| Message ID | 20200720181156.1461461-1-mortonm@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] LSM: Signal to SafeSetID when in set*gid syscall | expand |
On Mon, Jul 20, 2020 at 11:11:56AM -0700, Micah Morton wrote: > From: Thomas Cedeno <thomascedeno@google.com> > > For SafeSetID to properly gate set*gid() calls, it needs to know whether > ns_capable() is being called from within a sys_set*gid() function or is > being called from elsewhere in the kernel. This allows SafeSetID to deny > CAP_SETGID to restricted groups when they are attempting to use the > capability for code paths other than updating GIDs (e.g. setting up > userns GID mappings). This is the identical approach to what is > currently done for CAP_SETUID. > > Signed-off-by: Thomas Cedeno <thomascedeno@google.com> > Signed-off-by: Micah Morton <mortonm@chromium.org> I see that only safesetid is using that now anyway. Reviewed-by: Serge Hallyn <serge@hallyn.com> > --- > kernel/sys.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/kernel/sys.c b/kernel/sys.c > index 00a96746e28a..55e0c86772ab 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -373,7 +373,7 @@ long __sys_setregid(gid_t rgid, gid_t egid) > if (rgid != (gid_t) -1) { > if (gid_eq(old->gid, krgid) || > gid_eq(old->egid, krgid) || > - ns_capable(old->user_ns, CAP_SETGID)) > + ns_capable_setid(old->user_ns, CAP_SETGID)) > new->gid = krgid; > else > goto error; > @@ -382,7 +382,7 @@ long __sys_setregid(gid_t rgid, gid_t egid) > if (gid_eq(old->gid, kegid) || > gid_eq(old->egid, kegid) || > gid_eq(old->sgid, kegid) || > - ns_capable(old->user_ns, CAP_SETGID)) > + ns_capable_setid(old->user_ns, CAP_SETGID)) > new->egid = kegid; > else > goto error; > @@ -432,7 +432,7 @@ long __sys_setgid(gid_t gid) > old = current_cred(); > > retval = -EPERM; > - if (ns_capable(old->user_ns, CAP_SETGID)) > + if (ns_capable_setid(old->user_ns, CAP_SETGID)) > new->gid = new->egid = new->sgid = new->fsgid = kgid; > else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid)) > new->egid = new->fsgid = kgid; > @@ -744,7 +744,7 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) > old = current_cred(); > > retval = -EPERM; > - if (!ns_capable(old->user_ns, CAP_SETGID)) { > + if (!ns_capable_setid(old->user_ns, CAP_SETGID)) { > if (rgid != (gid_t) -1 && !gid_eq(krgid, old->gid) && > !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid)) > goto error; > @@ -871,7 +871,7 @@ long __sys_setfsgid(gid_t gid) > > if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) || > gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) || > - ns_capable(old->user_ns, CAP_SETGID)) { > + ns_capable_setid(old->user_ns, CAP_SETGID)) { > if (!gid_eq(kgid, old->fsgid)) { > new->fsgid = kgid; > if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0) > -- > 2.28.0.rc0.105.gf9edc3c819-goog
On Mon, 20 Jul 2020, Micah Morton wrote: > From: Thomas Cedeno <thomascedeno@google.com> > > For SafeSetID to properly gate set*gid() calls, it needs to know whether > ns_capable() is being called from within a sys_set*gid() function or is > being called from elsewhere in the kernel. This allows SafeSetID to deny > CAP_SETGID to restricted groups when they are attempting to use the > capability for code paths other than updating GIDs (e.g. setting up > userns GID mappings). This is the identical approach to what is > currently done for CAP_SETUID. > > Signed-off-by: Thomas Cedeno <thomascedeno@google.com> > Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: James Morris <jamorris@linux.microsoft.com>
diff --git a/kernel/sys.c b/kernel/sys.c index 00a96746e28a..55e0c86772ab 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -373,7 +373,7 @@ long __sys_setregid(gid_t rgid, gid_t egid) if (rgid != (gid_t) -1) { if (gid_eq(old->gid, krgid) || gid_eq(old->egid, krgid) || - ns_capable(old->user_ns, CAP_SETGID)) + ns_capable_setid(old->user_ns, CAP_SETGID)) new->gid = krgid; else goto error; @@ -382,7 +382,7 @@ long __sys_setregid(gid_t rgid, gid_t egid) if (gid_eq(old->gid, kegid) || gid_eq(old->egid, kegid) || gid_eq(old->sgid, kegid) || - ns_capable(old->user_ns, CAP_SETGID)) + ns_capable_setid(old->user_ns, CAP_SETGID)) new->egid = kegid; else goto error; @@ -432,7 +432,7 @@ long __sys_setgid(gid_t gid) old = current_cred(); retval = -EPERM; - if (ns_capable(old->user_ns, CAP_SETGID)) + if (ns_capable_setid(old->user_ns, CAP_SETGID)) new->gid = new->egid = new->sgid = new->fsgid = kgid; else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid)) new->egid = new->fsgid = kgid; @@ -744,7 +744,7 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) old = current_cred(); retval = -EPERM; - if (!ns_capable(old->user_ns, CAP_SETGID)) { + if (!ns_capable_setid(old->user_ns, CAP_SETGID)) { if (rgid != (gid_t) -1 && !gid_eq(krgid, old->gid) && !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid)) goto error; @@ -871,7 +871,7 @@ long __sys_setfsgid(gid_t gid) if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) || gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) || - ns_capable(old->user_ns, CAP_SETGID)) { + ns_capable_setid(old->user_ns, CAP_SETGID)) { if (!gid_eq(kgid, old->fsgid)) { new->fsgid = kgid; if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)