Commit d19dfe58 authored by Casey Schaufler's avatar Casey Schaufler

Smack: Privilege check on key operations

Smack: Privilege check on key operations

Operations on key objects are subjected to Smack policy
even if the process is privileged. This is inconsistent
with the general behavior of Smack and may cause issues
with authentication by privileged daemons. This patch
allows processes with CAP_MAC_OVERRIDE to access keys
even if the Smack rules indicate otherwise.
Reported-by: default avatarJose Bollo <jobol@nonadev.net>
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
parent da49b5da
...@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); ...@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
void smk_insert_entry(struct smack_known *skp); void smk_insert_entry(struct smack_known *skp);
struct smack_known *smk_find_entry(const char *); struct smack_known *smk_find_entry(const char *);
bool smack_privileged(int cap); bool smack_privileged(int cap);
bool smack_privileged_cred(int cap, const struct cred *cred);
void smk_destroy_label_list(struct list_head *list); void smk_destroy_label_list(struct list_head *list);
/* /*
...@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) ...@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
LIST_HEAD(smack_onlycap_list); LIST_HEAD(smack_onlycap_list);
DEFINE_MUTEX(smack_onlycap_lock); DEFINE_MUTEX(smack_onlycap_lock);
/* /**
* smack_privileged_cred - are all privilege requirements met by cred
* @cap: The requested capability
* @cred: the credential to use
*
* Is the task privileged and allowed to be privileged * Is the task privileged and allowed to be privileged
* by the onlycap rule. * by the onlycap rule.
* *
* Returns true if the task is allowed to be privileged, false if it's not. * Returns true if the task is allowed to be privileged, false if it's not.
*/ */
bool smack_privileged(int cap) bool smack_privileged_cred(int cap, const struct cred *cred)
{ {
struct smack_known *skp = smk_of_current(); struct task_smack *tsp = cred->security;
struct smack_known *skp = tsp->smk_task;
struct smack_known_list_elem *sklep; struct smack_known_list_elem *sklep;
int rc; int rc;
/* rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
* All kernel tasks are privileged
*/
if (unlikely(current->flags & PF_KTHREAD))
return true;
rc = cap_capable(current_cred(), &init_user_ns, cap,
SECURITY_CAP_AUDIT);
if (rc) if (rc)
return false; return false;
...@@ -662,3 +660,23 @@ bool smack_privileged(int cap) ...@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
return false; return false;
} }
/**
* smack_privileged - are all privilege requirements met
* @cap: The requested capability
*
* Is the task privileged and allowed to be privileged
* by the onlycap rule.
*
* Returns true if the task is allowed to be privileged, false if it's not.
*/
bool smack_privileged(int cap)
{
/*
* All kernel tasks are privileged
*/
if (unlikely(current->flags & PF_KTHREAD))
return true;
return smack_privileged_cred(cap, current_cred());
}
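Review bot: smack_privileged_cred() dereferences `cred->security` on its first line (`struct task_smack *tsp = cred->security;`) and then `tsp->smk_task` without checking either `cred` or `tsp` for NULL, so every caller must hand it a fully populated credential; the kerneldoc should state that contract instead of leaving it implicit. Suggested replacement for the `@cred` line: `@cred: the credential to check; must be non-NULL with an initialized Smack security blob`. The PF_KTHREAD short-circuit now lives only in smack_privileged(), so a caller passing a kernel thread's cred to smack_privileged_cred() goes through cap_capable() rather than being granted outright — presumably intended, but one sentence in the header comment would make that explicit. The body of smack_privileged_cred() continues past the first hunk (its onlycap list check is not shown here), so the rest of its use of `rc` cannot be reviewed from this page.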
...@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, ...@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
*/ */
if (tkp == NULL) if (tkp == NULL)
return -EACCES; return -EACCES;
if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
return 0;
#ifdef CONFIG_AUDIT #ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key = keyp->serial;
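Review bot: The new CAP_MAC_OVERRIDE short-circuit returns before `smk_ad_init()` is reached, so an override of a Smack key rule leaves no Smack access-audit record from this hook; the capability check itself is audited inside smack_privileged_cred() via cap_capable(..., SECURITY_CAP_AUDIT), which is probably adequate, but the placement should be documented so nobody later moves the check below the audit setup by accident, e.g. `/* Privileged tasks bypass Smack key rules; cap_capable() audits the capability use. */` above the `if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))` line. Keeping the check after the `tkp == NULL` guard looks right, since a credential already rejected as unlabeled never reaches the override. smack_key_permission() begins and ends outside this hunk, so it cannot be confirmed here that `cred` is the hook's credential parameter rather than a local; worth a glance at the function head.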