Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot Transmute Smack label #140

Open
cuongdtone opened this issue Mar 11, 2024 · 2 comments
Open

Cannot Transmute Smack label #140

cuongdtone opened this issue Mar 11, 2024 · 2 comments

Comments

@cuongdtone
Copy link

cuongdtone commented Mar 11, 2024
edited
Loading

Dear SMACK team,
I met the issue with SMACK transmute function with ubifs file system:
Snerio:

  1. Add access label and transmute label for directory: chsmack -a "Object" -t
  2. Add rule "t" for subject, such as "Subject Object rwxat"
  3. When subject create a file in directory -> file have smack label (from parent directory) -> PASS
  4. But when subject create a folder in directory -> folder have smack label (parent directory), but don't have transmute label -> FAIL
    Then Ubifs assert failed -> assert action (alway switch to read-only) happend:
    [ 32.638124 01-01 00:00:35.501] UBIFS error (ubi4:3 pid 1307): ubifs_assert_failed: UBIFS assert failed: inode_is_locked(host), in fs/ubifs/xattr.c:276

Summary:
parent_directory access="Object" transmute="True"
|--- file access="Object"
|--- child_directory access="Object" (dont have transmute="True")

I checked and the cause from this patch:
https://lore.kernel.org/lkml/[email protected]/T/

They add check_lock, but from ubifs_mkdir -> d_instantiate(dentry, inode); -> security_d_instantiate, new inode has never been locked.

So I add inode lock in smack_d_instantiate and this bug resolve:

--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3425,10 +3425,19 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
 			 */
 			if (isp->smk_flags & SMK_INODE_CHANGED) {
 				isp->smk_flags &= ~SMK_INODE_CHANGED;
-				rc = __vfs_setxattr(dp, inode,
-					XATTR_NAME_SMACKTRANSMUTE,
-					TRANS_TRUE, TRANS_TRUE_SIZE,
-					0);
+				if (inode_is_locked(inode)) {
+					rc = __vfs_setxattr(dp, inode,
+						XATTR_NAME_SMACKTRANSMUTE,
+						TRANS_TRUE, TRANS_TRUE_SIZE,
+						0);
+				} else {
+					inode_lock(inode);
+					rc = __vfs_setxattr(dp, inode,
+						XATTR_NAME_SMACKTRANSMUTE,
+						TRANS_TRUE, TRANS_TRUE_SIZE,
+						0);
+					inode_unlock(inode);
+				}
 			} else {
 				rc = __vfs_getxattr(dp, inode,
 					XATTR_NAME_SMACKTRANSMUTE, trattr,

Do you agree with it ?
Let me know your opinion !!
Thank you!
@cschaufler
Copy link
Contributor

We will definitely look more closely at your patch. If you would like to submit a patch please do so using the kernel patch submission process:

https://docs.kernel.org/process/submitting-patches.html

Please include the LSM email list [email protected] and the Smack kernel maintainer [email protected] on the patch. If you don't feel up to sending the patch, we can produce a version and add you on a suggested-by tag. Let me know how you'd like to proceed.

@cuongdtone
Copy link
Author

Kernel patch submission process is too complicated for me. So please help me produce a version and add me on a suggested-by tag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cschaufler @cuongdtone