Linux Kernel Smack Label Creation Vulnerability for Unprivileged Tasks

Vulnerability

A vulnerability in the Linux kernel's Smack (Simplified Mandatory Access Control Kernel) implementation allows unprivileged tasks to create new labels. This issue arises when a task is permitted to relabel itself and the 'relabel-self' list is not empty. The vulnerability exists in the Linux kernel stable tree. The problem occurs because the 'do_setattr()' function imports the specified label before verifying the 'relabel-self' list, enabling the creation of arbitrary labels by writing to '/proc/PID/attr/smack/current'.

Impact

Exploitation of this vulnerability allows unprivileged tasks to create and modify Smack labels, potentially leading to unauthorized access or privilege escalation by manipulating the security context of processes.

Reproduction

To reproduce this vulnerability, an unprivileged task must be allowed to relabel itself, which requires that the '/smack/relabel-self' attribute is not empty. Once this condition is met, the task can create new labels by writing their names into the '/proc/PID/attr/smack/current' file. Because the 'do_setattr()' function imports the label before checking the 'relabel-self' list, the label is created even when it is not on that list.
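The check-ordering problem described above, as a user-space model added here for illustration (not kernel source and not the upstream patch). The helper names, the fixed-size label table and the sample labels are assumptions; the second function shows one ordering in which the list check runs before any label can be created.

```c
#include <stdio.h>
#include <string.h>

/* User-space model, constructed for illustration; not kernel source. */
#define MAX_LABELS 8
static char known[MAX_LABELS][24];   /* stands in for the global label list */
static int nknown;

static const char *lookup(const char *name) {          /* no side effects */
    for (int i = 0; i < nknown; i++)
        if (strcmp(known[i], name) == 0)
            return known[i];
    return NULL;
}

static const char *import_label(const char *name) {    /* creates if missing */
    const char *l = lookup(name);
    if (l || nknown == MAX_LABELS) return l;
    snprintf(known[nknown], sizeof known[0], "%s", name);
    return known[nknown++];
}

static int allowed(const char *const *list, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Ordering described above: import first, then consult relabel-self. */
static int setattr_import_first(const char *const *list, int n, const char *name) {
    const char *l = import_label(name);   /* label exists from here on */
    return (l && allowed(list, n, l)) ? 0 : -1;
}

/* Assumed safer ordering: consult relabel-self before anything is created. */
static int setattr_check_first(const char *const *list, int n, const char *name) {
    return (allowed(list, n, name) && import_label(name)) ? 0 : -1;
}

int main(void) {
    const char *const list[] = { "Allowed" };   /* constructed sample label */
    import_label("Allowed");                    /* privileged setup of the list */
    int rc = setattr_check_first(list, 1, "Rogue");
    printf("check-first:  rc=%d labels=%d\n", rc, nknown);
    rc = setattr_import_first(list, 1, "Rogue");
    printf("import-first: rc=%d labels=%d\n", rc, nknown);
    return 0;
}
```

Both orderings reject the request, but only the import-first ordering leaves the rejected label behind in the label table.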

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.

Added: Dec 24, 2025, 11:19 AM
Updated: Dec 24, 2025, 11:19 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.