coreutils

Re: [PATCH] id: show SMACK security context


From: Casey Schaufler
Subject: Re: [PATCH] id: show SMACK security context
Date: Sat, 14 Sep 2013 09:59:32 -0700
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 8/29/2013 2:18 AM, Jarkko Sakkinen wrote:
> Hi Casey,
>
> On 08/28/2013 03:21 AM, Pádraig Brady wrote:
>> On 04/22/2013 02:09 PM, Jarkko Sakkinen wrote:
>>> On Mon, Apr 22, 2013, at 13:15, Pádraig Brady wrote:
>>>> On 04/17/2013 09:30 PM, Jarkko Sakkinen wrote:
>>
>>>>> diff --git a/src/id.c b/src/id.c
>>
>>>>> @@ -189,14 +199,17 @@ main (int argc, char **argv)
>>>>>        and we're not in POSIXLY_CORRECT mode, get our context. 
>>>>> Otherwise,
>>>>>        leave the context variable alone - it has been initialized
>>>>> to an
>>>>>        invalid value that will be not displayed in
>>>>> print_full_info().  */
>>>>> -  if (selinux_enabled
>>>>> -      && n_ids == 0
>>>>> +  if (n_ids == 0
>>>>>         && (just_context
>>>>>             || (default_format && ! getenv ("POSIXLY_CORRECT"))))
>>>>>       {
>>>>>         /* Report failure only if --context (-Z) was explicitly
>>>>> requested.  */
>>>>> -      if (getcon (&context) && just_context)
>>>>> +      if (selinux_enabled && getcon (&context) && just_context)
>>>>> +        error (EXIT_FAILURE, 0, _("can't get process context"));
>>>>> +#ifdef HAVE_SMACK
>>>>> +      else if (smack_enabled && smack_new_label_from_self ((char
>>>>> **) &context))
>>>>>           error (EXIT_FAILURE, 0, _("can't get process context"));
>>>>> +#endif
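Review bot: the SMACK branch does not follow the rule stated in the comment directly above it ("Report failure only if --context (-Z) was explicitly requested"). The SELinux test `if (selinux_enabled && getcon (&context) && just_context)` aborts only when -Z was given, but `else if (smack_enabled && smack_new_label_from_self ((char **) &context))` aborts on any lookup failure, so a plain `id` in the default format on a SMACK system whose label cannot be read would exit with "can't get process context" instead of quietly omitting the context as the SELinux path does; adding `&& just_context` to the SMACK condition restores the documented behaviour. Two smaller points: chaining the SMACK test as an `else if` of the SELinux test means it is also evaluated when SELinux is enabled but did not abort, which is only harmless because selinux_enabled and smack_enabled are currently exclusive, so two independent `if` statements under their own guards would make that intent explicit; and the `(char **) &context` cast hides whatever type `context` is declared with, so passing a separate `char *` and assigning it afterwards would avoid relying on the cast.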
>>>>
>>>> So smack defers to SELinux.
>>>> In that case you probably don't want --with-smack above,
>>>> and instead auto detect smack availability.
>>>
>>> Well, actually you couldn't have SELinux and SMACK active in the
>>> kernel at the same time. The kernel can only have one LSM enabled at
>>> a time (and you cannot switch or disable the LSM). So this essentially
>>> detects which one is enabled in the kernel.
>>
>> It seems like this will no longer be the case:
>> https://lkml.org/lkml/2013/7/25/482
>
> Looks like your LSM stacker has been progressing.
>
> Do you have recommendations on how this should work
> together with coreutils? For example, what should ls show
> if we have both SELinux and SMACK enabled?

We're going to be discussing this at the Linux security summit in
New Orleans at the end of the week. I would like to see a consensus
on both terminology and behavior. I would like "ps -Z" to print the
"security context", which can be obtained from /proc/.../attr/context
as opposed to the context of one LSM, which will come from the existing
/proc/.../attr/current interface. The result of "ls -Z" is harder,
because there is no interface to get the "context". Maybe we could
have a pseudo-attribute security.context, which gets you that. Without
that I'm afraid you'll have to go out LSM by LSM and check.

Which brings us to the possibility of a liblsm.so, which provides
agnostic interfaces that coreutils and the like can use to get the
"context" without having to know what LSM(s) is(are) in use.


>
>>
>> thanks,
>> Pádraig.
>>
>>
>
> /Jarkko
>