Commit 8e4ff6f2 authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore

selinux: distinguish non-init user namespace capability checks

Distinguish capability checks against a target associated
with the init user namespace versus capability checks against
a target associated with a non-init user namespace by defining
and using separate security classes for the latter.

This is needed to support e.g. Chrome usage of user namespaces
for the Chrome sandbox without needing to allow Chrome to also
exercise capabilities on targets in the init user namespace.
Suggested-by: default avatarDan Walsh <dwalsh@redhat.com>
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 1ac42476
...@@ -1631,7 +1631,7 @@ static int current_has_perm(const struct task_struct *tsk, ...@@ -1631,7 +1631,7 @@ static int current_has_perm(const struct task_struct *tsk,
/* Check whether a task is allowed to use a capability. */ /* Check whether a task is allowed to use a capability. */
static int cred_has_capability(const struct cred *cred, static int cred_has_capability(const struct cred *cred,
int cap, int audit) int cap, int audit, bool initns)
{ {
struct common_audit_data ad; struct common_audit_data ad;
struct av_decision avd; struct av_decision avd;
...@@ -1645,10 +1645,10 @@ static int cred_has_capability(const struct cred *cred, ...@@ -1645,10 +1645,10 @@ static int cred_has_capability(const struct cred *cred,
switch (CAP_TO_INDEX(cap)) { switch (CAP_TO_INDEX(cap)) {
case 0: case 0:
sclass = SECCLASS_CAPABILITY; sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
break; break;
case 1: case 1:
sclass = SECCLASS_CAPABILITY2; sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
break; break;
default: default:
printk(KERN_ERR printk(KERN_ERR
...@@ -2152,7 +2152,7 @@ static int selinux_capset(struct cred *new, const struct cred *old, ...@@ -2152,7 +2152,7 @@ static int selinux_capset(struct cred *new, const struct cred *old,
static int selinux_capable(const struct cred *cred, struct user_namespace *ns, static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit) int cap, int audit)
{ {
return cred_has_capability(cred, cap, audit); return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
} }
static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
...@@ -2230,7 +2230,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) ...@@ -2230,7 +2230,7 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
int rc, cap_sys_admin = 0; int rc, cap_sys_admin = 0;
rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
SECURITY_CAP_NOAUDIT); SECURITY_CAP_NOAUDIT, true);
if (rc == 0) if (rc == 0)
cap_sys_admin = 1; cap_sys_admin = 1;
...@@ -3213,7 +3213,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void ...@@ -3213,7 +3213,7 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
SECURITY_CAP_NOAUDIT); SECURITY_CAP_NOAUDIT);
if (!error) if (!error)
error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
SECURITY_CAP_NOAUDIT); SECURITY_CAP_NOAUDIT, true);
isec = inode_security(inode); isec = inode_security(inode);
if (!error) if (!error)
error = security_sid_to_context_force(isec->sid, &context, error = security_sid_to_context_force(isec->sid, &context,
...@@ -3390,7 +3390,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd, ...@@ -3390,7 +3390,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
case KDSKBENT: case KDSKBENT:
case KDSKBSENT: case KDSKBSENT:
error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
SECURITY_CAP_AUDIT); SECURITY_CAP_AUDIT, true);
break; break;
/* default case assumes that the command will go /* default case assumes that the command will go
......
...@@ -12,6 +12,18 @@ ...@@ -12,6 +12,18 @@
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
"write", "associate", "unix_read", "unix_write" "write", "associate", "unix_read", "unix_write"
#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
"linux_immutable", "net_bind_service", "net_broadcast", \
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
"sys_boot", "sys_nice", "sys_resource", "sys_time", \
"sys_tty_config", "mknod", "lease", "audit_write", \
"audit_control", "setfcap"
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
"wake_alarm", "block_suspend", "audit_read"
/* /*
* Note: The name for any socket class should be suffixed by "socket", * Note: The name for any socket class should be suffixed by "socket",
* and doesn't contain more than one substr of "socket". * and doesn't contain more than one substr of "socket".
...@@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = { ...@@ -34,14 +46,7 @@ struct security_class_mapping secclass_map[] = {
{ "ipc_info", "syslog_read", "syslog_mod", { "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", "module_load", NULL } }, "syslog_console", "module_request", "module_load", NULL } },
{ "capability", { "capability",
{ "chown", "dac_override", "dac_read_search", { COMMON_CAP_PERMS, NULL } },
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
"linux_immutable", "net_bind_service", "net_broadcast",
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
"sys_boot", "sys_nice", "sys_resource", "sys_time",
"sys_tty_config", "mknod", "lease", "audit_write",
"audit_control", "setfcap", NULL } },
{ "filesystem", { "filesystem",
{ "mount", "remount", "unmount", "getattr", { "mount", "remount", "unmount", "getattr",
"relabelfrom", "relabelto", "associate", "quotamod", "relabelfrom", "relabelto", "associate", "quotamod",
...@@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = { ...@@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = {
{ "memprotect", { "mmap_zero", NULL } }, { "memprotect", { "mmap_zero", NULL } },
{ "peer", { "recv", NULL } }, { "peer", { "recv", NULL } },
{ "capability2", { "capability2",
{ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", { COMMON_CAP2_PERMS, NULL } },
"audit_read", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } }, { "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket", { "tun_socket",
{ COMMON_SOCK_PERMS, "attach_queue", NULL } }, { COMMON_SOCK_PERMS, "attach_queue", NULL } },
{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
NULL } }, NULL } },
{ "cap_userns",
{ COMMON_CAP_PERMS, NULL } },
{ "cap2_userns",
{ COMMON_CAP2_PERMS, NULL } },
{ NULL } { NULL }
}; };
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment