From: Micah Morton <mortonm@chromium.org>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: James Morris <jmorris@namei.org>,
Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 2/2] LSM: SafeSetID: gate setgid transitions
Date: Tue, 19 Feb 2019 15:30:06 -0800 [thread overview]
Message-ID: <CAJ-EccPdoXp_duz8uL2pEHa3bA9QoCs-9=ybYwwVhMqMChXhtg@mail.gmail.com> (raw)
In-Reply-To: <20190219182656.GB10524@mail.hallyn.com>
Oh I see, good point. Right now there's no harm in having duplicate
entries, but it could be a problem later if certain functionality were
added (e.g. deletion of individual policy entries). Might as well fix
it. Uploading a v2 patch.
On Tue, Feb 19, 2019 at 10:26 AM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> On Tue, Feb 19, 2019 at 09:04:10AM -0800, Micah Morton wrote:
> > On Sun, Feb 17, 2019 at 10:49 AM Serge E. Hallyn <serge@hallyn.com> wrote:
> > >
> > > On Fri, Feb 15, 2019 at 02:22:28PM -0800, mortonm@chromium.org wrote:
> > > > From: Micah Morton <mortonm@chromium.org>
> > > >
> > > > The SafeSetID LSM already gates setuid transitions for UIDs on the
> > > > system whose use of CAP_SETUID has been 'restricted'. This patch
> > > > implements the analogous functionality for setgid transitions, in order
> > > > to restrict the use of CAP_SETGID for certain UIDs on the system. One
> > > > notable consequence of this addition is that a process running under a
> > > > restricted UID (i.e. one that is only allowed to setgid to certain
> > > > approved GIDs) will not be allowed to call the setgroups() syscall to
> > > > set its supplementary group IDs. For now, we leave such support for
> > > > restricted setgroups() to future work, as it would require hooking the
> > > > logic in setgroups() and verifying that the array of GIDs passed in from
> > > > userspace only consists of approved GIDs.
> > > >
> > > > Signed-off-by: Micah Morton <mortonm@chromium.org>
> > > > ---
> > > > Tested with slight mod to test in tools/testing/selftests/safesetid for
> > > > testing setgid as well as setuid.
> > > >
> > > > security/safesetid/lsm.c | 263 +++++++++++++++++++++++++++-----
> > > > security/safesetid/lsm.h | 11 +-
> > > > security/safesetid/securityfs.c | 105 +++++++++----
> > > > 3 files changed, 307 insertions(+), 72 deletions(-)
> > > >
> > > > diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
> > > > index cecd38e2ac80..5d9710b7bb04 100644
> > > > --- a/security/safesetid/lsm.c
> > > > +++ b/security/safesetid/lsm.c
> > > > @@ -26,27 +26,30 @@ int safesetid_initialized;
> > > >
> > > > #define NUM_BITS 8 /* 128 buckets in hash table */
> > > ...
> > > > +int add_safesetid_whitelist_uid_entry(kuid_t parent, kuid_t child)
> > > > {
> > > > - struct entry *new;
> > > > + struct id_entry *new;
> > > >
> > > > /* Return if entry already exists */
> > > > if (check_setuid_policy_hashtable_key_value(parent, child))
> > > > return 0;
> > > >
> > > > - new = kzalloc(sizeof(struct entry), GFP_KERNEL);
> > > > + new = kzalloc(sizeof(struct id_entry), GFP_KERNEL);
> > > > + if (!new)
> > > > + return -ENOMEM;
> > > > + new->parent_kuid = __kuid_val(parent);
> > > > + new->child_kid = __kuid_val(child);
> > > > + spin_lock(&safesetid_whitelist_uid_hashtable_spinlock);
> > > > + hash_add_rcu(safesetid_whitelist_uid_hashtable,
> > > > + &new->next,
> > > > + __kuid_val(parent));
> > >
> > > Do you care at all about the possibility of duplicate entries?
> >
> > Duplicate entries shouldn't be possible due to the invocation of
> > check_setuid_policy_hashtable_key_value() above where it says "Return
> > if entry already exists". Does this make sense?
>
> I don't believe it does, because you do the check before you lock. So
> two tasks can race.
>
> Obviously you can't do the malloc under the spinlock, but I think you
> will need to check for an existing entry once, do the malloc, lock,
> then check again for an existing entry, then free the alloced
> 'new' if found.
>
> > > > + spin_unlock(&safesetid_whitelist_uid_hashtable_spinlock);
> > > > + return 0;
> > > > +}
next prev parent reply other threads:[~2019-02-19 23:30 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 22:22 [PATCH 2/2] LSM: SafeSetID: gate setgid transitions mortonm
2019-02-17 18:49 ` Serge E. Hallyn
2019-02-19 17:04 ` Micah Morton
2019-02-19 18:26 ` Serge E. Hallyn
2019-02-19 23:30 ` Micah Morton [this message]
2019-02-19 23:40 ` [PATCH v2 " mortonm
2019-02-25 22:35 ` Serge E. Hallyn
2019-02-26 18:00 ` [PATCH v3 " mortonm
2019-02-26 18:03 ` [PATCH v2 " Micah Morton
2019-02-27 20:00 ` [PATCH v2 1/2] " mortonm
2019-02-28 3:11 ` Serge E. Hallyn
2019-02-28 16:50 ` Casey Schaufler
2019-02-28 19:06 ` [PATCH v3 " mortonm
2019-02-28 19:12 ` Casey Schaufler
2019-02-28 20:20 ` [PATCH v4 2/2] " mortonm
2019-02-28 22:50 ` Casey Schaufler
2019-02-28 23:55 ` [PATCH v4 1/2] " mortonm
2019-03-04 18:10 ` Micah Morton
2019-03-04 18:27 ` [PATCH v5 " mortonm
2019-03-05 3:30 ` [PATCH v4 " James Morris
2019-03-05 15:46 ` Micah Morton
2019-02-28 19:08 ` [PATCH v2 " Micah Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ-EccPdoXp_duz8uL2pEHa3bA9QoCs-9=ybYwwVhMqMChXhtg@mail.gmail.com' \
--to=mortonm@chromium.org \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).