From: "Serge E. Hallyn" <serge@hallyn.com>
To: Micah Morton <mortonm@chromium.org>
Cc: linux-security-module@vger.kernel.org, keescook@chromium.org,
casey@schaufler-ca.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, serge@hallyn.com,
jmorris@namei.org, Thomas Cedeno <thomascedeno@google.com>
Subject: Re: [PATCH 1/2] LSM: Signal to SafeSetID when in set*gid syscall
Date: Mon, 20 Jul 2020 21:11:47 -0500 [thread overview]
Message-ID: <20200721021147.GA28125@mail.hallyn.com> (raw)
In-Reply-To: <20200720181156.1461461-1-mortonm@chromium.org>
On Mon, Jul 20, 2020 at 11:11:56AM -0700, Micah Morton wrote:
> From: Thomas Cedeno <thomascedeno@google.com>
>
> For SafeSetID to properly gate set*gid() calls, it needs to know whether
> ns_capable() is being called from within a sys_set*gid() function or is
> being called from elsewhere in the kernel. This allows SafeSetID to deny
> CAP_SETGID to restricted groups when they are attempting to use the
> capability for code paths other than updating GIDs (e.g. setting up
> userns GID mappings). This is the identical approach to what is
> currently done for CAP_SETUID.
>
> Signed-off-by: Thomas Cedeno <thomascedeno@google.com>
> Signed-off-by: Micah Morton <mortonm@chromium.org>
I see that only safesetid is using that now anyway.
Reviewed-by: Serge Hallyn <serge@hallyn.com>
> ---
> kernel/sys.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 00a96746e28a..55e0c86772ab 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -373,7 +373,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
> if (rgid != (gid_t) -1) {
> if (gid_eq(old->gid, krgid) ||
> gid_eq(old->egid, krgid) ||
> - ns_capable(old->user_ns, CAP_SETGID))
> + ns_capable_setid(old->user_ns, CAP_SETGID))
> new->gid = krgid;
> else
> goto error;
> @@ -382,7 +382,7 @@ long __sys_setregid(gid_t rgid, gid_t egid)
> if (gid_eq(old->gid, kegid) ||
> gid_eq(old->egid, kegid) ||
> gid_eq(old->sgid, kegid) ||
> - ns_capable(old->user_ns, CAP_SETGID))
> + ns_capable_setid(old->user_ns, CAP_SETGID))
> new->egid = kegid;
> else
> goto error;
> @@ -432,7 +432,7 @@ long __sys_setgid(gid_t gid)
> old = current_cred();
>
> retval = -EPERM;
> - if (ns_capable(old->user_ns, CAP_SETGID))
> + if (ns_capable_setid(old->user_ns, CAP_SETGID))
> new->gid = new->egid = new->sgid = new->fsgid = kgid;
> else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
> new->egid = new->fsgid = kgid;
> @@ -744,7 +744,7 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
> old = current_cred();
>
> retval = -EPERM;
> - if (!ns_capable(old->user_ns, CAP_SETGID)) {
> + if (!ns_capable_setid(old->user_ns, CAP_SETGID)) {
> if (rgid != (gid_t) -1 && !gid_eq(krgid, old->gid) &&
> !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid))
> goto error;
> @@ -871,7 +871,7 @@ long __sys_setfsgid(gid_t gid)
>
> if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
> gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
> - ns_capable(old->user_ns, CAP_SETGID)) {
> + ns_capable_setid(old->user_ns, CAP_SETGID)) {
> if (!gid_eq(kgid, old->fsgid)) {
> new->fsgid = kgid;
> if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)
> --
> 2.28.0.rc0.105.gf9edc3c819-goog
next prev parent reply other threads:[~2020-07-21 2:11 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-20 18:11 [PATCH 1/2] LSM: Signal to SafeSetID when in set*gid syscall Micah Morton
2020-07-21 2:11 ` Serge E. Hallyn [this message]
2020-07-27 18:44 ` James Morris
2020-08-04 21:13 ` [PATCH v2 1/2] LSM: Signal to SafeSetID when setting group IDs Micah Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200721021147.GA28125@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mortonm@chromium.org \
--cc=paul@paul-moore.com \
--cc=stephen.smalley.work@gmail.com \
--cc=thomascedeno@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).