Smack: Signal delivery as an append operation

Under a strict subject/object security policy delivering a
signal or delivering network IPC could be considered either
a write or an append operation. The original choice to make
both write operations leads to an issue where IPC delivery
is desired under policy, but delivery of signals is not.
This patch provides the option of making signal delivery
an append operation, allowing Smack rules that deny signal
delivery while allowing IPC. This was requested for Tizen.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index b065f97894185557c88fe77c554719a3deca955d..9d78dada2c8c289ffb3c0ff1b18271ded1a9912b 100644 (file)
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP
          access rule set once the behavior is well understood.
          This is a superior mechanism to the oft abused
          "permissive" mode of other systems.
+
+config SECURITY_SMACK_APPEND_SIGNALS
+       bool "Treat delivering signals as an append operation"
+       depends on SECURITY_SMACK
+       default n
+       help
+         Sending a signal has been treated as a write operation to the
+         receiving process. If this option is selected, the delivery
+         will be an append operation instead. This makes it possible
+         to differentiate between delivering a network packet and
+         delivering a signal in the Smack rules.
+         If you are unsure how to answer this question, answer N.

diff --git a/security/smack/smack.h b/security/smack/smack.h
index 96cbb91799a4ed6f22b2d7876ff1cb6347d3bd78..ed7f8c31024178fdcd551644c5c011055c562322 100644 (file)
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -200,6 +200,16 @@ struct smack_known_list_elem {
 #define MAY_LOCK       0x00002000      /* Locks should be writes, but ... */
 #define MAY_BRINGUP    0x00004000      /* Report use of this rule */
 
+/*
+ * The policy for delivering signals is configurable.
+ * It is usually "write", but can be "append".
+ */
+#ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
+#define MAY_DELIVER    MAY_APPEND      /* Signal delivery requires append */
+#else
+#define MAY_DELIVER    MAY_WRITE       /* Signal delivery requires write */
+#endif
+
 #define SMACK_BRINGUP_ALLOW            1       /* Allow bringup mode */
 #define SMACK_UNCONFINED_SUBJECT       2       /* Allow unconfined label */
 #define SMACK_UNCONFINED_OBJECT                3       /* Allow unconfined label */

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8be37158c7643036cdbfbdefba44e30b4dc775d6..885a08c9105a65813c5f4bd810230a4b1ee3df42 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1688,14 +1688,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
 
        /* we don't log here as rc can be overriden */
        skp = file->f_security;
-       rc = smk_access(skp, tkp, MAY_WRITE, NULL);
-       rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc);
+       rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
+       rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
        if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
                rc = 0;
 
        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
        smk_ad_setfield_u_tsk(&ad, tsk);
-       smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad);
+       smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad);
        return rc;
 }
 
@@ -2079,8 +2079,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
         * can write the receiver.
         */
        if (secid == 0) {
-               rc = smk_curacc(tkp, MAY_WRITE, &ad);
-               rc = smk_bu_task(p, MAY_WRITE, rc);
+               rc = smk_curacc(tkp, MAY_DELIVER, &ad);
+               rc = smk_bu_task(p, MAY_DELIVER, rc);
                return rc;
        }
        /*
@@ -2089,8 +2089,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
         * we can't take privilege into account.
         */
        skp = smack_from_secid(secid);
-       rc = smk_access(skp, tkp, MAY_WRITE, &ad);
-       rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc);
+       rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
+       rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
        return rc;
 }