authorCasey Schaufler <casey.schaufler@intel.com>2018-09-18 19:09:16 -0400
committerCasey Schaufler <casey.schaufler@intel.com>2018-09-18 19:09:16 -0400
commitdcb569cf6ac99ca899b8109c128b6ae52477a015 (patch)
treeb14cf0aa118950016081ceed940f55269dc400db /security
parent76c9805b28557d0b6d439359350061ed0a9395e3 (diff)
Smack: ptrace capability use fixes
This fixes a pair of problems in the Smack ptrace checks related to checking capabilities. In both cases, as reported by Lukasz Pawelczyk, the raw capability calls are used rather than the Smack wrapper that checks additional restrictions. In one case, as reported by Jann Horn, the wrong task is being checked for capabilities. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack_lsm.c13
1 files changed, 10 insertions, 3 deletions
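--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -421,6 +421,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
 	struct smk_audit_info ad, *saip = NULL;
 	struct task_smack *tsp;
 	struct smack_known *tracer_known;
+	const struct cred *tracercred;
 
 	if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
 		smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
@@ -429,7 +430,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
 	}
 
 	rcu_read_lock();
-	tsp = __task_cred(tracer)->security;
+	tracercred = __task_cred(tracer);
+	tsp = tracercred->security;
 	tracer_known = smk_of_task(tsp);
 
 	if ((mode & PTRACE_MODE_ATTACH) &&
@@ -439,7 +441,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
 		rc = 0;
 	else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
 		rc = -EACCES;
-	else if (capable(CAP_SYS_PTRACE))
+	else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred))
 		rc = 0;
 	else
 		rc = -EACCES;
@@ -1841,6 +1843,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
 {
 	struct smack_known *skp;
 	struct smack_known *tkp = smk_of_task(tsk->cred->security);
+	const struct cred *tcred;
 	struct file *file;
 	int rc;
 	struct smk_audit_info ad;
@@ -1854,8 +1857,12 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
 	skp = file->f_security;
 	rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
 	rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
-	if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
+
+	rcu_read_lock();
+	tcred = __task_cred(tsk);
+	if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred))
 		rc = 0;
+	rcu_read_unlock();
 
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
 	smk_ad_setfield_u_tsk(&ad, tsk);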
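Review bot: In smack_file_send_sigiotask the credential read is now split across two regimes: `tkp` is still derived from `tsk->cred->security` in the declaration (new line 1845) outside any RCU section, while the new lines 1861-1863 take rcu_read_lock() and go through `__task_cred(tsk)` for the privilege check, so the label and the capability check can come from different cred objects if tsk's credentials change in between. Moving the `rcu_read_lock(); tcred = __task_cred(tsk);` pair ahead of the `skp = file->f_security;` line and deriving the label there with `tkp = smk_of_task(tcred->security);` (leaving `struct smack_known *tkp;` uninitialised in the declaration) keeps both reads on one cred snapshot; whether smk_access() and smk_bu_note() may be called under rcu_read_lock() is not visible in the hunk and should be confirmed before moving them. The earlier hunks in smk_ptrace_rule_check already follow that pattern by reading `tracercred` under rcu_read_lock(), assuming the matching rcu_read_unlock() sits after the smack_privileged_cred() call, which is outside the hunk. The body of smack_file_send_sigiotask continues past the end of the hunk.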