Hi Casey
Thank you for the swift reply.
On Mon, Jul 22, 2019 at 5:25 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> On 7/22/2019 1:03 AM, Martin Townsend wrote:
> > Hi,
> >
> > One of our developers has reported the following audit log entry when
> > trying to add a key to the kernel's keyring when SMACK is enabled:
> >
> > Jul 9 09:33:23 mach-cw-rnet-ppm-1840 user.notice kernel: audit:
> > type=1400 audit(1562664803.960:12): lsm=SMACK fn=smack_key_permission
> > action=denied subject="programmingapp" object="_" requested=w pid=905
> > comm="programmingapp" key_serial=98475196 key_desc="_ses"
>
> The Smack label on a key is set when the key is created,
> and is set to the label of the process that created it.
I'll have to check but I thought that the programmingapp process from
the audit message above was trying to create the key, the dev team
were reporting that the add_key syscall was failing the SMACK access
check. This raises another question, we currently compile in several
root Certificates into the kernel, would these get a SMACK label? and
if so would this be '_'?
>
> > I had a quick look through the code in smack_lsm.c but can't see how
> > I'm supposed to set a SMACK label for keys or keyrings. Is it
> > possible and if so how?
>
> There is currently no way to change the Smack label on a key.
>
> > We are running a 4.9 Kernel with not much
> > chance of upgrading as it's a vendor kernel (linux-imx). As it's an
> > embedded system we are happy to hard code the SMACK labels into the
> > kernel if this is possible?
>
> In smack_key_alloc() change
>
> key->security = skp;
>
> to
> key->security = &smack_known_star;
>
> and all keys will have the star ("*") label, which
> grants everyone access to them. Not the best solution
> long term, but it should get you by.
They are currently adding a rule 'programmingapp _ rw' so I think this
would be an upgrade :)
Could I go one further and have something like?
#ifdef CONFIG_KEYS
+static struct smack_known smack_known_keymaster = {
+ .smk_known = "keymaster",
+ .smk_secid = 9,
+};
+
/**
* smack_key_alloc - Set the key security blob
* @key: object
@@ -4327,9 +4332,7 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- struct smack_known *skp = smk_of_task(cred->security);
-
- key->security = skp;
+ key->security = &smack_known_keymaster;
return 0;
}
or is this just asking for trouble
>
> > or is it set to '_' by design and we
> > should add the key whilst the process is a privileged state before the
> > SMACK label for the process has been set?
>
> If you can run the program that creates the key with a label
> other than floor ("_"), perhaps "keymaster", the key would be
> labeled keymaster, and you could create access rules like
I will get some more information on how they are creating the keys as
I thought the process creating the keys was labelled "programmingapp"
so the key in theory should be labelled "programmingapp". And looking
at the smack_key_alloc function mentioned previously it definitely
looks like it should have. I'll see if I can get them to create some
test code and debug why this isn't happening.
Thanks again for your help.
>
> programmingapp keymaster rw
>
>
> >
> > Many Thanks,
> > Martin.
>
