On 7/22/2019 1:03 AM, Martin Townsend wrote:
> Hi,
>
> One of our developers has reported the following audit log entry when
> trying to add a key to the kernel's keyring when SMACK is enabled:
>
> Jul 9 09:33:23 mach-cw-rnet-ppm-1840 user.notice kernel: audit:
> type=1400 audit(1562664803.960:12): lsm=SMACK fn=smack_key_permission
> action=denied subject="programmingapp" object="_" requested=w pid=905
> comm="programmingapp" key_serial=98475196 key_desc="_ses"

The Smack label on a key is set when the key is created, and is set to
the label of the process that created it.

> I had a quick look through the code in smack_lsm.c but can't see how
> I'm supposed to set a SMACK label for keys or keyrings. Is it
> possible and if so how?

There is currently no way to change the Smack label on a key.

> We are running a 4.9 Kernel with not much
> chance of upgrading as it's a vendor kernel (linux-imx). As it's an
> embedded system we are happy to hard code the SMACK labels into the
> kernel if this is possible?

In smack_key_alloc() change

	key->security = skp;

to

	key->security = &smack_known_star;

and all keys will have the star ("*") label, which grants everyone
access to them. Not the best solution long term, but it should get you
by.

> or is it set to '_' by design and we
> should add the key whilst the process is in a privileged state before
> the SMACK label for the process has been set?

If you can run the program that creates the key with a label other than
floor ("_"), perhaps "keymaster", the key would be labeled keymaster,
and you could create access rules like

	programmingapp keymaster rw

>
> Many Thanks,
> Martin.
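To make the three outcomes discussed in this reply concrete (the logged denial against a floor-labeled key, the effect of the star-label patch, and the effect of a "programmingapp keymaster rw" rule), here is a user-space model of Smack's access decision. It is an added example, not code from the reply or from the kernel: the function smack_access() is a hypothetical stand-in for the kernel's smk_access(), the rule table is constructed for illustration, and the "@" web label and bring-up mode handling are deliberately omitted.

```c
/*
 * Added example: a user-space model of the Smack access decision, used to
 * reason about the key_permission denial in the mail above. This is NOT
 * kernel code; smack_access() is a hypothetical simplification of smk_access().
 */
#include <stdio.h>
#include <string.h>

#define MAY_READ   0x1
#define MAY_WRITE  0x2
#define MAY_EXEC   0x4
#define MAY_APPEND 0x8
#define MAY_ANYREAD (MAY_READ | MAY_EXEC)

struct smack_rule {
	const char *subject;
	const char *object;
	int access;
};

/* Constructed rule table; the real one is loaded via /sys/fs/smackfs/load2. */
static const struct smack_rule rules[] = {
	{ "programmingapp", "keymaster", MAY_READ | MAY_WRITE },
};

/* Access bits granted by an explicit rule, or 0 when no rule matches. */
static int rule_access(const char *subject, const char *object)
{
	size_t i;

	for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
		if (strcmp(rules[i].subject, subject) == 0 &&
		    strcmp(rules[i].object, object) == 0)
			return rules[i].access;
	return 0;
}

/*
 * Returns 1 if subject may perform 'requested' on object, else 0.
 * Built-in rules, in the order the kernel applies them:
 *   - a star ("*") subject is denied everything
 *   - a star ("*") object is accessible to every subject
 *   - identical labels always match
 *   - a floor ("_") object is readable/executable by anyone
 *   - a hat ("^") subject may read/execute anything
 *   - otherwise an explicit rule must grant every requested bit
 */
int smack_access(const char *subject, const char *object, int requested)
{
	if (strcmp(subject, "*") == 0)
		return 0;
	if (strcmp(object, "*") == 0)
		return 1;
	if (strcmp(subject, object) == 0)
		return 1;
	if ((requested & ~MAY_ANYREAD) == 0) {
		if (strcmp(object, "_") == 0)
			return 1;
		if (strcmp(subject, "^") == 0)
			return 1;
	}
	return (requested & ~rule_access(subject, object)) == 0;
}

int main(void)
{
	/* The audit line: programmingapp writing a key labeled "_" */
	printf("programmingapp -> \"_\" (w):         %s\n",
	       smack_access("programmingapp", "_", MAY_WRITE) ? "allowed" : "denied");
	/* After the smack_key_alloc() patch, every key carries "*" */
	printf("programmingapp -> \"*\" (w):         %s\n",
	       smack_access("programmingapp", "*", MAY_WRITE) ? "allowed" : "denied");
	/* Key created by a "keymaster"-labeled process plus the rw rule */
	printf("programmingapp -> \"keymaster\" (rw): %s\n",
	       smack_access("programmingapp", "keymaster", MAY_READ | MAY_WRITE) ? "allowed" : "denied");
	return 0;
}
```

Note that the star patch allows every subject, not just programmingapp, which is why it is the weaker of the two options; the keymaster approach keeps the key confined to subjects that hold an explicit rule, loaded on a running system with `echo "programmingapp keymaster rw" > /sys/fs/smackfs/load2`.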