diff options
author | Yannick GICQUEL <yannick.gicquel@iot.bzh> | 2015-10-19 15:57:07 +0200 |
---|---|---|
committer | Gerrit Code Review <gerrit@172.30.200.200> | 2015-11-06 15:23:36 +0000 |
commit | ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch) | |
tree | 47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch | |
parent | 1cd8ab18abca96e4ee108f80225058d875b28347 (diff) |
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support
on kernel side. For more details, see file:
meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README
Please note that patches are applied only if "smack" is in the
ditro features. Here are the 2 lines to add in the local.conf
OVERRIDES .= ":smack"
DISTRO_FEATURES_append = " smack"
Change-Id: I147a3532aec531f977d6ec34c576261835711f1e
Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch')
-rw-r--r-- | meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch new file mode 100644 index 0000000..43e9fc7 --- /dev/null +++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0016-Smack-Prevent-the-and-labels-from-being-used-in-SMAC.patch @@ -0,0 +1,104 @@ +From 7e4d45e539473706108e6b77dd9c7a6d70a40ffb Mon Sep 17 00:00:00 2001 +From: Casey Schaufler <casey@schaufler-ca.com> +Date: Mon, 16 Dec 2013 16:27:26 -0800 +Subject: [PATCH 16/54] Smack: Prevent the * and @ labels from being used in + SMACK64EXEC + +Smack prohibits processes from using the star ("*") and web ("@") labels +because we don't want files with those labels getting created implicitly. +All setting of those labels should be done explicitly. The trouble is that +there is no check for these labels in the processing of SMACK64EXEC. That +is repaired. + +Targeted for git://git.gitorious.org/smack-next/kernel.git + +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> +--- + security/smack/smack_lsm.c | 53 ++++++++++++++++++++++++++++++++-------------- + 1 file changed, 37 insertions(+), 16 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index b0be893..62ebf4f 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -837,31 +837,43 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) + { + struct smk_audit_info ad; ++ struct smack_known *skp; ++ int check_priv = 0; ++ int check_import = 0; ++ int check_star = 0; + int rc = 0; + ++ /* ++ * Check label validity here so import won't fail in post_setxattr ++ */ + if (strcmp(name, XATTR_NAME_SMACK) == 0 || + strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || +- strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || +- strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || +- strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { +- if (!smack_privileged(CAP_MAC_ADMIN)) +- rc = -EPERM; +- /* +- * check label validity here so import wont fail on +- * post_setxattr +- */ +- if (size == 0 || size >= SMK_LONGLABEL || +- smk_import(value, size) == NULL) +- rc = -EINVAL; ++ strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { ++ check_priv = 1; ++ check_import = 1; ++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || ++ strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { ++ check_priv = 1; ++ check_import = 1; ++ check_star = 1; + } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { +- if (!smack_privileged(CAP_MAC_ADMIN)) +- rc = -EPERM; ++ check_priv = 1; + if (size != TRANS_TRUE_SIZE || + strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) + rc = -EINVAL; + } else + rc = cap_inode_setxattr(dentry, name, value, size, flags); + ++ if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) ++ rc = -EPERM; ++ ++ if (rc == 0 && check_import) { ++ skp = smk_import_entry(value, size); ++ if (skp == NULL || (check_star && ++ (skp == &smack_known_star || skp == &smack_known_web))) ++ rc = -EINVAL; ++ } ++ + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + +@@ -2847,8 +2859,17 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) + if (rc >= 0) + transflag = SMK_INODE_TRANSMUTE; + } +- isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); +- isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); ++ /* ++ * Don't let the exec or mmap label be "*" or "@". ++ */ ++ skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); ++ if (skp == &smack_known_star || skp == &smack_known_web) ++ skp = NULL; ++ isp->smk_task = skp; ++ skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); ++ if (skp == &smack_known_star || skp == &smack_known_web) ++ skp = NULL; ++ isp->smk_mmap = skp; + + dput(dp); + break; +-- +2.1.4 + |