog
*

From the user space POV this is the same, the file has a star inside, but
now for the hook to pass the current needs to be star as well. And there
is no way to reset it back to NULL. So I treated the syslog file the same
way unconfined and onlycap are handled. If it's empty, there is no label
set and the hook doesn't limit anything (except for the cap). When it's
filled, current needs to be equal for the hook to pass (as was before).
But now it can be reset back to NULL by writing an EINVAL value (e.g.
-syslog). The syslog hook itself was not modified, only the file handling.

Changes from v2:
- fix for config ifdefs in user_ns LSM hooks patch (CONFIG_USER_NS
should've been used instead of CONFIG_SECURITY in several places)
- new patch for "smack_map" -> "attr/label_map" and new related
getprocattr_seq lsm hook. With this change the code in further
patches for handling smack_map has been moved to this new method
- new patch for setprocattr hook new argument, file's opener creds
- new patch for inode_pre_setxattr LSM hook
- new patch related to handling smackfs/syslog

Changes from v1:
- "kernel/exit.c: make sure current's nsproxy != NULL while checking
caps" patch has been dropped
- fixed the title of the user_ns operations patch

Lukasz Pawelczyk (11):
user_ns: 3 new LSM hooks for user namespace operations
lsm: /proc/$PID/attr/label_map file and getprocattr_seq hook
lsm: add file opener's cred to a setprocattr arguments
lsm: inode_pre_setxattr hook
smack: extend capability functions and fix 2 checks
smack: don't use implicit star to display smackfs/syslog
smack: abstraction layer for 2 common Smack operations
smack: misc cleanups in preparation for a namespace patch
smack: namespace groundwork
smack: namespace implementation
smack: documentation for the Smack namespace

Documentation/security/00-INDEX | 2 +
Documentation/security/Smack-namespace.txt | 231 +++++++++++
MAINTAINERS | 1 +
fs/proc/base.c | 83 +++-
fs/xattr.c | 10 +
include/linux/lsm_hooks.h | 70 +++-
include/linux/security.h | 49 ++-
include/linux/user_namespace.h | 4 +
kernel/user.c | 3 +
kernel/user_namespace.c | 18 +
security/apparmor/lsm.c | 5 +-
security/security.c | 54 ++-
security/selinux/hooks.c | 2 +-
security/smack/Kconfig | 12 +
security/smack/Makefile | 1 +
security/smack/smack.h | 125 +++++-
security/smack/smack_access.c | 262 ++++++++++--
security/smack/smack_lsm.c | 615 +++++++++++++++++++++--------
security/smack/smack_ns.c | 443 +++++++++++++++++++++
security/smack/smackfs.c | 188 +++++----
20 files changed, 1892 insertions(+), 286 deletions(-)
create mode 100644 Documentation/security/Smack-namespace.txt
create mode 100644 security/smack/smack_ns.c

--
2.4.3
