linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serge@hallyn.com>
To: mortonm@chromium.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	casey@schaufler-ca.com, sds@tycho.nsa.gov,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/2] LSM: SafeSetID: gate setgid transitions
Date: Sun, 17 Feb 2019 12:49:06 -0600	[thread overview]
Message-ID: <20190217184906.GA20247@mail.hallyn.com> (raw)
In-Reply-To: <20190215222228.133709-1-mortonm@chromium.org>

On Fri, Feb 15, 2019 at 02:22:28PM -0800, mortonm@chromium.org wrote:
> From: Micah Morton <mortonm@chromium.org>
> 
> The SafeSetID LSM already gates setuid transitions for UIDs on the
> system whose use of CAP_SETUID has been 'restricted'. This patch
> implements the analogous functionality for setgid transitions, in order
> to restrict the use of CAP_SETGID for certain UIDs on the system. One
> notable consequence of this addition is that a process running under a
> restricted UID (i.e. one that is only allowed to setgid to certain
> approved GIDs) will not be allowed to call the setgroups() syscall to
> set its supplementary group IDs. For now, we leave such support for
> restricted setgroups() to future work, as it would require hooking the
> logic in setgroups() and verifying that the array of GIDs passed in from
> userspace only consists of approved GIDs.
> 
> Signed-off-by: Micah Morton <mortonm@chromium.org>
> ---
> Tested with slight mod to test in tools/testing/selftests/safesetid for
> testing setgid as well as setuid.
> 
>  security/safesetid/lsm.c        | 263 +++++++++++++++++++++++++++-----
>  security/safesetid/lsm.h        |  11 +-
>  security/safesetid/securityfs.c | 105 +++++++++----
>  3 files changed, 307 insertions(+), 72 deletions(-)
> 
> diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
> index cecd38e2ac80..5d9710b7bb04 100644
> --- a/security/safesetid/lsm.c
> +++ b/security/safesetid/lsm.c
> @@ -26,27 +26,30 @@ int safesetid_initialized;
>  
>  #define NUM_BITS 8 /* 128 buckets in hash table */
...
> +int add_safesetid_whitelist_uid_entry(kuid_t parent, kuid_t child)
>  {
> -	struct entry *new;
> +	struct id_entry *new;
>  
>  	/* Return if entry already exists */
>  	if (check_setuid_policy_hashtable_key_value(parent, child))
>  		return 0;
>  
> -	new = kzalloc(sizeof(struct entry), GFP_KERNEL);
> +	new = kzalloc(sizeof(struct id_entry), GFP_KERNEL);
> +	if (!new)
> +		return -ENOMEM;
> +	new->parent_kuid = __kuid_val(parent);
> +	new->child_kid = __kuid_val(child);
> +	spin_lock(&safesetid_whitelist_uid_hashtable_spinlock);
> +	hash_add_rcu(safesetid_whitelist_uid_hashtable,
> +		     &new->next,
> +		     __kuid_val(parent));

Do you care at all about the possibility of duplicate entries?

> +	spin_unlock(&safesetid_whitelist_uid_hashtable_spinlock);
> +	return 0;
> +}

  reply	other threads:[~2019-02-17 18:49 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-15 22:22 [PATCH 2/2] LSM: SafeSetID: gate setgid transitions mortonm
2019-02-17 18:49 ` Serge E. Hallyn [this message]
2019-02-19 17:04   ` Micah Morton
2019-02-19 18:26     ` Serge E. Hallyn
2019-02-19 23:30       ` Micah Morton
2019-02-19 23:40       ` [PATCH v2 " mortonm
2019-02-25 22:35         ` Serge E. Hallyn
2019-02-26 18:00           ` [PATCH v3 " mortonm
2019-02-26 18:03           ` [PATCH v2 " Micah Morton
2019-02-27 20:00             ` [PATCH v2 1/2] " mortonm
2019-02-28  3:11               ` Serge E. Hallyn
2019-02-28 16:50               ` Casey Schaufler
2019-02-28 19:06                 ` [PATCH v3 " mortonm
2019-02-28 19:12                   ` Casey Schaufler
2019-02-28 20:20                     ` [PATCH v4 2/2] " mortonm
2019-02-28 22:50                       ` Casey Schaufler
2019-02-28 23:55                         ` [PATCH v4 1/2] " mortonm
2019-03-04 18:10                           ` Micah Morton
2019-03-04 18:27                             ` [PATCH v5 " mortonm
2019-03-05  3:30                             ` [PATCH v4 " James Morris
2019-03-05 15:46                               ` Micah Morton
2019-02-28 19:08                 ` [PATCH v2 " Micah Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190217184906.GA20247@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mortonm@chromium.org \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).