ホーム エクスプローラ ヘルプ
サインイン
GfA
/
linux_kernel
5
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ソースを参照

smack: parse mnt opts after privileges check

In smack_set_mnt_opts()first the SMACK mount options are being
parsed and later it is being checked whether the user calling
mount has CAP_MAC_ADMIN capability.
This sequence of operationis will allow unauthorized user to add
SMACK labels in label list and may cause denial of security attack
by adding many labels by allocating kernel memory by unauthorized user.
Superblock smack flag is also being set as initialized though function
may return with EPERM error.
First check the capability of calling user then set the SMACK attributes
and smk_flags.

Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Himanshu Shukla 8 年 前
08382c9f6e
コミット
2097f59920
1 ファイル変更25 行追加25 行削除
分割表示 差分情報を表示
  1. 25 25
      security/smack/smack_lsm.c

+ 25 - 25
security/smack/smack_lsm.c
ファイルの表示 

@@ -769,6 +769,31 @@ static int smack_set_mnt_opts(struct super_block *sb,
 
 	if (sp->smk_flags & SMK_SB_INITIALIZED)
 
 		return 0;
 
 
+	if (!smack_privileged(CAP_MAC_ADMIN)) {
 
+		/*
 
+		 * Unprivileged mounts don't get to specify Smack values.
 
+		 */
 
+		if (num_opts)
 
+			return -EPERM;
 
+		/*
 
+		 * Unprivileged mounts get root and default from the caller.
 
+		 */
 
+		skp = smk_of_current();
 
+		sp->smk_root = skp;
 
+		sp->smk_default = skp;
 
+		/*
 
+		 * For a handful of fs types with no user-controlled
 
+		 * backing store it's okay to trust security labels
 
+		 * in the filesystem. The rest are untrusted.
 
+		 */
 
+		if (sb->s_user_ns != &init_user_ns &&
 
+		    sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC &&
 
+		    sb->s_magic != RAMFS_MAGIC) {
 
+			transmute = 1;
 
+			sp->smk_flags |= SMK_SB_UNTRUSTED;
 
+		}
 
+	}
 
+
 
 	sp->smk_flags |= SMK_SB_INITIALIZED;
 
 
 	for (i = 0; i < num_opts; i++) {
 
@@ -809,31 +834,6 @@ static int smack_set_mnt_opts(struct super_block *sb,
 
 		}
 
 	}
 
 
-	if (!smack_privileged(CAP_MAC_ADMIN)) {
 
-		/*
 
-		 * Unprivileged mounts don't get to specify Smack values.
 
-		 */
 
-		if (num_opts)
 
-			return -EPERM;
 
-		/*
 
-		 * Unprivileged mounts get root and default from the caller.
 
-		 */
 
-		skp = smk_of_current();
 
-		sp->smk_root = skp;
 
-		sp->smk_default = skp;
 
-		/*
 
-		 * For a handful of fs types with no user-controlled
 
-		 * backing store it's okay to trust security labels
 
-		 * in the filesystem. The rest are untrusted.
 
-		 */
 
-		if (sb->s_user_ns != &init_user_ns &&
 
-		    sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC &&
 
-		    sb->s_magic != RAMFS_MAGIC) {
 
-			transmute = 1;
 
-			sp->smk_flags |= SMK_SB_UNTRUSTED;
 
-		}
 
-	}
 
-
 
 	/*
 
 	 * Initialize the root inode.
 
 	 */