@@ -373,8 +373,19 @@ static int acl_permission_check(struct mnt_idmap *idmap,
*/
if (mask & (mode ^ (mode >> 3))) {
vfsgid_t vfsgid = i_gid_into_vfsgid(idmap, inode);
- if (vfsgid_in_group_p(vfsgid))
- mode >>= 3;
+ int idx = vfsgid_in_group_p(vfsgid);
+
+ if (idx) {
+ unsigned int mode_grp = mode >> 3;
+
+ if (mask & ~mode_grp)
+ return -EACCES;
+ idx -= 2;
+ if (idx < 0 || idx >= 32 || !((1U << idx) &
+ current_cred()->group_info->restrict_bitmap))
+ return 0;
+ /* If we hit restrict_bitmap, then check Others. */
+ }
}
/* Bits in 'mode' clear that we require? */
@@ -25,6 +25,7 @@ struct inode;
*/
struct group_info {
refcount_t usage;
+ unsigned int restrict_bitmap;
int ngroups;
kgid_t gid[];
} __randomize_layout;
@@ -328,4 +328,7 @@ struct prctl_mm_map {
# define PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC 0x10 /* Clear the aspect on exec */
# define PR_PPC_DEXCR_CTRL_MASK 0x1f
+#define PR_GET_GRBITMAP 74
+#define PR_SET_GRBITMAP 75
+
#endif /* _LINUX_PRCTL_H */
@@ -20,6 +20,7 @@ struct group_info *groups_alloc(int gidsetsize)
return NULL;
refcount_set(&gi->usage, 1);
+ gi->restrict_bitmap = 0;
gi->ngroups = gidsetsize;
return gi;
}
@@ -88,7 +89,9 @@ void groups_sort(struct group_info *group_info)
}
EXPORT_SYMBOL(groups_sort);
-/* a simple bsearch */
+/* a simple bsearch
+ * Return: 1-based index of the matched entry, or 0 if not found,
+ */
int groups_search(const struct group_info *group_info, kgid_t grp)
{
unsigned int left, right;
@@ -105,7 +108,7 @@ int groups_search(const struct group_info *group_info, kgid_t grp)
else if (gid_lt(grp, group_info->gid[mid]))
right = mid;
else
- return 1;
+ return mid + 1;
}
return 0;
}
@@ -222,15 +225,21 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
}
/*
- * Check whether we're fsgid/egid or in the supplemental group..
+ * Check whether we're fsgid/egid or in the supplemental group.
+ * Return: 1-based index of the matched entry, where 1 means fsgid,
+ * 2..N means 2-based index in group_info.
*/
int in_group_p(kgid_t grp)
{
const struct cred *cred = current_cred();
int retval = 1;
- if (!gid_eq(grp, cred->fsgid))
+ if (!gid_eq(grp, cred->fsgid)) {
retval = groups_search(cred->group_info, grp);
+ /* Make it start from 2. */
+ if (retval)
+ retval++;
+ }
return retval;
}
@@ -241,8 +250,12 @@ int in_egroup_p(kgid_t grp)
const struct cred *cred = current_cred();
int retval = 1;
- if (!gid_eq(grp, cred->egid))
+ if (!gid_eq(grp, cred->egid)) {
retval = groups_search(cred->group_info, grp);
+ /* Make it start from 2. */
+ if (retval)
+ retval++;
+ }
return retval;
}
@@ -2784,6 +2784,17 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
case PR_RISCV_SET_ICACHE_FLUSH_CTX:
error = RISCV_SET_ICACHE_FLUSH_CTX(arg2, arg3);
break;
+ case PR_GET_GRBITMAP:
+ if (arg2 || arg3 || arg4 || arg5)
+ return -EINVAL;
+ error = current_cred()->group_info->restrict_bitmap;
+ break;
+ case PR_SET_GRBITMAP:
+ /* Allow 31 bits to avoid setting sign bit. */
+ if (arg2 > (1U << 31) - 1 || arg3 || arg4 || arg5)
+ return -EINVAL;
+ current_cred()->group_info->restrict_bitmap = arg2;
+ break;
default:
error = -EINVAL;
break;
This patch adds the group restriction bitmap. This bitmap is normally 0 (all bits clear), which means the normal handling of the group permission check. When either bit is set, the corresponding entry in supplementary group list is treated differently: - if group access denied, then deny, as before - if group access allowed, then proceed to checking Other perms. Added 2 prctl calls: PR_GET_GRBITMAP and PR_SET_GRBITMAP to manipulate the bitmap. This implementation only allows to manipulate 31 bits. Q: Why is this needed? A: When you want to lower the privs of your process, you may use suid/sgid bits to switch to some home-less (no home dir) unprivileged user that can't touch any files of the original user. But the supplementary group list ruins that possibility, and you can't drop it. The ability to drop the group list was proposed by Josh Tripplett: https://lore.kernel.org/all/0895c1f268bc0b01cc6c8ed4607d7c3953f49728.1416041823.git.josh@joshtriplett.org/ But it wasn't considered secure enough because the group may restrict an access, not only allow. My solution avoids that problem, as when you set a bit in the restriction bitmap, the group restriction still applies - only the permission is withdrawn. Another advantage is that you can selectively restrict groups from the list, rather than to drop it them all at once. Signed-off-by: Stas Sergeev <stsp2@yandex.ru> CC: Alexander Viro <viro@zeniv.linux.org.uk> CC: Christian Brauner <brauner@kernel.org> CC: Jan Kara <jack@suse.cz> CC: Jens Axboe <axboe@kernel.dk> CC: Andrew Morton <akpm@linux-foundation.org> CC: Catalin Marinas <catalin.marinas@arm.com> CC: Florent Revest <revest@chromium.org> CC: Kees Cook <kees@kernel.org> CC: Palmer Dabbelt <palmer@rivosinc.com> CC: Charlie Jenkins <charlie@rivosinc.com> CC: Benjamin Gray <bgray@linux.ibm.com> CC: Oleg Nesterov <oleg@redhat.com> CC: Helge Deller <deller@gmx.de> CC: Zev Weiss <zev@bewilderbeest.net> (commit_signer:1/12=8%) CC: Samuel Holland <samuel.holland@sifive.com> CC: linux-fsdevel@vger.kernel.org CC: linux-kernel@vger.kernel.org CC: Eric Biederman <ebiederm@xmission.com> CC: Andy Lutomirski <luto@kernel.org> CC: Josh Triplett <josh@joshtriplett.org> --- fs/namei.c | 15 +++++++++++++-- include/linux/cred.h | 1 + include/uapi/linux/prctl.h | 3 +++ kernel/groups.c | 23 ++++++++++++++++++----- kernel/sys.c | 11 +++++++++++ 5 files changed, 46 insertions(+), 7 deletions(-)