]> Gentwo Git Trees - linux/.git/commit
gentwo / linux / .git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c147e13) | patch
smack: fix bug: setting task label silently ignores input garbage
authorKonstantin Andreev <andreev@swemel.ru>
Mon, 16 Jun 2025 21:32:17 +0000 (00:32 +0300)
committerCasey Schaufler <casey@schaufler-ca.com>
Tue, 24 Jun 2025 23:30:24 +0000 (16:30 -0700)
commit674e2b24791cbe8fd5dc8a0aed4cb4404fcd2028
tree9d894c33369ef1963dc6e0566b857b15508710e2tree | snapshot
parentc147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3commit | diff
smack: fix bug: setting task label silently ignores input garbage

This command:
    # echo foo/bar >/proc/$$/attr/smack/current

gives the task a label 'foo' w/o indication
that label does not match input.
Setting the label with lsm_set_self_attr() syscall
behaves identically.

This occures because:

1) smk_parse_smack() is used to convert input to a label
2) smk_parse_smack() takes only that part from the
   beginning of the input that looks like a label.
3) `/' is prohibited in labels, so only "foo" is taken.

(2) is by design, because smk_parse_smack() is used
for parsing strings which are more than just a label.

Silent failure is not a good thing, and there are two
indicators that this was not done intentionally:

    (size >= SMK_LONGLABEL) ~> invalid

clause at the beginning of the do_setattr() and the
"Returns the length of the smack label" claim
in the do_setattr() description.

So I fixed this by adding one tiny check:
the taken label length == input length.

Since input length is now strictly controlled,
I changed the two ways of setting label

   smack_setselfattr(): lsm_set_self_attr() syscall
   smack_setprocattr(): > /proc/.../current

to accommodate the divergence in
what they understand by "input length":

  smack_setselfattr counts mandatory \0 into input length,
  smack_setprocattr does not.

  smack_setprocattr allows various trailers after label

Related changes:

* fixed description for smk_parse_smack

* allow unprivileged tasks validate label syntax.

* extract smk_parse_label_len() from smk_parse_smack()
  so parsing may be done w/o string allocation.

* extract smk_import_valid_label() from smk_import_entry()
  to avoid repeated parsing.

* smk_parse_smack(): scan null-terminated strings
  for no more than SMK_LONGLABEL(256) characters

* smack_setselfattr(): require struct lsm_ctx . flags == 0
  to reserve them for future.

Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel")
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Documentation/admin-guide/LSM/Smack.rst diff | blob | blame | history
security/smack/smack.h diff | blob | blame | history
security/smack/smack_access.c diff | blob | blame | history
security/smack/smack_lsm.c diff | blob | blame | history
Development tree.