Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Micah Morton <mortonm@chromium.org>
To: serge@hallyn.com
Cc: jmorris@namei.org, Kees Cook <keescook@chromium.org>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH] LSM: add SafeSetID module that gates setid calls
Date: Thu, 1 Nov 2018 09:11:46 -0700
Message-ID: <CAJ-EccMaAu+g55Nuh1nZqt3Ld-YEgDiT_ewdQzGtFGmzRgXckw@mail.gmail.com> (raw)
In-Reply-To: <20181101060737.GA7132@mail.hallyn.com>

On Wed, Oct 31, 2018 at 11:07 PM Serge E. Hallyn <serge@hallyn.com> wrote:
>
> On Wed, Oct 31, 2018 at 09:02:45PM +0000, Serge E. Hallyn wrote:
> > Quoting mortonm@chromium.org (mortonm@chromium.org):
> > > From: Micah Morton <mortonm@chromium.org>
> > >
> > > SafeSetID gates the setid family of syscalls to restrict UID/GID
> > > transitions from a given UID/GID to only those approved by a
> > > system-wide whitelist. These restrictions also prohibit the given
> > > UIDs/GIDs from obtaining auxiliary privileges associated with
> > > CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
> > > mappings. For now, only gating the set*uid family of syscalls is
> > > supported, with support for set*gid coming in a future patch set.
> > >
> > > Signed-off-by: Micah Morton <mortonm@chromium.org>
> > > ---
> > >
> > > NOTE: See the TODO above setuid_syscall() in lsm.c for an aspect of this
> > > code that likely needs improvement before being an acceptable approach.
> > > I'm specifically interested to see if there are better ideas for how
> > > this could be done.
> > >
> > >  Documentation/admin-guide/LSM/SafeSetID.rst |  94 ++++++
> > >  Documentation/admin-guide/LSM/index.rst     |   1 +
> > >  arch/Kconfig                                |   5 +
> > >  arch/arm/Kconfig                            |   1 +
> > >  arch/arm64/Kconfig                          |   1 +
> > >  arch/x86/Kconfig                            |   1 +
> > >  security/Kconfig                            |   1 +
> > >  security/Makefile                           |   2 +
> > >  security/safesetid/Kconfig                  |  13 +
> > >  security/safesetid/Makefile                 |   7 +
> > >  security/safesetid/lsm.c                    | 334 ++++++++++++++++++++
> > >  security/safesetid/lsm.h                    |  30 ++
> > >  security/safesetid/securityfs.c             | 189 +++++++++++
> > >  13 files changed, 679 insertions(+)
> > >  create mode 100644 Documentation/admin-guide/LSM/SafeSetID.rst
> > >  create mode 100644 security/safesetid/Kconfig
> > >  create mode 100644 security/safesetid/Makefile
> > >  create mode 100644 security/safesetid/lsm.c
> > >  create mode 100644 security/safesetid/lsm.h
> > >  create mode 100644 security/safesetid/securityfs.c
> > >
> > > diff --git a/Documentation/admin-guide/LSM/SafeSetID.rst b/Documentation/admin-guide/LSM/SafeSetID.rst
> > > new file mode 100644
> > > index 000000000000..e7d072124424
> > > --- /dev/null
> > > +++ b/Documentation/admin-guide/LSM/SafeSetID.rst
> > > @@ -0,0 +1,94 @@
> > > +=========
> > > +SafeSetID
> > > +=========
> > > +SafeSetID is an LSM module that gates the setid family of syscalls to restrict
> > > +UID/GID transitions from a given UID/GID to only those approved by a
> > > +system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs
> > > +from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as
> > > +allowing a user to set up user namespace UID mappings.
> > > +
> > > +
> > > +Background
> > > +==========
> > > +In absence of file capabilities, processes spawned on a Linux system that need
> > > +to switch to a different user must be spawned with CAP_SETUID privileges.
> > > +CAP_SETUID is granted to programs running as root or those running as a non-root
> > > +user that have been explicitly given the CAP_SETUID runtime capability. It is
> > > +often preferable to use Linux runtime capabilities rather than file
> > > +capabilities, since using file capabilities to run a program with elevated
> > > +privileges opens up possible security holes since any user with access to the
> > > +file can exec() that program to gain the elevated privileges.
> >
> > Not true, see inheritable capabilities.  You also might look at ambient
> > capabilities.
>
> So for example with pam_cap.so you could have your N uids each be given
> the desired pI, and assign the corrsponding fIs to the files they should
> be able to exec with privilege.  No other uids will run those files with
> privilege.  *1

Sorry, what are "pl" and "fls" here? "Privilege level" and "files"?

>
> Can you give some more details about exactly how you see SafeSetID being
> used?

Sure. The main use case for this LSM is to allow a non-root program to
transition to other untrusted uids without full blown CAP_SETUID
capabilities. The non-root program would still need CAP_SETUID to do
any kind of transition, but the additional restrictions imposed by
this LSM would mean it is a "safer" version of CAP_SETUID since the
non-root program cannot take advantage of CAP_SETUID to do any
unapproved actions (i.e. setuid to uid 0 or create/enter new user
namespace). The higher level goal is to allow for uid-based sandboxing
of system services without having to give out CAP_SETUID all over the
place just so that non-root programs can drop to
even-further-non-privileged uids. This is especially relevant when one
non-root daemon on the system should be allowed to spawn other
processes as different uids, but its undesirable to give the daemon a
basically-root-equivalent CAP_SETUID.

>
> I'm still not quite clear on whether you want N completely unprivileged
> uids to be used by some user (i.e. uid 1000), or whether one or more of
> those should also have some privileged, or whether one of the uids might
> or might not b uid 0.  Years ago I used to use N separate uids to
> somewhat segragate workloads on my laptop, and I'd like my browser to
> do something like that.  Is that the kind of uid switching you have
> in mind?

"N completely unprivileged uids to be used by some user (i.e. uid
1000)" is the closest description of what this LSM has in mind. For
example, uid 123 is some system service that needs runtime
capabilities X, Y and Z and a bunch of DBus permissions associated
with uid 123, but also wants to spawn another program without any of
these capabilities/permissions. In this case we would like to avoid
giving the system service CAP_SETUID.

>
> -serge
>
> *1 And maybe with one of the p9auth/factotem proposals out there you
> could have a userspace daemon hand out the tokens for setuid, but that's
> getting "out there" and probably derailing this conversation :)

  reply index

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-31 15:28 mortonm
2018-10-31 21:02 ` Serge E. Hallyn
2018-10-31 21:57   ` Kees Cook
2018-10-31 22:37     ` Casey Schaufler
2018-11-01  1:12       ` Micah Morton
2018-11-01  6:13         ` Serge E. Hallyn
2018-11-01 15:39           ` Casey Schaufler
2018-11-01 15:56             ` Serge E. Hallyn
2018-11-01 16:18             ` Micah Morton
2018-11-01  6:07   ` Serge E. Hallyn
2018-11-01 16:11     ` Micah Morton [this message]
2018-11-01 16:22       ` Micah Morton
2018-11-01 16:41       ` Micah Morton
2018-11-01 17:08       ` Casey Schaufler
2018-11-01 19:52         ` Micah Morton
2018-11-02 16:05           ` Casey Schaufler
2018-11-02 17:12             ` Micah Morton
2018-11-02 18:19               ` Casey Schaufler
2018-11-02 18:30                 ` Serge E. Hallyn
2018-11-02 19:02                   ` Casey Schaufler
2018-11-02 19:22                     ` Serge E. Hallyn
2018-11-08 20:53                       ` Micah Morton
2018-11-08 21:34                         ` Casey Schaufler
2018-11-09  0:30                           ` Micah Morton
2018-11-09 23:21                             ` [PATCH] LSM: generalize flag passing to security_capable mortonm
2018-11-21 16:54                             ` [PATCH] LSM: add SafeSetID module that gates setid calls mortonm
2018-12-06  0:08                               ` Kees Cook
2018-12-06 17:51                                 ` Micah Morton
2019-01-11 17:13                                 ` [PATCH v2] " mortonm
2019-01-15  0:38                                   ` Kees Cook
2019-01-15 18:04                                     ` [PATCH v3 1/2] LSM: mark all set*uid call sites in kernel/sys.c mortonm
2019-01-15 19:34                                       ` Kees Cook
2019-01-15 18:04                                     ` [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls mortonm
2019-01-15 19:44                                       ` Kees Cook
2019-01-15 21:50                                         ` [PATCH v4 " mortonm
2019-01-15 22:32                                           ` Kees Cook
2019-01-16 15:46                                             ` [PATCH v5 " mortonm
2019-01-16 16:10                                               ` Casey Schaufler
2019-01-22 20:40                                                 ` Micah Morton
2019-01-22 22:28                                                   ` James Morris
2019-01-22 22:40                                                     ` Micah Morton
2019-01-22 22:42                                                       ` [PATCH v3 1/2] " mortonm
2019-01-25 15:51                                                         ` Micah Morton
2019-01-25 20:15                                               ` [PATCH v5 2/2] " James Morris
2019-01-25 21:06                                                 ` Micah Morton
2019-01-28 19:47                                                   ` Micah Morton
2019-01-28 19:56                                                     ` Kees Cook
2019-01-28 20:09                                                       ` James Morris
2019-01-28 20:19                                                       ` Micah Morton
2019-01-28 20:30                                                         ` [PATCH] LSM: Add 'name' field for SafeSetID in DEFINE_LSM mortonm
2019-01-28 22:12                                                           ` James Morris
2019-01-28 22:33                                                         ` [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls Micah Morton
2019-01-29 17:25                                                           ` James Morris
2019-01-29 21:14                                                             ` Micah Morton
2019-01-30  7:15                                                               ` Kees Cook
2019-02-06 19:03                                                                 ` [PATCH] LSM: SafeSetID: add selftest mortonm
2019-02-06 19:26                                                                   ` Edwin Zimmerman
2019-02-07 21:54                                                                     ` Micah Morton
2019-02-12 19:01                                                                   ` James Morris
2019-01-15 21:58                                         ` [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls Micah Morton
2019-01-15 19:49                                     ` [PATCH v2] " Micah Morton
2019-01-15 19:53                                       ` Kees Cook
2019-01-15  4:07                                   ` James Morris
2019-01-15 19:42                                     ` Micah Morton
2018-11-02 19:28                 ` [PATCH] " Micah Morton
2018-11-06 19:09                 ` [PATCH v2] " mortonm
2018-11-06 20:59       ` [PATCH] " James Morris
2018-11-06 21:21         ` [PATCH v3] " mortonm
2018-11-02 18:07 ` [PATCH] " Stephen Smalley
2018-11-02 19:13   ` Micah Morton
2018-11-19 18:54   ` [PATCH] [PATCH] LSM: generalize flag passing to security_capable mortonm
2018-12-13 22:29     ` Micah Morton
2018-12-13 23:09       ` Casey Schaufler
2018-12-14  0:05         ` Micah Morton
2018-12-18 22:37         ` [PATCH v2] " mortonm
2019-01-07 17:55           ` Micah Morton
2019-01-07 18:16             ` Casey Schaufler
2019-01-07 18:36               ` Micah Morton
2019-01-07 18:46                 ` Casey Schaufler
2019-01-07 19:02                   ` Micah Morton
2019-01-07 22:57                     ` [PATCH v3] " mortonm
2019-01-07 23:13           ` [PATCH v2] " Kees Cook
2019-01-08  0:10             ` [PATCH v4] " mortonm
2019-01-08  0:20               ` Kees Cook
2019-01-09 18:39                 ` Micah Morton
2019-01-10 22:31               ` James Morris
2019-01-10 23:03                 ` Micah Morton
2019-01-08  0:10             ` [PATCH v2] " Micah Morton

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAJ-EccMaAu+g55Nuh1nZqt3Ld-YEgDiT_ewdQzGtFGmzRgXckw@mail.gmail.com \
    --to=mortonm@chromium.org \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox