From: "Serge E. Hallyn" <serge@hallyn.com>
To: mortonm@chromium.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
casey@schaufler-ca.com, sds@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/2] LSM: SafeSetID: gate setgid transitions
Date: Sat, 16 Feb 2019 10:43:33 -0600 [thread overview]
Message-ID: <20190216164333.GA10883@mail.hallyn.com> (raw)
In-Reply-To: <20190215222217.133213-1-mortonm@chromium.org>
On Fri, Feb 15, 2019 at 02:22:17PM -0800, mortonm@chromium.org wrote:
> From: Micah Morton <mortonm@chromium.org>
>
> This patch adds a 'task_fix_setgid' LSM hook, which is analogous to the
> existing 'task_fix_setuid' LSM hook, and calls this new hook from the
> setgid functions in kernel/sys.c. This will allow the SafeSetID LSM to
> govern setgid transitions in addition to setuid transitions. This change
> also makes sure the setgid functions in kernel/sys.c call
> security_capable_setid rather than the ordinary security_capable
Sorry, where security_capable_setid this defined? I assume it was in a recent
patchset, but google and grep are failing me.
> function, so that the security_capable hook in the SafeSetID LSM knows
> it is being invoked from a setid function.
>
> Signed-off-by: Micah Morton <mortonm@chromium.org>
> ---
> Tested with slight mod to test in tools/testing/selftests/safesetid for
> testing setgid as well as setuid.
>
> include/linux/lsm_hooks.h | 12 ++++++++++++
> include/linux/security.h | 10 ++++++++++
> kernel/sys.c | 27 +++++++++++++++++++++------
> security/security.c | 6 ++++++
> 4 files changed, 49 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 22fc786d723a..f252ed3e95ef 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -603,6 +603,15 @@
> * @old is the set of credentials that are being replaces
> * @flags contains one of the LSM_SETID_* values.
> * Return 0 on success.
> + * @task_fix_setgid:
> + * Update the module's state after setting one or more of the group
> + * identity attributes of the current process. The @flags parameter
> + * indicates which of the set*gid system calls invoked this hook.
> + * @new is the set of credentials that will be installed. Modifications
> + * should be made to this rather than to @current->cred.
> + * @old is the set of credentials that are being replaced
> + * @flags contains one of the LSM_SETID_* values.
> + * Return 0 on success.
> * @task_setpgid:
> * Check permission before setting the process group identifier of the
> * process @p to @pgid.
> @@ -1596,6 +1605,8 @@ union security_list_options {
> enum kernel_read_file_id id);
> int (*task_fix_setuid)(struct cred *new, const struct cred *old,
> int flags);
> + int (*task_fix_setgid)(struct cred *new, const struct cred *old,
> + int flags);
> int (*task_setpgid)(struct task_struct *p, pid_t pgid);
> int (*task_getpgid)(struct task_struct *p);
> int (*task_getsid)(struct task_struct *p);
> @@ -1887,6 +1898,7 @@ struct security_hook_heads {
> struct hlist_head kernel_post_read_file;
> struct hlist_head kernel_module_request;
> struct hlist_head task_fix_setuid;
> + struct hlist_head task_fix_setgid;
> struct hlist_head task_setpgid;
> struct hlist_head task_getpgid;
> struct hlist_head task_getsid;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 13537a49ae97..f3d095e8dfc1 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -96,6 +96,7 @@ extern int cap_mmap_addr(unsigned long addr);
> extern int cap_mmap_file(struct file *file, unsigned long reqprot,
> unsigned long prot, unsigned long flags);
> extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
> +extern int cap_task_fix_setgid(struct cred *new, const struct cred *old, int flags);
> extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> unsigned long arg4, unsigned long arg5);
> extern int cap_task_setscheduler(struct task_struct *p);
> @@ -326,6 +327,8 @@ int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> enum kernel_read_file_id id);
> int security_task_fix_setuid(struct cred *new, const struct cred *old,
> int flags);
> +int security_task_fix_setgid(struct cred *new, const struct cred *old,
> + int flags);
> int security_task_setpgid(struct task_struct *p, pid_t pgid);
> int security_task_getpgid(struct task_struct *p);
> int security_task_getsid(struct task_struct *p);
> @@ -930,6 +933,13 @@ static inline int security_task_fix_setuid(struct cred *new,
> return cap_task_fix_setuid(new, old, flags);
> }
>
> +static inline int security_task_fix_setgid(struct cred *new,
> + const struct cred *old,
> + int flags)
> +{
> + return cap_task_fix_setgid(new, old, flags);
> +}
> +
> static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)
> {
> return 0;
> diff --git a/kernel/sys.c b/kernel/sys.c
> index c5f875048aef..76f1c46ac66f 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -372,7 +372,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
> if (rgid != (gid_t) -1) {
> if (gid_eq(old->gid, krgid) ||
> gid_eq(old->egid, krgid) ||
> - ns_capable(old->user_ns, CAP_SETGID))
> + ns_capable_setid(old->user_ns, CAP_SETGID))
> new->gid = krgid;
> else
> goto error;
> @@ -381,7 +381,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
> if (gid_eq(old->gid, kegid) ||
> gid_eq(old->egid, kegid) ||
> gid_eq(old->sgid, kegid) ||
> - ns_capable(old->user_ns, CAP_SETGID))
> + ns_capable_setid(old->user_ns, CAP_SETGID))
> new->egid = kegid;
> else
> goto error;
> @@ -392,6 +392,10 @@ long __sys_setregid(gid_t rgid, gid_t egid)
> new->sgid = new->egid;
> new->fsgid = new->egid;
>
> + retval = security_task_fix_setgid(new, old, LSM_SETID_RE);
> + if (retval < 0)
> + goto error;
> +
> return commit_creds(new);
>
> error:
> @@ -427,13 +431,17 @@ long __sys_setgid(gid_t gid)
> old = current_cred();
>
> retval = -EPERM;
> - if (ns_capable(old->user_ns, CAP_SETGID))
> + if (ns_capable_setid(old->user_ns, CAP_SETGID))
> new->gid = new->egid = new->sgid = new->fsgid = kgid;
> else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
> new->egid = new->fsgid = kgid;
> else
> goto error;
>
> + retval = security_task_fix_setgid(new, old, LSM_SETID_ID);
> + if (retval < 0)
> + goto error;
> +
> return commit_creds(new);
>
> error:
> @@ -735,7 +743,7 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
> old = current_cred();
>
> retval = -EPERM;
> - if (!ns_capable(old->user_ns, CAP_SETGID)) {
> + if (!ns_capable_setid(old->user_ns, CAP_SETGID)) {
> if (rgid != (gid_t) -1 && !gid_eq(krgid, old->gid) &&
> !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid))
> goto error;
> @@ -755,6 +763,10 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
> new->sgid = ksgid;
> new->fsgid = new->egid;
>
> + retval = security_task_fix_setgid(new, old, LSM_SETID_RES);
> + if (retval < 0)
> + goto error;
> +
> return commit_creds(new);
>
> error:
> @@ -858,10 +870,13 @@ long __sys_setfsgid(gid_t gid)
>
> if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
> gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
> - ns_capable(old->user_ns, CAP_SETGID)) {
> + ns_capable_setid(old->user_ns, CAP_SETGID)) {
> if (!gid_eq(kgid, old->fsgid)) {
> new->fsgid = kgid;
> - goto change_okay;
> + if (security_task_fix_setgid(new,
> + old,
> + LSM_SETID_FS) == 0)
> + goto change_okay;
> }
> }
>
> diff --git a/security/security.c b/security/security.c
> index b6bff646d373..4264a1e77ce8 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1570,6 +1570,12 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old,
> return call_int_hook(task_fix_setuid, 0, new, old, flags);
> }
>
> +int security_task_fix_setgid(struct cred *new, const struct cred *old,
> + int flags)
> +{
> + return call_int_hook(task_fix_setgid, 0, new, old, flags);
> +}
> +
> int security_task_setpgid(struct task_struct *p, pid_t pgid)
> {
> return call_int_hook(task_setpgid, 0, p, pgid);
> --
> 2.21.0.rc0.258.g878e2cd30e-goog
next prev parent reply other threads:[~2019-02-16 16:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 22:22 [PATCH 1/2] LSM: SafeSetID: gate setgid transitions mortonm
2019-02-16 16:43 ` Serge E. Hallyn [this message]
2019-02-19 17:00 ` Micah Morton
2019-02-19 18:20 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190216164333.GA10883@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mortonm@chromium.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).