From patchwork Wed Apr 10 16:55:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894421 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4C36E17E6 for ; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 33C26284C8 for ; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 27DCC28B5A; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4494284C8 for ; Wed, 10 Apr 2019 16:55:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733258AbfDJQzo (ORCPT ); Wed, 10 Apr 2019 12:55:44 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:38727 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733280AbfDJQzo (ORCPT ); Wed, 10 Apr 2019 12:55:44 -0400 Received: by mail-pg1-f195.google.com with SMTP id j26so1909157pgl.5 for ; Wed, 10 Apr 2019 09:55:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=eUypBXodY0erBeXTZIWhrSekmLh1Upz6H7xhxGfMPp8=; b=iXmRcGafMKXhqrkM/O42SJ440W8Sn6EjyAjOBPdv9k4DhE9eaxnVjF8C26h3YhpHaO akEs46eUKe/FHGzHqweV2IIxWBa90cso0kTTNVUG3nWv6iGMIXa8ntYjA6dv8/8RaXIh N1J3EtGu1e+9dqWFBhWbK26coCgcNz6h3a9n4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=eUypBXodY0erBeXTZIWhrSekmLh1Upz6H7xhxGfMPp8=; b=ZBJfx4vO8ZpSGe0BVFPsH9BHo+zy1d8RQ+gcd+7pcBr1k418hGBfb0HEwMN8YtTeLY SUUPGIcLBm23swFt6fCk+/NQYLwV5LU+YH3VT6Hg2ngYgz1QCxJmsYir+Oj5lfuiWAV+ 8w/RG3NqCBCVHIjxYVUtbmhxNZ7h+qe4+JhE1j+LxQ83VWbiuzZggxl309tGYCf1cNGm D4XdQZs94j7BvKqLMaN4ApT6CTUVVx6wSTP0BZB/pOQQ8OFWQarzzuRRY9k+sbrSMovg 6aHQBHXUPIp3yVvghy1zRFmHIVa0PPR3YVMwaMKJzHvrRgwLTtDmt+6auEAkmpPkrYqE NyaQ== X-Gm-Message-State: APjAAAUI+M9GzPS/9J2ldFzh54S735otPiEFHDRwP0iFOuBCK81pAyp4 xFtHZ4Ysgr4rq3zOhc76wMmvAghyOReNpw== X-Google-Smtp-Source: APXvYqzdhBRy2mW3GisaU62Gu3iLGqOTO9Dq6+04sOB2+FOMrQEExsFYMklkmipMQ/tFFX8f/q4Jbw== X-Received: by 2002:a63:c45:: with SMTP id 5mr42420066pgm.385.1554915343483; Wed, 10 Apr 2019 09:55:43 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id h1sm24857345pgs.67.2019.04.10.09.55.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:55:43 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 04/10] LSM: SafeSetID: refactor safesetid_security_capable() Date: Wed, 10 Apr 2019 09:55:41 -0700 Message-Id: <20190410165541.210809-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn At the moment, safesetid_security_capable() has two nested conditional blocks, and one big comment for all the logic. Chop it up and reduce the amount of indentation. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 41 +++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 15cd13b5a211..ab429e1816c5 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -55,21 +55,32 @@ static int safesetid_security_capable(const struct cred *cred, int cap, unsigned int opts) { - if (cap == CAP_SETUID && - setuid_policy_lookup(cred->uid, INVALID_UID) != SIDPOL_DEFAULT) { - if (!(opts & CAP_OPT_INSETID)) { - /* - * Deny if we're not in a set*uid() syscall to avoid - * giving powers gated by CAP_SETUID that are related - * to functionality other than calling set*uid() (e.g. - * allowing user to set up userns uid mappings). - */ - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", - __kuid_val(cred->uid)); - return -1; - } - } - return 0; + /* We're only interested in CAP_SETUID. */ + if (cap != CAP_SETUID) + return 0; + + /* + * If CAP_SETUID is currently used for a set*uid() syscall, we want to + * let it go through here; the real security check happens later, in the + * task_fix_setuid hook. + */ + if ((opts & CAP_OPT_INSETID) != 0) + return 0; + + /* + * If no policy applies to this task, allow the use of CAP_SETUID for + * other purposes. + */ + if (setuid_policy_lookup(cred->uid, INVALID_UID) == SIDPOL_DEFAULT) + return 0; + + /* + * Reject use of CAP_SETUID for functionality other than calling + * set*uid() (e.g. setting up userns uid mappings). + */ + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", + __kuid_val(cred->uid)); + return -1; } /*