1 Smack: Privilege check on key operations
3 Operations on key objects are subjected to Smack policy
4 even if the process is privileged. This is inconsistent
5 with the general behavior of Smack and may cause issues
6 with authentication by privileged daemons. This patch
7 allows processes with CAP_MAC_OVERRIDE to access keys
8 even if the Smack rules indicate otherwise.
10 Reported-by: Jose Bollo <jobol@nonadev.net>
11 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 security/smack/smack.h | 1 +
14 security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
15 security/smack/smack_lsm.c | 4 ++++
16 3 files changed, 34 insertions(+), 11 deletions(-)
18 diff --git a/security/smack/smack.h b/security/smack/smack.h
19 index 6a71fc7..f7db791 100644
20 --- a/security/smack/smack.h
21 +++ b/security/smack/smack.h
22 @@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
23 void smk_insert_entry(struct smack_known *skp);
24 struct smack_known *smk_find_entry(const char *);
25 bool smack_privileged(int cap);
26 +bool smack_privileged_cred(int cap, const struct cred *cred);
27 void smk_destroy_label_list(struct list_head *list);
30 diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
31 index 1a30041..141ffac 100644
32 --- a/security/smack/smack_access.c
33 +++ b/security/smack/smack_access.c
34 @@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
35 LIST_HEAD(smack_onlycap_list);
36 DEFINE_MUTEX(smack_onlycap_lock);
40 + * smack_privileged_cred - are all privilege requirements met by cred
41 + * @cap: The requested capability
42 + * @cred: the credential to use
44 * Is the task privileged and allowed to be privileged
45 * by the onlycap rule.
47 * Returns true if the task is allowed to be privileged, false if it's not.
49 -bool smack_privileged(int cap)
50 +bool smack_privileged_cred(int cap, const struct cred *cred)
52 - struct smack_known *skp = smk_of_current();
53 + struct task_smack *tsp = cred->security;
54 + struct smack_known *skp = tsp->smk_task;
55 struct smack_known_list_elem *sklep;
59 - * All kernel tasks are privileged
61 - if (unlikely(current->flags & PF_KTHREAD))
64 - rc = cap_capable(current_cred(), &init_user_ns, cap,
65 - SECURITY_CAP_AUDIT);
66 + rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
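Review bot: The kerneldoc kept for smack_privileged_cred still speaks of "the task" (`Is the task privileged and allowed to be privileged`, `Returns true if the task is allowed to be privileged`), but the function now judges the @cred argument, which need not belong to current. Suggest `* Returns true if @cred is allowed to be privileged, false if it's not.` and a line stating that, unlike smack_privileged(), no PF_KTHREAD shortcut is applied here. The body also dereferences `cred->security` unconditionally (`struct task_smack *tsp = cred->security;`), so the comment should say that callers must pass a cred whose security blob is initialised; whether every caller guarantees that is not visible in this diff. The function's body continues outside the hunk.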
70 @@ -662,3 +660,23 @@ bool smack_privileged(int cap)
76 + * smack_privileged - are all privilege requirements met
77 + * @cap: The requested capability
79 + * Is the task privileged and allowed to be privileged
80 + * by the onlycap rule.
82 + * Returns true if the task is allowed to be privileged, false if it's not.
84 +bool smack_privileged(int cap)
87 + * All kernel tasks are privileged
89 + if (unlikely(current->flags & PF_KTHREAD))
92 + return smack_privileged_cred(cap, current_cred());
94 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
95 index 30f2c3d..03fdecb 100644
96 --- a/security/smack/smack_lsm.c
97 +++ b/security/smack/smack_lsm.c
98 @@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
103 + if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
107 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
108 ad.a.u.key_struct.key = keyp->serial;
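Review bot: The CAP_MAC_OVERRIDE check added before smk_ad_init() means a key access granted only by the override produces no Smack audit record naming the subject label and key; what remains is whatever cap_capable() emits under SECURITY_CAP_AUDIT, which does not identify the key. A short comment above the check would make that trade-off explicit for the next reader, e.g. `/* CAP_MAC_OVERRIDE (subject to the onlycap list) bypasses Smack key rules, as elsewhere in Smack */`. The lines between the check and smk_ad_init() are elided on this page, so the early return is inferred from the commit description rather than seen. smack_key_permission begins outside the hunk.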