authorCasey Schaufler <casey@schaufler-ca.com>2013-12-16 19:27:26 -0500
committerCasey Schaufler <casey@schaufler-ca.com>2013-12-19 16:05:24 -0500
commit19760ad03cc639d6f6f8e9beff0f8e6df654b677 (patch)
tree66f40219fd1a35b7d6bee6eab7aee0fa8405a287 /security/smack
parent398ce073700a2a3e86b5a0b1edecdddfa3996b27 (diff)
Smack: Prevent the * and @ labels from being used in SMACK64EXEC
Smack prohibits processes from using the star ("*") and web ("@") labels because we don't want files with those labels getting created implicitly. All setting of those labels should be done explicitly. The trouble is that there is no check for these labels in the processing of SMACK64EXEC. This change adds that check. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack')
-rw-r--r--security/smack/smack_lsm.c53
1 files changed, 37 insertions, 16 deletions
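diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b0be893ad44d..62ebf4f8a6c7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -837,31 +837,43 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
 				const void *value, size_t size, int flags)
 {
 	struct smk_audit_info ad;
+	struct smack_known *skp;
+	int check_priv = 0;
+	int check_import = 0;
+	int check_star = 0;
 	int rc = 0;
 
+	/*
+	 * Check label validity here so import won't fail in post_setxattr
+	 */
 	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
 	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
-	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
-	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
-	    strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
-		if (!smack_privileged(CAP_MAC_ADMIN))
-			rc = -EPERM;
-		/*
-		 * check label validity here so import wont fail on
-		 * post_setxattr
-		 */
-		if (size == 0 || size >= SMK_LONGLABEL ||
-		    smk_import(value, size) == NULL)
-			rc = -EINVAL;
+	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
+		check_priv = 1;
+		check_import = 1;
+	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
+		   strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
+		check_priv = 1;
+		check_import = 1;
+		check_star = 1;
 	} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
-		if (!smack_privileged(CAP_MAC_ADMIN))
-			rc = -EPERM;
+		check_priv = 1;
 		if (size != TRANS_TRUE_SIZE ||
 		    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
 			rc = -EINVAL;
 	} else
 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
 
+	if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
+		rc = -EPERM;
+
+	if (rc == 0 && check_import) {
+		skp = smk_import_entry(value, size);
+		if (skp == NULL || (check_star &&
+		    (skp == &smack_known_star || skp == &smack_known_web)))
+			rc = -EINVAL;
+	}
+
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
 	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
 
@@ -2847,8 +2859,17 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 			if (rc >= 0)
 				transflag = SMK_INODE_TRANSMUTE;
 		}
-		isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
-		isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
+		/*
+		 * Don't let the exec or mmap label be "*" or "@".
+		 */
+		skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
+		if (skp == &smack_known_star || skp == &smack_known_web)
+			skp = NULL;
+		isp->smk_task = skp;
+		skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
+		if (skp == &smack_known_star || skp == &smack_known_web)
+			skp = NULL;
+		isp->smk_mmap = skp;
 
 		dput(dp);
 		break;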
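Review bot: The explicit length guard the old smack_inode_setxattr body had at old line 853, `size == 0 || size >= SMK_LONGLABEL`, has no visible replacement in the new code; new lines 870-874 rely entirely on `smk_import_entry(value, size)` returning NULL for a bad length, and nothing in this hunk shows that it does. If the importer treats a zero length as "use strlen()" (as I believe the Smack label parser does, though that is outside the hunk), a zero-size setxattr from a CAP_MAC_ADMIN caller, for which the VFS may hand down value == NULL, would reach the parser with a NULL pointer, and an over-long value would be bounded only by whatever the parser does internally. I would keep the guard and fail before importing, placing `if (rc == 0 && check_import && (size == 0 || size >= SMK_LONGLABEL))` / `rc = -EINVAL;` immediately before the `if (rc == 0 && check_import) {` block at line 870. The body of smack_inode_setxattr continues past the end of this hunk, and the SMACK64MMAP path now shares this code so the same argument applies to it.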