Skip to content

Commit

Permalink
Smack: ptrace capability use fixes
Browse files Browse the repository at this point in the history 
This fixes a pair of problems in the Smack ptrace checks
related to checking capabilities. In both cases, as reported
by Lukasz Pawelczyk, the raw capability calls are used rather
than the Smack wrapper that check addition restrictions.
In one case, as reported by Jann Horn, the wrong task is being
checked for capabilities.

Signed-off-by: Casey Schaufler <[email protected]>
  • Loading branch information
@cschaufler
cschaufler committed Sep 18, 2018
1 parent 76c9805 commit dcb569c
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions security/smack/smack_lsm.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
struct smk_audit_info ad, *saip = NULL;
struct task_smack *tsp;
struct smack_known *tracer_known;
const struct cred *tracercred;

if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
Expand All @@ -429,7 +430,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
}

rcu_read_lock();
tsp = __task_cred(tracer)->security;
tracercred = __task_cred(tracer);
tsp = tracercred->security;
tracer_known = smk_of_task(tsp);

if ((mode & PTRACE_MODE_ATTACH) &&
Expand All @@ -439,7 +441,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
rc = 0;
else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
rc = -EACCES;
else if (capable(CAP_SYS_PTRACE))
else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred))
rc = 0;
else
rc = -EACCES;
Expand Down Expand Up @@ -1841,6 +1843,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
{
struct smack_known *skp;
struct smack_known *tkp = smk_of_task(tsk->cred->security);
const struct cred *tcred;
struct file *file;
int rc;
struct smk_audit_info ad;
Expand All @@ -1854,8 +1857,12 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
skp = file->f_security;
rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))

rcu_read_lock();
tcred = __task_cred(tsk);
if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred))
rc = 0;
rcu_read_unlock();

smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, tsk);
Expand Down

0 comments on commit dcb569c

Please sign in to comment.