summaryrefslogtreecommitdiffstats
path: root/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch233
1 files changed, 233 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch
new file mode 100644
index 0000000..0efd7db
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0026-Smack-adds-smackfs-ptrace-interface.patch
@@ -0,0 +1,233 @@
+From 9cb98c12dbf89a36970b0ee9c4b61c98ccd61d76 Mon Sep 17 00:00:00 2001
+From: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Date: Tue, 11 Mar 2014 17:07:06 +0100
+Subject: [PATCH 26/54] Smack: adds smackfs/ptrace interface
+
+This allows to limit ptrace beyond the regular smack access rules.
+It adds a smackfs/ptrace interface that allows smack to be configured
+to require equal smack labels for PTRACE_MODE_ATTACH access.
+See the changes in Documentation/security/Smack.txt below for details.
+
+Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+---
+ Documentation/security/Smack.txt | 10 ++++++
+ security/smack/smack.h | 9 +++++
+ security/smack/smack_access.c | 5 ++-
+ security/smack/smack_lsm.c | 22 +++++++++++-
+ security/smack/smackfs.c | 74 ++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 118 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
+index 7a2d30c..5597917 100644
+--- a/Documentation/security/Smack.txt
++++ b/Documentation/security/Smack.txt
+@@ -204,6 +204,16 @@ onlycap
+ these capabilities are effective at for processes with any
+ label. The value is set by writing the desired label to the
+ file or cleared by writing "-" to the file.
++ptrace
++ This is used to define the current ptrace policy
++ 0 - default: this is the policy that relies on smack access rules.
++ For the PTRACE_READ a subject needs to have a read access on
++ object. For the PTRACE_ATTACH a read-write access is required.
++ 1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
++ only allowed when subject's and object's labels are equal.
++ PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE.
++ 2 - draconian: this policy behaves like the 'exact' above with an
++ exception that it can't be overriden with CAP_SYS_PTRACE.
+ revoke-subject
+ Writing a Smack label here sets the access to '-' for all access
+ rules with that subject label.
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index b9dfc4e..fade085 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -177,6 +177,14 @@ struct smk_port_label {
+ #define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
+
+ /*
++ * Ptrace rules
++ */
++#define SMACK_PTRACE_DEFAULT 0
++#define SMACK_PTRACE_EXACT 1
++#define SMACK_PTRACE_DRACONIAN 2
++#define SMACK_PTRACE_MAX SMACK_PTRACE_DRACONIAN
++
++/*
+ * Flags for untraditional access modes.
+ * It shouldn't be necessary to avoid conflicts with definitions
+ * in fs.h, but do so anyway.
+@@ -245,6 +253,7 @@ extern struct smack_known *smack_net_ambient;
+ extern struct smack_known *smack_onlycap;
+ extern struct smack_known *smack_syslog_label;
+ extern const char *smack_cipso_option;
++extern int smack_ptrace_rule;
+
+ extern struct smack_known smack_known_floor;
+ extern struct smack_known smack_known_hat;
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index f161deb..c062e94 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -304,7 +304,10 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
+ audit_log_untrustedstring(ab, sad->subject);
+ audit_log_format(ab, " object=");
+ audit_log_untrustedstring(ab, sad->object);
+- audit_log_format(ab, " requested=%s", sad->request);
++ if (sad->request[0] == '\0')
++ audit_log_format(ab, " labels_differ");
++ else
++ audit_log_format(ab, " requested=%s", sad->request);
+ }
+
+ /**
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 72438156..91a447a 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -178,7 +178,8 @@ static inline unsigned int smk_ptrace_mode(unsigned int mode)
+ /**
+ * smk_ptrace_rule_check - helper for ptrace access
+ * @tracer: tracer process
+- * @tracee_label: label of the process that's about to be traced
++ * @tracee_label: label of the process that's about to be traced,
++ * the pointer must originate from smack structures
+ * @mode: ptrace attachment mode (PTRACE_MODE_*)
+ * @func: name of the function that called us, used for audit
+ *
+@@ -201,6 +202,25 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
+ tsp = task_security(tracer);
+ skp = smk_of_task(tsp);
+
++ if ((mode & PTRACE_MODE_ATTACH) &&
++ (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
++ smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
++ if (skp->smk_known == tracee_label)
++ rc = 0;
++ else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
++ rc = -EACCES;
++ else if (capable(CAP_SYS_PTRACE))
++ rc = 0;
++ else
++ rc = -EACCES;
++
++ if (saip)
++ smack_log(skp->smk_known, tracee_label, 0, rc, saip);
++
++ return rc;
++ }
++
++ /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
+ rc = smk_tskacc(tsp, tracee_label, smk_ptrace_mode(mode), saip);
+ return rc;
+ }
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 3198cfe..177d878 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -53,6 +53,7 @@ enum smk_inos {
+ SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
+ SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
+ SMK_SYSLOG = 20, /* change syslog label) */
++ SMK_PTRACE = 21, /* set ptrace rule */
+ };
+
+ /*
+@@ -101,6 +102,15 @@ struct smack_known *smack_onlycap;
+ struct smack_known *smack_syslog_label;
+
+ /*
++ * Ptrace current rule
++ * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based)
++ * SMACK_PTRACE_EXACT labels must match, but can be overriden with
++ * CAP_SYS_PTRACE
++ * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect
++ */
++int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
++
++/*
+ * Certain IP addresses may be designated as single label hosts.
+ * Packets are sent there unlabeled, but only from tasks that
+ * can write to the specified label.
+@@ -2244,6 +2254,68 @@ static const struct file_operations smk_syslog_ops = {
+
+
+ /**
++ * smk_read_ptrace - read() for /smack/ptrace
++ * @filp: file pointer, not actually used
++ * @buf: where to put the result
++ * @count: maximum to send along
++ * @ppos: where to start
++ *
++ * Returns number of bytes read or error code, as appropriate
++ */
++static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
++ size_t count, loff_t *ppos)
++{
++ char temp[32];
++ ssize_t rc;
++
++ if (*ppos != 0)
++ return 0;
++
++ sprintf(temp, "%d\n", smack_ptrace_rule);
++ rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
++ return rc;
++}
++
++/**
++ * smk_write_ptrace - write() for /smack/ptrace
++ * @file: file pointer
++ * @buf: data from user space
++ * @count: bytes sent
++ * @ppos: where to start - must be 0
++ */
++static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos)
++{
++ char temp[32];
++ int i;
++
++ if (!smack_privileged(CAP_MAC_ADMIN))
++ return -EPERM;
++
++ if (*ppos != 0 || count >= sizeof(temp) || count == 0)
++ return -EINVAL;
++
++ if (copy_from_user(temp, buf, count) != 0)
++ return -EFAULT;
++
++ temp[count] = '\0';
++
++ if (sscanf(temp, "%d", &i) != 1)
++ return -EINVAL;
++ if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
++ return -EINVAL;
++ smack_ptrace_rule = i;
++
++ return count;
++}
++
++static const struct file_operations smk_ptrace_ops = {
++ .write = smk_write_ptrace,
++ .read = smk_read_ptrace,
++ .llseek = default_llseek,
++};
++
++/**
+ * smk_fill_super - fill the smackfs superblock
+ * @sb: the empty superblock
+ * @data: unused
+@@ -2296,6 +2368,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
+ "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
+ [SMK_SYSLOG] = {
+ "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
++ [SMK_PTRACE] = {
++ "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
+ /* last one */
+ {""}
+ };
+--
+2.1.4
+