Smack: Signal delivery as an append operation

Under a strict subject/object security policy delivering a
signal or delivering network IPC could be considered either
a write or an append operation. The original choice to make
both write operations leads to an issue where IPC delivery
is desired under policy, but delivery of signals is not.
This patch provides the option of making signal delivery
an append operation, allowing Smack rules that deny signal
delivery while allowing IPC. This was requested for Tizen.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[mainline backport of commit c60b906673eebb4f65840fa9dc204401caf276ea]
Change-Id: I474d9a2b51b653c9c6d21391a2c281c1f1f2d709

diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index b1c221d694c6edd3238db19d3a02d805a47c05c5..160eb04a4ce2b23e4b859db23b2567d8c58d929f 100644 (file)
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -41,6 +41,18 @@ config SECURITY_SMACK_NETFILTER
          Smack labels.
          If you are unsure how to answer this question, answer N.
 
+config SECURITY_SMACK_APPEND_SIGNALS
+       bool "Treat delivering signals as an append operation"
+       depends on SECURITY_SMACK
+       default n
+       help
+         Sending a signal has been treated as a write operation to the
+         receiving process. If this option is selected, the delivery
+         will be an append operation instead. This makes it possible
+         to differentiate between delivering a network packet and
+         delivering a signal in the Smack rules.
+         If you are unsure how to answer this question, answer N.
+
 config SECURITY_SMACK_PERMISSIVE_MODE
        bool "Enable Permissive mode for debugging purpose"
        depends on SECURITY_SMACK

diff --git a/security/smack/smack.h b/security/smack/smack.h
index 7fd481a79c93415ee57f4f06ad0a754bfb1c38f3..b57b9702b2622266d7e8a69c560f04a90653d0bc 100644 (file)
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -218,6 +218,16 @@ enum {
 #define MAY_LOCK       0x00002000      /* Locks should be writes, but ... */
 #define MAY_BRINGUP    0x00004000      /* Report use of this rule */
 
+/*
+ * The policy for delivering signals is configurable.
+ * It is usually "write", but can be "append".
+ */
+#ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
+#define MAY_DELIVER    MAY_APPEND      /* Signal delivery requires append */
+#else
+#define MAY_DELIVER    MAY_WRITE       /* Signal delivery requires write */
+#endif
+
 #define SMACK_BRINGUP_ALLOW            1       /* Allow bringup mode */
 #define SMACK_UNCONFINED_SUBJECT       2       /* Allow unconfined label */
 #define SMACK_UNCONFINED_OBJECT                3       /* Allow unconfined label */

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c9eb4c1d7eb81d25a2a56793d32ca57e3cc1863f..8922b6792e991d6fbd20dd51e71cf00b5c6cd05b 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1862,14 +1862,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
 
        /* we don't log here as rc can be overriden */
        skp = file->f_security;
-       rc = smk_access(skp, tkp, MAY_WRITE, NULL);
-       rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc);
+       rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
+       rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
        if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
                rc = 0;
 
        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
        smk_ad_setfield_u_tsk(&ad, tsk);
-       smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad);
+       smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad);
        return rc;
 }
 
@@ -2282,8 +2282,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
         * can write the receiver.
         */
        if (secid == 0) {
-               rc = smk_curacc(tkp, MAY_WRITE, &ad);
-               rc = smk_bu_task(p, MAY_WRITE, rc);
+               rc = smk_curacc(tkp, MAY_DELIVER, &ad);
+               rc = smk_bu_task(p, MAY_DELIVER, rc);
                return rc;
        }
        /*
@@ -2292,8 +2292,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
         * we can't take privilege into account.
         */
        skp = smack_from_secid(secid);
-       rc = smk_access(skp, tkp, MAY_WRITE, &ad);
-       rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc);
+       rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
+       rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
        return rc;
 }