From: mortonm@chromium.org To: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, casey@schaufler-ca.com, sds@tycho.nsa.gov, linux-security-module@vger.kernel.org Cc: Micah Morton <mortonm@chromium.org> Subject: [PATCH v3 1/2] LSM: mark all set*uid call sites in kernel/sys.c Date: Tue, 15 Jan 2019 10:04:21 -0800 Message-ID: <20190115180421.102209-1-mortonm@chromium.org> (raw) In-Reply-To: <CAGXu5jKiFDD25TUnt7s_zFv7sjrt8avjeZgBKUBVzQ-er+xdkg@mail.gmail.com> From: Micah Morton <mortonm@chromium.org> This change ensures that the set*uid family of syscalls in kernel/sys.c (setreuid, setuid, setresuid, setfsuid) all call ns_capable_common with the CAP_OPT_INSETID flag, so capability checks in the security_capable hook can know whether they are being called from within a set*uid syscall. This change is a no-op by itself, but is needed for the proposed SafeSetID LSM. Signed-off-by: Micah Morton <mortonm@chromium.org> --- These changes used to be part of the main SafeSetID LSM patch set. include/linux/capability.h | 5 +++++ kernel/capability.c | 19 +++++++++++++++++++ kernel/sys.c | 10 +++++----- 3 files changed, 29 insertions(+), 5 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index f640dcbc880c..c3f9a4d558a0 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -209,6 +209,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t, extern bool capable(int cap); extern bool ns_capable(struct user_namespace *ns, int cap); extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); +extern bool ns_capable_setid(struct user_namespace *ns, int cap); #else static inline bool has_capability(struct task_struct *t, int cap) { @@ -240,6 +241,10 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) { return true; } +static inline bool ns_capable_setid(struct user_namespace *ns, int cap) +{ + return true; +} #endif /* CONFIG_MULTIUSER */ extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode); extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); diff --git a/kernel/capability.c b/kernel/capability.c index 7718d7dcadc7..e0734ace5bc2 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -417,6 +417,25 @@ bool ns_capable_noaudit(struct user_namespace *ns, int cap) } EXPORT_SYMBOL(ns_capable_noaudit); +/** + * ns_capable_setid - Determine if the current task has a superior capability + * in effect, while signalling that this check is being done from within a + * setid syscall. + * @ns: The usernamespace we want the capability in + * @cap: The capability to be tested for + * + * Return true if the current task has the given superior capability currently + * available for use, false if not. + * + * This sets PF_SUPERPRIV on the task if the capability is available on the + * assumption that it's about to be used. + */ +bool ns_capable_setid(struct user_namespace *ns, int cap) +{ + return ns_capable_common(ns, cap, CAP_OPT_INSETID); +} +EXPORT_SYMBOL(ns_capable_setid); + /** * capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for diff --git a/kernel/sys.c b/kernel/sys.c index a48cbf1414b8..a98061c1a124 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -516,7 +516,7 @@ long __sys_setreuid(uid_t ruid, uid_t euid) new->uid = kruid; if (!uid_eq(old->uid, kruid) && !uid_eq(old->euid, kruid) && - !ns_capable(old->user_ns, CAP_SETUID)) + !ns_capable_setid(old->user_ns, CAP_SETUID)) goto error; } @@ -525,7 +525,7 @@ long __sys_setreuid(uid_t ruid, uid_t euid) if (!uid_eq(old->uid, keuid) && !uid_eq(old->euid, keuid) && !uid_eq(old->suid, keuid) && - !ns_capable(old->user_ns, CAP_SETUID)) + !ns_capable_setid(old->user_ns, CAP_SETUID)) goto error; } @@ -584,7 +584,7 @@ long __sys_setuid(uid_t uid) old = current_cred(); retval = -EPERM; - if (ns_capable(old->user_ns, CAP_SETUID)) { + if (ns_capable_setid(old->user_ns, CAP_SETUID)) { new->suid = new->uid = kuid; if (!uid_eq(kuid, old->uid)) { retval = set_user(new); @@ -646,7 +646,7 @@ long __sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) old = current_cred(); retval = -EPERM; - if (!ns_capable(old->user_ns, CAP_SETUID)) { + if (!ns_capable_setid(old->user_ns, CAP_SETUID)) { if (ruid != (uid_t) -1 && !uid_eq(kruid, old->uid) && !uid_eq(kruid, old->euid) && !uid_eq(kruid, old->suid)) goto error; @@ -814,7 +814,7 @@ long __sys_setfsuid(uid_t uid) if (uid_eq(kuid, old->uid) || uid_eq(kuid, old->euid) || uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) || - ns_capable(old->user_ns, CAP_SETUID)) { + ns_capable_setid(old->user_ns, CAP_SETUID)) { if (!uid_eq(kuid, old->fsuid)) { new->fsuid = kuid; if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0) -- 2.20.1.97.g81188d93c3-goog
next prev parent reply index Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-10-31 15:28 [PATCH] LSM: add SafeSetID module that gates setid calls mortonm 2018-10-31 21:02 ` Serge E. Hallyn 2018-10-31 21:57 ` Kees Cook 2018-10-31 22:37 ` Casey Schaufler 2018-11-01 1:12 ` Micah Morton 2018-11-01 6:13 ` Serge E. Hallyn 2018-11-01 15:39 ` Casey Schaufler 2018-11-01 15:56 ` Serge E. Hallyn 2018-11-01 16:18 ` Micah Morton 2018-11-01 6:07 ` Serge E. Hallyn 2018-11-01 16:11 ` Micah Morton 2018-11-01 16:22 ` Micah Morton 2018-11-01 16:41 ` Micah Morton 2018-11-01 17:08 ` Casey Schaufler 2018-11-01 19:52 ` Micah Morton 2018-11-02 16:05 ` Casey Schaufler 2018-11-02 17:12 ` Micah Morton 2018-11-02 18:19 ` Casey Schaufler 2018-11-02 18:30 ` Serge E. Hallyn 2018-11-02 19:02 ` Casey Schaufler 2018-11-02 19:22 ` Serge E. Hallyn 2018-11-08 20:53 ` Micah Morton 2018-11-08 21:34 ` Casey Schaufler 2018-11-09 0:30 ` Micah Morton 2018-11-09 23:21 ` [PATCH] LSM: generalize flag passing to security_capable mortonm 2018-11-21 16:54 ` [PATCH] LSM: add SafeSetID module that gates setid calls mortonm 2018-12-06 0:08 ` Kees Cook 2018-12-06 17:51 ` Micah Morton 2019-01-11 17:13 ` [PATCH v2] " mortonm 2019-01-15 0:38 ` Kees Cook 2019-01-15 18:04 ` mortonm [this message] 2019-01-15 19:34 ` [PATCH v3 1/2] LSM: mark all set*uid call sites in kernel/sys.c Kees Cook 2019-01-15 18:04 ` [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls mortonm 2019-01-15 19:44 ` Kees Cook 2019-01-15 21:50 ` [PATCH v4 " mortonm 2019-01-15 22:32 ` Kees Cook 2019-01-16 15:46 ` [PATCH v5 " mortonm 2019-01-16 16:10 ` Casey Schaufler 2019-01-22 20:40 ` Micah Morton 2019-01-22 22:28 ` James Morris 2019-01-22 22:40 ` Micah Morton 2019-01-22 22:42 ` [PATCH v3 1/2] " mortonm 2019-01-25 15:51 ` Micah Morton 2019-01-25 20:15 ` [PATCH v5 2/2] " James Morris 2019-01-25 21:06 ` Micah Morton 2019-01-28 19:47 ` Micah Morton 2019-01-28 19:56 ` Kees Cook 2019-01-28 20:09 ` James Morris 2019-01-28 20:19 ` Micah Morton 2019-01-28 20:30 ` [PATCH] LSM: Add 'name' field for SafeSetID in DEFINE_LSM mortonm 2019-01-28 22:12 ` James Morris 2019-01-28 22:33 ` [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls Micah Morton 2019-01-29 17:25 ` James Morris 2019-01-29 21:14 ` Micah Morton 2019-01-30 7:15 ` Kees Cook 2019-02-06 19:03 ` [PATCH] LSM: SafeSetID: add selftest mortonm 2019-02-06 19:26 ` Edwin Zimmerman 2019-02-07 21:54 ` Micah Morton 2019-02-12 19:01 ` James Morris 2019-01-15 21:58 ` [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls Micah Morton 2019-01-15 19:49 ` [PATCH v2] " Micah Morton 2019-01-15 19:53 ` Kees Cook 2019-01-15 4:07 ` James Morris 2019-01-15 19:42 ` Micah Morton 2018-11-02 19:28 ` [PATCH] " Micah Morton 2018-11-06 19:09 ` [PATCH v2] " mortonm 2018-11-06 20:59 ` [PATCH] " James Morris 2018-11-06 21:21 ` [PATCH v3] " mortonm 2018-11-02 18:07 ` [PATCH] " Stephen Smalley 2018-11-02 19:13 ` Micah Morton 2018-11-19 18:54 ` [PATCH] [PATCH] LSM: generalize flag passing to security_capable mortonm 2018-12-13 22:29 ` Micah Morton 2018-12-13 23:09 ` Casey Schaufler 2018-12-14 0:05 ` Micah Morton 2018-12-18 22:37 ` [PATCH v2] " mortonm 2019-01-07 17:55 ` Micah Morton 2019-01-07 18:16 ` Casey Schaufler 2019-01-07 18:36 ` Micah Morton 2019-01-07 18:46 ` Casey Schaufler 2019-01-07 19:02 ` Micah Morton 2019-01-07 22:57 ` [PATCH v3] " mortonm 2019-01-07 23:13 ` [PATCH v2] " Kees Cook 2019-01-08 0:10 ` [PATCH v4] " mortonm 2019-01-08 0:20 ` Kees Cook 2019-01-09 18:39 ` Micah Morton 2019-01-10 22:31 ` James Morris 2019-01-10 23:03 ` Micah Morton 2019-01-08 0:10 ` [PATCH v2] " Micah Morton
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190115180421.102209-1-mortonm@chromium.org \ --to=mortonm@chromium.org \ --cc=casey@schaufler-ca.com \ --cc=jmorris@namei.org \ --cc=keescook@chromium.org \ --cc=linux-security-module@vger.kernel.org \ --cc=sds@tycho.nsa.gov \ --cc=serge@hallyn.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Security-Module Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \ linux-security-module@vger.kernel.org public-inbox-index linux-security-module Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module AGPL code for this site: git clone https://public-inbox.org/public-inbox.git