From patchwork Wed Apr 10 16:54:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894415 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6A2B417E6 for ; Wed, 10 Apr 2019 16:54:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5042C28A2A for ; Wed, 10 Apr 2019 16:54:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3E17928A32; Wed, 10 Apr 2019 16:54:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CDCEA28A2A for ; Wed, 10 Apr 2019 16:54:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730417AbfDJQyn (ORCPT ); Wed, 10 Apr 2019 12:54:43 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:34152 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730324AbfDJQyn (ORCPT ); Wed, 10 Apr 2019 12:54:43 -0400 Received: by mail-pg1-f196.google.com with SMTP id v12so1920415pgq.1 for ; Wed, 10 Apr 2019 09:54:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=TrcHL0kMBw/SvjlhZQb5Lz2YkuzTjIC+UsSx0C/4214=; b=RqN+sxxUNazXMPmh1vqpGzL0oHUJpijlK2g8/8klMYjd+UBcv562haiJjgovGLO15g y+UHZ3A7Ebu4H9ZRyjmaEZVfn126Rgv7RYeyF2SMlp/IL64kfqnC7dKQI8cMlNlVTjt8 ieJQFeRIgd1QaumLJw5xbvPtQhsyu8VmN7r+Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=TrcHL0kMBw/SvjlhZQb5Lz2YkuzTjIC+UsSx0C/4214=; b=e7r8j2PVHie0gXtChoLCGiNP/oZu/VqlCH3aIu8lYLK/ha3qzF/gBN5Sa5LrQWsmfR JmMSQzl69QMBXRsLb5PXojmyZSsOfRO8hSi0eaB2aqOfsEyqDW7IbkBMp7GWdVvXCJhr 6wm92wKsipyhQ+Hp/v3Uzyh5xslvKrVvgdKLD066WRs7W5pFP7dgCrypOh5nk5h22l/o jWPDqUa3BzWd2B9h/sVQNu0qHLJ+7uCoTS40d2ftJh0QEToK/9wwbQIGtmN4uo1byIOQ +DKMMpAPwfnh1z7Tyox/SkOwjGFGDUbOVL3VDMSf/9DWXzrATnHTbRjXIdZa2iIZNWAI EPZw== X-Gm-Message-State: APjAAAVupCfYSI29hYcwSOZIGUXSR6I07BXf3OqrXg3dZWqwk9SKrhUH LMBWHP+5VsmajU2m0mX8JcKvLg== X-Google-Smtp-Source: APXvYqxmrI89ehpm68s5ZXHOF6SE4j7Julbv7LyNMhlWUzRwcFYPPnI1VbsST/V+oEdG1wo2L52VQg== X-Received: by 2002:a62:415d:: with SMTP id o90mr44476618pfa.236.1554915282625; Wed, 10 Apr 2019 09:54:42 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id a3sm3439841pgj.89.2019.04.10.09.54.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:54:41 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 01/10] LSM: SafeSetID: fix pr_warn() to include newline Date: Wed, 10 Apr 2019 09:54:34 -0700 Message-Id: <20190410165434.206579-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn Fix the pr_warn() calls in the SafeSetID LSM to have newlines at the end. Without this, denial messages will be buffered as incomplete lines in log_output(), and will then only show up once something else prints into dmesg. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index cecd38e2ac80..2daecab3a4c0 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -91,7 +91,7 @@ static int safesetid_security_capable(const struct cred *cred, * to functionality other than calling set*uid() (e.g. * allowing user to set up userns uid mappings). */ - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions", + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", __kuid_val(cred->uid)); return -1; } @@ -103,7 +103,7 @@ static int check_uid_transition(kuid_t parent, kuid_t child) { if (check_setuid_policy_hashtable_key_value(parent, child)) return 0; - pr_warn("UID transition (%d -> %d) blocked", + pr_warn("UID transition (%d -> %d) blocked\n", __kuid_val(parent), __kuid_val(child)); /* From patchwork Wed Apr 10 16:55:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894417 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7277C17E6 for ; Wed, 10 Apr 2019 16:55:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5940A28B67 for ; Wed, 10 Apr 2019 16:55:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4D6BB28B68; Wed, 10 Apr 2019 16:55:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AD73828A8B for ; Wed, 10 Apr 2019 16:55:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733267AbfDJQz0 (ORCPT ); Wed, 10 Apr 2019 12:55:26 -0400 Received: from mail-pf1-f169.google.com ([209.85.210.169]:44269 "EHLO mail-pf1-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729737AbfDJQzZ (ORCPT ); Wed, 10 Apr 2019 12:55:25 -0400 Received: by mail-pf1-f169.google.com with SMTP id y13so1819014pfm.11 for ; Wed, 10 Apr 2019 09:55:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=sl4t4ul/+E9f2TaRFFo8H7oESH1GeQUI1PK2lPsmZY4=; b=TByvivjOsDIDE4sfrwCowXVKlQWA2ORE/pfs7KhmhHpXig0JZ2mB2MS/B4HfYLL2p+ kOEjWIVSos+agKpnSnl//ouFAdBs9M3FHTqaDR0KK1Hi/e3nxizHKYUSp/1gRgeB7Ec8 qIH35vum1OFwaCX6NckCE8XXRDhZty96PV+jM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=sl4t4ul/+E9f2TaRFFo8H7oESH1GeQUI1PK2lPsmZY4=; b=fMxv38rE/S7NOV0e3w/jAozROa3ABN6uJyEhRdNiXS6COybOEDElhRM3kMHt8N0ALs HsdnLaWSYH0yaGzt+FXbQwsQWbFDhxbBwqC6Ea587KYYCl6KzlpG9QWw5E9Bd5T/MUkS zEiwJdpOYfEJQhBxcBsFV84A/1j6uVSkXTqcdOl0HR/fPavk5nJv+jSyVuY+JxrRa+S8 V8Vstz11O7t1xZRUrMzlmCrQ0edDO1KIstluqgq/Au0qHL9DfnWVMkc9wc9gLLVJNTlf i6fQe8Wzve8ky7c+RKNA21TwU4JwzWD+58gAgVJKsf4vDzWxLfDBtu3Hcm1TrpKMH13c oTjw== X-Gm-Message-State: APjAAAW+1hNst6bR7nagzEg/wi3pj09x+TRj2yVpHbTU/x6DFW2sPNM7 TGkQoqqWrlHJpoLERcrn0ILiuA== X-Google-Smtp-Source: APXvYqyRUfRrvHzgty+TgY4IXe3293QPN/w4ogQtyTBq/owSTUU9VPI5VFK5cMoz6nEGp0VMWfTNFw== X-Received: by 2002:a63:1654:: with SMTP id 20mr42539711pgw.166.1554915324837; Wed, 10 Apr 2019 09:55:24 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id u26sm49264827pfn.5.2019.04.10.09.55.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:55:24 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 02/10] LSM: SafeSetID: fix check for setresuid(new1, new2, new3) Date: Wed, 10 Apr 2019 09:55:19 -0700 Message-Id: <20190410165519.209565-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn With the old code, when a process with the (real,effective,saved) UID set (1,1,1) calls setresuid(2,3,4), safesetid_task_fix_setuid() only checks whether the transition 1->2 is permitted; the transitions 1->3 and 1->4 are not checked. Fix this. This is also a good opportunity to refactor safesetid_task_fix_setuid() to be less verbose - having one branch per set*uid() syscall is unnecessary. Note that this slightly changes semantics: The UID transition check for UIDs that were not in the old cred struct is now always performed against the policy of the RUID. I think that's more consistent anyway, since the RUID is also the one that decides whether any policy is enforced at all. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 125 +++++++++++---------------------------- 1 file changed, 35 insertions(+), 90 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 2daecab3a4c0..5310fcf3052a 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -99,20 +99,30 @@ static int safesetid_security_capable(const struct cred *cred, return 0; } -static int check_uid_transition(kuid_t parent, kuid_t child) +/* + * Check whether a caller with old credentials @old is allowed to switch to + * credentials that contain @new_uid. + */ +static bool uid_permitted_for_cred(const struct cred *old, kuid_t new_uid) { - if (check_setuid_policy_hashtable_key_value(parent, child)) - return 0; - pr_warn("UID transition (%d -> %d) blocked\n", - __kuid_val(parent), - __kuid_val(child)); + bool permitted; + + /* If our old creds already had this UID in it, it's fine. */ + if (uid_eq(new_uid, old->uid) || uid_eq(new_uid, old->euid) || + uid_eq(new_uid, old->suid)) + return true; + /* - * Kill this process to avoid potential security vulnerabilities - * that could arise from a missing whitelist entry preventing a - * privileged process from dropping to a lesser-privileged one. + * Transitions to new UIDs require a check against the policy of the old + * RUID. */ - force_sig(SIGKILL, current); - return -EACCES; + permitted = check_setuid_policy_hashtable_key_value(old->uid, new_uid); + if (!permitted) { + pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n", + __kuid_val(old->uid), __kuid_val(old->euid), + __kuid_val(old->suid), __kuid_val(new_uid)); + } + return permitted; } /* @@ -125,88 +135,23 @@ static int safesetid_task_fix_setuid(struct cred *new, int flags) { - /* Do nothing if there are no setuid restrictions for this UID. */ + /* Do nothing if there are no setuid restrictions for our old RUID. */ if (!check_setuid_policy_hashtable_key(old->uid)) return 0; - switch (flags) { - case LSM_SETID_RE: - /* - * Users for which setuid restrictions exist can only set the - * real UID to the real UID or the effective UID, unless an - * explicit whitelist policy allows the transition. - */ - if (!uid_eq(old->uid, new->uid) && - !uid_eq(old->euid, new->uid)) { - return check_uid_transition(old->uid, new->uid); - } - /* - * Users for which setuid restrictions exist can only set the - * effective UID to the real UID, the effective UID, or the - * saved set-UID, unless an explicit whitelist policy allows - * the transition. - */ - if (!uid_eq(old->uid, new->euid) && - !uid_eq(old->euid, new->euid) && - !uid_eq(old->suid, new->euid)) { - return check_uid_transition(old->euid, new->euid); - } - break; - case LSM_SETID_ID: - /* - * Users for which setuid restrictions exist cannot change the - * real UID or saved set-UID unless an explicit whitelist - * policy allows the transition. - */ - if (!uid_eq(old->uid, new->uid)) - return check_uid_transition(old->uid, new->uid); - if (!uid_eq(old->suid, new->suid)) - return check_uid_transition(old->suid, new->suid); - break; - case LSM_SETID_RES: - /* - * Users for which setuid restrictions exist cannot change the - * real UID, effective UID, or saved set-UID to anything but - * one of: the current real UID, the current effective UID or - * the current saved set-user-ID unless an explicit whitelist - * policy allows the transition. - */ - if (!uid_eq(new->uid, old->uid) && - !uid_eq(new->uid, old->euid) && - !uid_eq(new->uid, old->suid)) { - return check_uid_transition(old->uid, new->uid); - } - if (!uid_eq(new->euid, old->uid) && - !uid_eq(new->euid, old->euid) && - !uid_eq(new->euid, old->suid)) { - return check_uid_transition(old->euid, new->euid); - } - if (!uid_eq(new->suid, old->uid) && - !uid_eq(new->suid, old->euid) && - !uid_eq(new->suid, old->suid)) { - return check_uid_transition(old->suid, new->suid); - } - break; - case LSM_SETID_FS: - /* - * Users for which setuid restrictions exist cannot change the - * filesystem UID to anything but one of: the current real UID, - * the current effective UID or the current saved set-UID - * unless an explicit whitelist policy allows the transition. - */ - if (!uid_eq(new->fsuid, old->uid) && - !uid_eq(new->fsuid, old->euid) && - !uid_eq(new->fsuid, old->suid) && - !uid_eq(new->fsuid, old->fsuid)) { - return check_uid_transition(old->fsuid, new->fsuid); - } - break; - default: - pr_warn("Unknown setid state %d\n", flags); - force_sig(SIGKILL, current); - return -EINVAL; - } - return 0; + if (uid_permitted_for_cred(old, new->uid) && + uid_permitted_for_cred(old, new->euid) && + uid_permitted_for_cred(old, new->suid) && + uid_permitted_for_cred(old, new->fsuid)) + return 0; + + /* + * Kill this process to avoid potential security vulnerabilities + * that could arise from a missing whitelist entry preventing a + * privileged process from dropping to a lesser-privileged one. + */ + force_sig(SIGKILL, current); + return -EACCES; } int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child) From patchwork Wed Apr 10 16:55:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894419 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5CE8F1515 for ; Wed, 10 Apr 2019 16:55:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 42744284C8 for ; Wed, 10 Apr 2019 16:55:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 35AAA28B5A; Wed, 10 Apr 2019 16:55:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94C2E284C8 for ; Wed, 10 Apr 2019 16:55:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388139AbfDJQzh (ORCPT ); Wed, 10 Apr 2019 12:55:37 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:36555 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733280AbfDJQzh (ORCPT ); Wed, 10 Apr 2019 12:55:37 -0400 Received: by mail-pg1-f194.google.com with SMTP id 85so1914301pgc.3 for ; Wed, 10 Apr 2019 09:55:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=WNZ9A2E9lNF9DtU6n0CDvqQTdXDB3ObGpdEuZNzmKOY=; b=OaLXS+PziqiVaNQkSudkaluUerpK/Ox64n0BZJGKc/enS4668KPO6G6BeAMU0eyvHw pBKuOzbEpG7NDkD2Y47aPhmMYrvDCTOYKYckwEaVFVsgiJO3x+03VG2aPjwSmr2ZOSKV aSFrohUbDUpCH3zP0o+Wp/ytwNa1jmYkC0+Xs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=WNZ9A2E9lNF9DtU6n0CDvqQTdXDB3ObGpdEuZNzmKOY=; b=BZuAVc0/dTnuUu6S6kiFgUvAqDZI/DWbko4muwegFms6vhs0nnLPEXIJo11tNC5YqI mDGErFZ7oBhZhFA1bSSK5CbTvO+o4nWj7k2fnL8KSGystoO8CggpDBMvQdI9qbAIDWYu OFvcxi14Lcr/cLZPjq4ZGmFx+p9Z0hlilNWi0pZDqXI3jo/XB70ZrhoJIT7zBUTuLe9x p+uXkr61vl9+BtD3tUe5iV2VUXOXHhh2quC0aCGuZAXmGGkSpKuglDi/GcCAvoC8nBzj WZei+65GSFXCxfJX3Mvi7jhl3rIyQqdb6uPcCX9o0nfJmiGmmX5J55BZoNziURL38xDa Wf+w== X-Gm-Message-State: APjAAAXhGi0e0GmgZbs2FB76A6xPiMiGvGaU9ql6rMPoe9zUPxBF9BJ4 iqB3mZhZFAC35QzuypXBJ5z6rQ== X-Google-Smtp-Source: APXvYqwJW1qMpK+QBO0HX/syVxyfQcV2A0pqHWKwBsSeyp2Ry4vXQT7b5vABi6QT6eg1uamkXGUfaQ== X-Received: by 2002:a63:330e:: with SMTP id z14mr41045000pgz.4.1554915336804; Wed, 10 Apr 2019 09:55:36 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id k65sm77525737pfb.68.2019.04.10.09.55.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:55:36 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 03/10] LSM: SafeSetID: refactor policy hash table Date: Wed, 10 Apr 2019 09:55:34 -0700 Message-Id: <20190410165534.210333-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn parent_kuid and child_kuid are kuids, there is no reason to make them uint64_t. (And anyway, in the kernel, the normal name for that would be u64, not uint64_t.) check_setuid_policy_hashtable_key() and check_setuid_policy_hashtable_key_value() are basically the same thing, merge them. Also fix the comment that claimed that (1<<8)==128. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 62 ++++++++++++---------------------------- security/safesetid/lsm.h | 19 ++++++++++++ 2 files changed, 37 insertions(+), 44 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 5310fcf3052a..15cd13b5a211 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -14,67 +14,40 @@ #define pr_fmt(fmt) "SafeSetID: " fmt -#include #include #include #include #include #include +#include "lsm.h" /* Flag indicating whether initialization completed */ int safesetid_initialized; -#define NUM_BITS 8 /* 128 buckets in hash table */ +#define NUM_BITS 8 /* 256 buckets in hash table */ static DEFINE_HASHTABLE(safesetid_whitelist_hashtable, NUM_BITS); -/* - * Hash table entry to store safesetid policy signifying that 'parent' user - * can setid to 'child' user. - */ -struct entry { - struct hlist_node next; - struct hlist_node dlist; /* for deletion cleanup */ - uint64_t parent_kuid; - uint64_t child_kuid; -}; - static DEFINE_SPINLOCK(safesetid_whitelist_hashtable_spinlock); -static bool check_setuid_policy_hashtable_key(kuid_t parent) +static enum sid_policy_type setuid_policy_lookup(kuid_t src, kuid_t dst) { struct entry *entry; + enum sid_policy_type result = SIDPOL_DEFAULT; rcu_read_lock(); hash_for_each_possible_rcu(safesetid_whitelist_hashtable, - entry, next, __kuid_val(parent)) { - if (entry->parent_kuid == __kuid_val(parent)) { + entry, next, __kuid_val(src)) { + if (!uid_eq(entry->src_uid, src)) + continue; + if (uid_eq(entry->dst_uid, dst)) { rcu_read_unlock(); - return true; + return SIDPOL_ALLOWED; } + result = SIDPOL_CONSTRAINED; } rcu_read_unlock(); - - return false; -} - -static bool check_setuid_policy_hashtable_key_value(kuid_t parent, - kuid_t child) -{ - struct entry *entry; - - rcu_read_lock(); - hash_for_each_possible_rcu(safesetid_whitelist_hashtable, - entry, next, __kuid_val(parent)) { - if (entry->parent_kuid == __kuid_val(parent) && - entry->child_kuid == __kuid_val(child)) { - rcu_read_unlock(); - return true; - } - } - rcu_read_unlock(); - - return false; + return result; } static int safesetid_security_capable(const struct cred *cred, @@ -83,7 +56,7 @@ static int safesetid_security_capable(const struct cred *cred, unsigned int opts) { if (cap == CAP_SETUID && - check_setuid_policy_hashtable_key(cred->uid)) { + setuid_policy_lookup(cred->uid, INVALID_UID) != SIDPOL_DEFAULT) { if (!(opts & CAP_OPT_INSETID)) { /* * Deny if we're not in a set*uid() syscall to avoid @@ -116,7 +89,8 @@ static bool uid_permitted_for_cred(const struct cred *old, kuid_t new_uid) * Transitions to new UIDs require a check against the policy of the old * RUID. */ - permitted = check_setuid_policy_hashtable_key_value(old->uid, new_uid); + permitted = + setuid_policy_lookup(old->uid, new_uid) != SIDPOL_CONSTRAINED; if (!permitted) { pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n", __kuid_val(old->uid), __kuid_val(old->euid), @@ -136,7 +110,7 @@ static int safesetid_task_fix_setuid(struct cred *new, { /* Do nothing if there are no setuid restrictions for our old RUID. */ - if (!check_setuid_policy_hashtable_key(old->uid)) + if (setuid_policy_lookup(old->uid, INVALID_UID) == SIDPOL_DEFAULT) return 0; if (uid_permitted_for_cred(old, new->uid) && @@ -159,14 +133,14 @@ int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child) struct entry *new; /* Return if entry already exists */ - if (check_setuid_policy_hashtable_key_value(parent, child)) + if (setuid_policy_lookup(parent, child) == SIDPOL_ALLOWED) return 0; new = kzalloc(sizeof(struct entry), GFP_KERNEL); if (!new) return -ENOMEM; - new->parent_kuid = __kuid_val(parent); - new->child_kuid = __kuid_val(child); + new->src_uid = parent; + new->dst_uid = child; spin_lock(&safesetid_whitelist_hashtable_spinlock); hash_add_rcu(safesetid_whitelist_hashtable, &new->next, diff --git a/security/safesetid/lsm.h b/security/safesetid/lsm.h index c1ea3c265fcf..6806f902794c 100644 --- a/security/safesetid/lsm.h +++ b/security/safesetid/lsm.h @@ -15,6 +15,8 @@ #define _SAFESETID_H #include +#include +#include /* Flag indicating whether initialization completed */ extern int safesetid_initialized; @@ -25,6 +27,23 @@ enum safesetid_whitelist_file_write_type { SAFESETID_WHITELIST_FLUSH, /* Flush whitelist policies. */ }; +enum sid_policy_type { + SIDPOL_DEFAULT, /* source ID is unaffected by policy */ + SIDPOL_CONSTRAINED, /* source ID is affected by policy */ + SIDPOL_ALLOWED /* target ID explicitly allowed */ +}; + +/* + * Hash table entry to store safesetid policy signifying that 'src_uid' + * can setid to 'dst_uid'. + */ +struct entry { + struct hlist_node next; + struct hlist_node dlist; /* for deletion cleanup */ + kuid_t src_uid; + kuid_t dst_uid; +}; + /* Add entry to safesetid whitelist to allow 'parent' to setid to 'child'. */ int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child); From patchwork Wed Apr 10 16:55:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894421 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4C36E17E6 for ; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 33C26284C8 for ; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 27DCC28B5A; Wed, 10 Apr 2019 16:55:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4494284C8 for ; Wed, 10 Apr 2019 16:55:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733258AbfDJQzo (ORCPT ); Wed, 10 Apr 2019 12:55:44 -0400 Received: from mail-pg1-f195.google.com ([209.85.215.195]:38727 "EHLO mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733280AbfDJQzo (ORCPT ); Wed, 10 Apr 2019 12:55:44 -0400 Received: by mail-pg1-f195.google.com with SMTP id j26so1909157pgl.5 for ; Wed, 10 Apr 2019 09:55:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=eUypBXodY0erBeXTZIWhrSekmLh1Upz6H7xhxGfMPp8=; b=iXmRcGafMKXhqrkM/O42SJ440W8Sn6EjyAjOBPdv9k4DhE9eaxnVjF8C26h3YhpHaO akEs46eUKe/FHGzHqweV2IIxWBa90cso0kTTNVUG3nWv6iGMIXa8ntYjA6dv8/8RaXIh N1J3EtGu1e+9dqWFBhWbK26coCgcNz6h3a9n4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=eUypBXodY0erBeXTZIWhrSekmLh1Upz6H7xhxGfMPp8=; b=ZBJfx4vO8ZpSGe0BVFPsH9BHo+zy1d8RQ+gcd+7pcBr1k418hGBfb0HEwMN8YtTeLY SUUPGIcLBm23swFt6fCk+/NQYLwV5LU+YH3VT6Hg2ngYgz1QCxJmsYir+Oj5lfuiWAV+ 8w/RG3NqCBCVHIjxYVUtbmhxNZ7h+qe4+JhE1j+LxQ83VWbiuzZggxl309tGYCf1cNGm D4XdQZs94j7BvKqLMaN4ApT6CTUVVx6wSTP0BZB/pOQQ8OFWQarzzuRRY9k+sbrSMovg 6aHQBHXUPIp3yVvghy1zRFmHIVa0PPR3YVMwaMKJzHvrRgwLTtDmt+6auEAkmpPkrYqE NyaQ== X-Gm-Message-State: APjAAAUI+M9GzPS/9J2ldFzh54S735otPiEFHDRwP0iFOuBCK81pAyp4 xFtHZ4Ysgr4rq3zOhc76wMmvAghyOReNpw== X-Google-Smtp-Source: APXvYqzdhBRy2mW3GisaU62Gu3iLGqOTO9Dq6+04sOB2+FOMrQEExsFYMklkmipMQ/tFFX8f/q4Jbw== X-Received: by 2002:a63:c45:: with SMTP id 5mr42420066pgm.385.1554915343483; Wed, 10 Apr 2019 09:55:43 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id h1sm24857345pgs.67.2019.04.10.09.55.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:55:43 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 04/10] LSM: SafeSetID: refactor safesetid_security_capable() Date: Wed, 10 Apr 2019 09:55:41 -0700 Message-Id: <20190410165541.210809-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn At the moment, safesetid_security_capable() has two nested conditional blocks, and one big comment for all the logic. Chop it up and reduce the amount of indentation. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 41 +++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 15cd13b5a211..ab429e1816c5 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -55,21 +55,32 @@ static int safesetid_security_capable(const struct cred *cred, int cap, unsigned int opts) { - if (cap == CAP_SETUID && - setuid_policy_lookup(cred->uid, INVALID_UID) != SIDPOL_DEFAULT) { - if (!(opts & CAP_OPT_INSETID)) { - /* - * Deny if we're not in a set*uid() syscall to avoid - * giving powers gated by CAP_SETUID that are related - * to functionality other than calling set*uid() (e.g. - * allowing user to set up userns uid mappings). - */ - pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", - __kuid_val(cred->uid)); - return -1; - } - } - return 0; + /* We're only interested in CAP_SETUID. */ + if (cap != CAP_SETUID) + return 0; + + /* + * If CAP_SETUID is currently used for a set*uid() syscall, we want to + * let it go through here; the real security check happens later, in the + * task_fix_setuid hook. + */ + if ((opts & CAP_OPT_INSETID) != 0) + return 0; + + /* + * If no policy applies to this task, allow the use of CAP_SETUID for + * other purposes. + */ + if (setuid_policy_lookup(cred->uid, INVALID_UID) == SIDPOL_DEFAULT) + return 0; + + /* + * Reject use of CAP_SETUID for functionality other than calling + * set*uid() (e.g. setting up userns uid mappings). + */ + pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", + __kuid_val(cred->uid)); + return -1; } /* From patchwork Wed Apr 10 16:55:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894423 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A986E1515 for ; Wed, 10 Apr 2019 16:55:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 91458284C8 for ; Wed, 10 Apr 2019 16:55:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8563728B5A; Wed, 10 Apr 2019 16:55:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1AB2D284C8 for ; Wed, 10 Apr 2019 16:55:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733245AbfDJQzw (ORCPT ); Wed, 10 Apr 2019 12:55:52 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:38590 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733244AbfDJQzw (ORCPT ); Wed, 10 Apr 2019 12:55:52 -0400 Received: by mail-pf1-f195.google.com with SMTP id 10so1836456pfo.5 for ; Wed, 10 Apr 2019 09:55:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=LajVu4VslfAgWMA/TCWVbfoWVgf035evlD8l/6dvzDA=; b=kQ0CQoUHh3aQKwsIc5oTSMfjEAkytF+fmvsLLtAd597bHixYk76l2GM3xLY0hD2uhM Co5glDlTZvQZRdbBzNsEZCgFTYetWLMEVI85M9I3ev0E7qHv/GFgrkj6Gy9DtQJJXMje NJpPN4tEgPwJ4LwPiWgpiPPTJYm1AgBOapup4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=LajVu4VslfAgWMA/TCWVbfoWVgf035evlD8l/6dvzDA=; b=lz3oOl87/M2Dh7H4d7LO/RyFVzgYRd+GgX0sIQtyWLrrzINZ5aqR5HweQA9buosDyB e+WNY3KJXjmQ74z3PjUoK7aPhkveRC7LYv8WmBQ1rYCdQRDtw/S9k3e4Rzd2xlHEws3e jeq0Mzv1fCffcv+brp1Vmb3GSwOh4fiXJ8Ecj4EN9jkYnLgQaDp6J+odkMo9Cv8QpvrA JUYrVC23sEjP9eM4uY1kSEKB3TEGy1pQCNrbtYjstDz3fA4sohkIjX4DDeBIci46X7lc UCYcPBHjHIzBw6P0CiJcHM1/t1cazP137gpWQJNc79U1H0PjEshqsbeJpy6kk65uWam1 rETg== X-Gm-Message-State: APjAAAULP7A8naBzOfOrZRPna9oe4fb4PysHq733sGlWMUb+iuu9X0GC zQT8YTYDyLRi6g7UbIte881IlCItJVH9wA== X-Google-Smtp-Source: APXvYqzKsVa2LAgw7WoNeoww6g0MV040hhphYGcsvfFnXToV+1YCiT/+ztYmTCaHuQNBuXjm1LrH8g== X-Received: by 2002:a63:bd52:: with SMTP id d18mr41966787pgp.52.1554915351455; Wed, 10 Apr 2019 09:55:51 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id x16sm78186086pge.27.2019.04.10.09.55.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:55:50 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 05/10] LSM: SafeSetID: refactor policy parsing Date: Wed, 10 Apr 2019 09:55:48 -0700 Message-Id: <20190410165548.211254-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn In preparation for changing the policy parsing logic, refactor the line parsing logic to be less verbose and move it into a separate function. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- I made a minor change to Jann's original patch to use u32 instead of s32 for the 'parsed_parent' and 'parsed_child' variables. security/safesetid/securityfs.c | 84 +++++++++++++-------------------- 1 file changed, 33 insertions(+), 51 deletions(-) diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 2c6c829be044..90784a8d950a 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -33,68 +33,50 @@ static struct safesetid_file_entry safesetid_files[] = { /* * In the case the input buffer contains one or more invalid UIDs, the kuid_t - * variables pointed to by 'parent' and 'child' will get updated but this + * variables pointed to by @parent and @child will get updated but this * function will return an error. + * Contents of @buf may be modified. */ -static int parse_safesetid_whitelist_policy(const char __user *buf, - size_t len, - kuid_t *parent, - kuid_t *child) +static int parse_policy_line( + struct file *file, char *buf, kuid_t *parent, kuid_t *child) { - char *kern_buf; - char *parent_buf; - char *child_buf; - const char separator[] = ":"; + char *child_str; int ret; - size_t first_substring_length; - long parsed_parent; - long parsed_child; + u32 parsed_parent, parsed_child; - /* Duplicate string from user memory and NULL-terminate */ - kern_buf = memdup_user_nul(buf, len); - if (IS_ERR(kern_buf)) - return PTR_ERR(kern_buf); - - /* - * Format of |buf| string should be :. - * Find location of ":" in kern_buf (copied from |buf|). - */ - first_substring_length = strcspn(kern_buf, separator); - if (first_substring_length == 0 || first_substring_length == len) { - ret = -EINVAL; - goto free_kern; - } - - parent_buf = kmemdup_nul(kern_buf, first_substring_length, GFP_KERNEL); - if (!parent_buf) { - ret = -ENOMEM; - goto free_kern; - } + /* Format of |buf| string should be :. */ + child_str = strchr(buf, ':'); + if (child_str == NULL) + return -EINVAL; + *child_str = '\0'; + child_str++; - ret = kstrtol(parent_buf, 0, &parsed_parent); + ret = kstrtou32(buf, 0, &parsed_parent); if (ret) - goto free_both; + return ret; - child_buf = kern_buf + first_substring_length + 1; - ret = kstrtol(child_buf, 0, &parsed_child); + ret = kstrtou32(child_str, 0, &parsed_child); if (ret) - goto free_both; + return ret; *parent = make_kuid(current_user_ns(), parsed_parent); - if (!uid_valid(*parent)) { - ret = -EINVAL; - goto free_both; - } - *child = make_kuid(current_user_ns(), parsed_child); - if (!uid_valid(*child)) { - ret = -EINVAL; - goto free_both; - } + if (!uid_valid(*parent) || !uid_valid(*child)) + return -EINVAL; -free_both: - kfree(parent_buf); -free_kern: + return 0; +} + +static int parse_safesetid_whitelist_policy( + struct file *file, const char __user *buf, size_t len, + kuid_t *parent, kuid_t *child) +{ + char *kern_buf = memdup_user_nul(buf, len); + int ret; + + if (IS_ERR(kern_buf)) + return PTR_ERR(kern_buf); + ret = parse_policy_line(file, kern_buf, parent, child); kfree(kern_buf); return ret; } @@ -121,8 +103,8 @@ static ssize_t safesetid_file_write(struct file *file, flush_safesetid_whitelist_entries(); break; case SAFESETID_WHITELIST_ADD: - ret = parse_safesetid_whitelist_policy(buf, len, &parent, - &child); + ret = parse_safesetid_whitelist_policy(file, buf, len, + &parent, &child); if (ret) return ret; From patchwork Wed Apr 10 16:55:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894425 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 072461515 for ; Wed, 10 Apr 2019 16:56:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E267D284C8 for ; Wed, 10 Apr 2019 16:56:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D6E5128B5A; Wed, 10 Apr 2019 16:56:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3BA9284C8 for ; Wed, 10 Apr 2019 16:56:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733214AbfDJQ4B (ORCPT ); Wed, 10 Apr 2019 12:56:01 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:40833 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733175AbfDJQ4B (ORCPT ); Wed, 10 Apr 2019 12:56:01 -0400 Received: by mail-pl1-f194.google.com with SMTP id b3so1774991plr.7 for ; Wed, 10 Apr 2019 09:56:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ZcnGgMu03T8LTTqVr2mqlTYFf4INWRgM/Q8XomVCOz4=; b=HCb2Y3eQjdD8wwXwkVLkmrgLN/r42Os1rjQoIJRqJro9tiVuhlJj98HJT5+7ulbPlF e/EAZl9CaIiFTJ08dfyv//yWgoqv4rzonPGmYjP+3LloyW54elbOo/wjZSAU7VYZgx/P VjDYK5p3xayWxp9KuoohITIEWFcmuyOjZod+A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ZcnGgMu03T8LTTqVr2mqlTYFf4INWRgM/Q8XomVCOz4=; b=ChiieYlqmW2YCANxfEbRPmVQwVtEBAv9mq/vEP3tKwdqfGWyhHJR1Y8ayCNRg0teLD jhFjfe65W4umBIxr4BCBLmAzjip0F8VYyFP+435u+hKF0nRqLik+kqlBsRHh2Jrzusjj xWpaEzp8lNWDpU7vIeBqD1z/m4wi17i75ydR+Oy4ewaEqN3SQwHrq9yKUQaelHHs/BpI HlDraTeIGdf//fKYIo7AZKx+IXqP2eKSymK4BRqr88bCcI472vtSWL0w3XxOlJ9asPwo +r5bXW/Gwh3N/DTpHr86IdS3AY5tDlEg0y3HGn0isVrXYcRNnBDP8tu+GXIeW6M326cp Ll2g== X-Gm-Message-State: APjAAAWUV8AdOa6CqYSjR26LANr7/AqmBreqz3g21BD4Q1tSg6PLHt0P D3JvdWilF58mFlPzipVNVpGT+A== X-Google-Smtp-Source: APXvYqxCfAF31tcrDxApn6u0UecgXLlWBk0DFpvCDy7igKFfuB12pg96mzlRZMnnn93uhfNvky54+Q== X-Received: by 2002:a17:902:e101:: with SMTP id cc1mr45320044plb.129.1554915360626; Wed, 10 Apr 2019 09:56:00 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id m7sm51300435pgg.62.2019.04.10.09.55.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:56:00 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 06/10] LSM: SafeSetID: fix userns handling in securityfs Date: Wed, 10 Apr 2019 09:55:58 -0700 Message-Id: <20190410165558.211483-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn Looking at current_cred() in write handlers is bad form, stop doing that. Also, let's just require that the write is coming from the initial user namespace. Especially SAFESETID_WHITELIST_FLUSH requires privilege over all namespaces, and SAFESETID_WHITELIST_ADD should probably require it as well. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/securityfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 87e42b7f3e33..76c1e8a6ab93 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -59,8 +59,8 @@ static int parse_policy_line( if (ret) return ret; - *parent = make_kuid(current_user_ns(), parsed_parent); - *child = make_kuid(current_user_ns(), parsed_child); + *parent = make_kuid(file->f_cred->user_ns, parsed_parent); + *child = make_kuid(file->f_cred->user_ns, parsed_child); if (!uid_valid(*parent) || !uid_valid(*child)) return -EINVAL; @@ -92,7 +92,7 @@ static ssize_t safesetid_file_write(struct file *file, kuid_t child; int ret; - if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN)) + if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN)) return -EPERM; if (*ppos != 0) From patchwork Wed Apr 10 16:56:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894427 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id ED4C717E6 for ; Wed, 10 Apr 2019 16:56:10 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D2B6428B20 for ; Wed, 10 Apr 2019 16:56:10 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C6C8828B45; Wed, 10 Apr 2019 16:56:10 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C38B728B20 for ; Wed, 10 Apr 2019 16:56:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726951AbfDJQ4J (ORCPT ); Wed, 10 Apr 2019 12:56:09 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:38599 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726556AbfDJQ4J (ORCPT ); Wed, 10 Apr 2019 12:56:09 -0400 Received: by mail-pl1-f194.google.com with SMTP id f36so1791655plb.5 for ; Wed, 10 Apr 2019 09:56:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ESBUryCXNaGTygEmKIPq3edWvpEpB7IBNOCbsnV9Dhw=; b=nE3ywD1L77yIvYrfKvJS8BdPf8AzWuwNCZVfyzkuql3hKk+YXfcFWVcJCTJJg7Lpsv Ws6GC0GfqTpNPIdXme93NlA3WHOc55V3chcnWezx0lMx7xMce01X6MoUB+8TepTMNjdi 1FRKXfsKxlHwObRc0ee41QLJBNJjXzh2kM09Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ESBUryCXNaGTygEmKIPq3edWvpEpB7IBNOCbsnV9Dhw=; b=tntxH4jk248Waav+78myTopWMydooPcIiSWGgsDZTLB+9LMKySF1v26L43E1nBjQGZ HSrpGWYvLteUsVNJ6qCCfLQbRlBNDO8fIjl+3mppoMgjkDldDcU9W+7NuI+ejNfZ9MNI S6+AQpKpcHJUaGUaOySY8LftjRrS7iGmL++3PvdMPAI8nGANfb8Gu39Hue4Eyex8pfW+ aqh22HDcW9/5OUC/Xqv93nvrtiY4O5YY9qzZmyhpSOD3xB5EysNWK07AKBoi8W9+Kc8z BHftyk+a8w/w47YGMZhJvVNL0Ucec9Og5b3mKfeuQgHAqPw+5FgQGmM/14hTbtkuOl2q xg9g== X-Gm-Message-State: APjAAAUPKVyU8t6AmcQN4SKCJ/Wqhoyzi2Qi3WnXrCBm416xkqUbNfRC OuA/hgExOxNd/Pn6Uq3cZzsa3HIixbFtXQ== X-Google-Smtp-Source: APXvYqyQnb3LVfKRcg6+yL7dgcnmSsYEsx8UWiWFkITG6CP+Cv8xdY3BlpVBrcjgn6H5Yka10FSMcg== X-Received: by 2002:a17:902:768c:: with SMTP id m12mr44492175pll.160.1554915368157; Wed, 10 Apr 2019 09:56:08 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id i10sm72165063pfj.7.2019.04.10.09.56.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:56:07 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 07/10] LSM: SafeSetID: rewrite userspace API to atomic updates Date: Wed, 10 Apr 2019 09:56:05 -0700 Message-Id: <20190410165605.211749-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn The current API of the SafeSetID LSM uses one write() per rule, and applies each written rule instantly. This has several downsides: - While a policy is being loaded, once a single parent-child pair has been loaded, the parent is restricted to that specific child, even if subsequent rules would allow transitions to other child UIDs. This means that during policy loading, set*uid() can randomly fail. - To replace the policy without rebooting, it is necessary to first flush all old rules. This creates a time window in which no constraints are placed on the use of CAP_SETUID. - If we want to perform sanity checks on the final policy, this requires that the policy isn't constructed in a piecemeal fashion without telling the kernel when it's done. Other kernel APIs - including things like the userns code and netfilter - avoid this problem by performing updates atomically. Luckily, SafeSetID hasn't landed in a stable (upstream) release yet, so maybe it's not too late to completely change the API. The new API for SafeSetID is: If you want to change the policy, open "safesetid/whitelist_policy" and write the entire policy, newline-delimited, in there. Signed-off-by: Jann Horn Signed-off-by: Micah Morton --- security/safesetid/lsm.c | 84 +++----- security/safesetid/lsm.h | 24 +-- security/safesetid/securityfs.c | 194 ++++++++++-------- .../selftests/safesetid/safesetid-test.c | 16 +- 4 files changed, 149 insertions(+), 169 deletions(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index ab429e1816c5..4ab4d7cdba31 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -24,28 +24,38 @@ /* Flag indicating whether initialization completed */ int safesetid_initialized; -#define NUM_BITS 8 /* 256 buckets in hash table */ +struct setuid_ruleset __rcu *safesetid_setuid_rules; -static DEFINE_HASHTABLE(safesetid_whitelist_hashtable, NUM_BITS); - -static DEFINE_SPINLOCK(safesetid_whitelist_hashtable_spinlock); - -static enum sid_policy_type setuid_policy_lookup(kuid_t src, kuid_t dst) +/* Compute a decision for a transition from @src to @dst under @policy. */ +enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, + kuid_t src, kuid_t dst) { - struct entry *entry; + struct setuid_rule *rule; enum sid_policy_type result = SIDPOL_DEFAULT; - rcu_read_lock(); - hash_for_each_possible_rcu(safesetid_whitelist_hashtable, - entry, next, __kuid_val(src)) { - if (!uid_eq(entry->src_uid, src)) + hash_for_each_possible(policy->rules, rule, next, __kuid_val(src)) { + if (!uid_eq(rule->src_uid, src)) continue; - if (uid_eq(entry->dst_uid, dst)) { - rcu_read_unlock(); + if (uid_eq(rule->dst_uid, dst)) return SIDPOL_ALLOWED; - } result = SIDPOL_CONSTRAINED; } + return result; +} + +/* + * Compute a decision for a transition from @src to @dst under the active + * policy. + */ +static enum sid_policy_type setuid_policy_lookup(kuid_t src, kuid_t dst) +{ + enum sid_policy_type result = SIDPOL_DEFAULT; + struct setuid_ruleset *pol; + + rcu_read_lock(); + pol = rcu_dereference(safesetid_setuid_rules); + if (pol) + result = _setuid_policy_lookup(pol, src, dst); rcu_read_unlock(); return result; } @@ -139,52 +149,6 @@ static int safesetid_task_fix_setuid(struct cred *new, return -EACCES; } -int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child) -{ - struct entry *new; - - /* Return if entry already exists */ - if (setuid_policy_lookup(parent, child) == SIDPOL_ALLOWED) - return 0; - - new = kzalloc(sizeof(struct entry), GFP_KERNEL); - if (!new) - return -ENOMEM; - new->src_uid = parent; - new->dst_uid = child; - spin_lock(&safesetid_whitelist_hashtable_spinlock); - hash_add_rcu(safesetid_whitelist_hashtable, - &new->next, - __kuid_val(parent)); - spin_unlock(&safesetid_whitelist_hashtable_spinlock); - return 0; -} - -void flush_safesetid_whitelist_entries(void) -{ - struct entry *entry; - struct hlist_node *hlist_node; - unsigned int bkt_loop_cursor; - HLIST_HEAD(free_list); - - /* - * Could probably use hash_for_each_rcu here instead, but this should - * be fine as well. - */ - spin_lock(&safesetid_whitelist_hashtable_spinlock); - hash_for_each_safe(safesetid_whitelist_hashtable, bkt_loop_cursor, - hlist_node, entry, next) { - hash_del_rcu(&entry->next); - hlist_add_head(&entry->dlist, &free_list); - } - spin_unlock(&safesetid_whitelist_hashtable_spinlock); - synchronize_rcu(); - hlist_for_each_entry_safe(entry, hlist_node, &free_list, dlist) { - hlist_del(&entry->dlist); - kfree(entry); - } -} - static struct security_hook_list safesetid_security_hooks[] = { LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(capable, safesetid_security_capable) diff --git a/security/safesetid/lsm.h b/security/safesetid/lsm.h index 6806f902794c..4a34f558d964 100644 --- a/security/safesetid/lsm.h +++ b/security/safesetid/lsm.h @@ -21,12 +21,6 @@ /* Flag indicating whether initialization completed */ extern int safesetid_initialized; -/* Function type. */ -enum safesetid_whitelist_file_write_type { - SAFESETID_WHITELIST_ADD, /* Add whitelist policy. */ - SAFESETID_WHITELIST_FLUSH, /* Flush whitelist policies. */ -}; - enum sid_policy_type { SIDPOL_DEFAULT, /* source ID is unaffected by policy */ SIDPOL_CONSTRAINED, /* source ID is affected by policy */ @@ -35,18 +29,24 @@ enum sid_policy_type { /* * Hash table entry to store safesetid policy signifying that 'src_uid' - * can setid to 'dst_uid'. + * can setuid to 'dst_uid'. */ -struct entry { +struct setuid_rule { struct hlist_node next; - struct hlist_node dlist; /* for deletion cleanup */ kuid_t src_uid; kuid_t dst_uid; }; -/* Add entry to safesetid whitelist to allow 'parent' to setid to 'child'. */ -int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child); +#define SETID_HASH_BITS 8 /* 256 buckets in hash table */ + +struct setuid_ruleset { + DECLARE_HASHTABLE(rules, SETID_HASH_BITS); + struct rcu_head rcu; +}; + +enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, + kuid_t src, kuid_t dst); -void flush_safesetid_whitelist_entries(void); +extern struct setuid_ruleset __rcu *safesetid_setuid_rules; #endif /* _SAFESETID_H */ diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 76c1e8a6ab93..13fce4c10930 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -11,25 +11,15 @@ * published by the Free Software Foundation. * */ + +#define pr_fmt(fmt) "SafeSetID: " fmt + #include #include #include "lsm.h" -static struct dentry *safesetid_policy_dir; - -struct safesetid_file_entry { - const char *name; - enum safesetid_whitelist_file_write_type type; - struct dentry *dentry; -}; - -static struct safesetid_file_entry safesetid_files[] = { - {.name = "add_whitelist_policy", - .type = SAFESETID_WHITELIST_ADD}, - {.name = "flush_whitelist_policies", - .type = SAFESETID_WHITELIST_FLUSH}, -}; +static DEFINE_SPINLOCK(policy_update_lock); /* * In the case the input buffer contains one or more invalid UIDs, the kuid_t @@ -37,8 +27,8 @@ static struct safesetid_file_entry safesetid_files[] = { * function will return an error. * Contents of @buf may be modified. */ -static int parse_policy_line( - struct file *file, char *buf, kuid_t *parent, kuid_t *child) +static int parse_policy_line(struct file *file, char *buf, + struct setuid_rule *rule) { char *child_str; int ret; @@ -59,26 +49,103 @@ static int parse_policy_line( if (ret) return ret; - *parent = make_kuid(file->f_cred->user_ns, parsed_parent); - *child = make_kuid(file->f_cred->user_ns, parsed_child); - if (!uid_valid(*parent) || !uid_valid(*child)) + rule->src_uid = make_kuid(file->f_cred->user_ns, parsed_parent); + rule->dst_uid = make_kuid(file->f_cred->user_ns, parsed_child); + if (!uid_valid(rule->src_uid) || !uid_valid(rule->dst_uid)) return -EINVAL; return 0; } -static int parse_safesetid_whitelist_policy( - struct file *file, const char __user *buf, size_t len, - kuid_t *parent, kuid_t *child) +static void __release_ruleset(struct rcu_head *rcu) { - char *kern_buf = memdup_user_nul(buf, len); - int ret; + struct setuid_ruleset *pol = + container_of(rcu, struct setuid_ruleset, rcu); + int bucket; + struct setuid_rule *rule; + struct hlist_node *tmp; + + hash_for_each_safe(pol->rules, bucket, tmp, rule, next) + kfree(rule); + kfree(pol); +} - if (IS_ERR(kern_buf)) - return PTR_ERR(kern_buf); - ret = parse_policy_line(file, kern_buf, parent, child); - kfree(kern_buf); - return ret; +static void release_ruleset(struct setuid_ruleset *pol) +{ + call_rcu(&pol->rcu, __release_ruleset); +} + +static ssize_t handle_policy_update(struct file *file, + const char __user *ubuf, size_t len) +{ + struct setuid_ruleset *pol; + char *buf, *p, *end; + int err; + + pol = kmalloc(sizeof(struct setuid_ruleset), GFP_KERNEL); + if (!pol) + return -ENOMEM; + hash_init(pol->rules); + + p = buf = memdup_user_nul(ubuf, len); + if (IS_ERR(buf)) { + err = PTR_ERR(buf); + goto out_free_pol; + } + + /* policy lines, including the last one, end with \n */ + while (*p != '\0') { + struct setuid_rule *rule; + + end = strchr(p, '\n'); + if (end == NULL) { + err = -EINVAL; + goto out_free_buf; + } + *end = '\0'; + + rule = kmalloc(sizeof(struct setuid_rule), GFP_KERNEL); + if (!rule) { + err = -ENOMEM; + goto out_free_buf; + } + + err = parse_policy_line(file, p, rule); + if (err) + goto out_free_rule; + + if (_setuid_policy_lookup(pol, rule->src_uid, rule->dst_uid) == + SIDPOL_ALLOWED) { + pr_warn("bad policy: duplicate entry\n"); + err = -EEXIST; + goto out_free_rule; + } + + hash_add(pol->rules, &rule->next, __kuid_val(rule->src_uid)); + p = end + 1; + continue; + +out_free_rule: + kfree(rule); + goto out_free_buf; + } + + /* + * Everything looks good, apply the policy and release the old one. + * What we really want here is an xchg() wrapper for RCU, but since that + * doesn't currently exist, just use a spinlock for now. + */ + spin_lock(&policy_update_lock); + rcu_swap_protected(safesetid_setuid_rules, pol, + lockdep_is_held(&policy_update_lock)); + spin_unlock(&policy_update_lock); + err = len; + +out_free_buf: + kfree(buf); +out_free_pol: + release_ruleset(pol); + return err; } static ssize_t safesetid_file_write(struct file *file, @@ -86,90 +153,45 @@ static ssize_t safesetid_file_write(struct file *file, size_t len, loff_t *ppos) { - struct safesetid_file_entry *file_entry = - file->f_inode->i_private; - kuid_t parent; - kuid_t child; - int ret; - if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN)) return -EPERM; if (*ppos != 0) return -EINVAL; - switch (file_entry->type) { - case SAFESETID_WHITELIST_FLUSH: - flush_safesetid_whitelist_entries(); - break; - case SAFESETID_WHITELIST_ADD: - ret = parse_safesetid_whitelist_policy(file, buf, len, - &parent, &child); - if (ret) - return ret; - - ret = add_safesetid_whitelist_entry(parent, child); - if (ret) - return ret; - break; - default: - pr_warn("Unknown securityfs file %d\n", file_entry->type); - break; - } - - /* Return len on success so caller won't keep trying to write */ - return len; + return handle_policy_update(file, buf, len); } static const struct file_operations safesetid_file_fops = { .write = safesetid_file_write, }; -static void safesetid_shutdown_securityfs(void) -{ - int i; - - for (i = 0; i < ARRAY_SIZE(safesetid_files); ++i) { - struct safesetid_file_entry *entry = - &safesetid_files[i]; - securityfs_remove(entry->dentry); - entry->dentry = NULL; - } - - securityfs_remove(safesetid_policy_dir); - safesetid_policy_dir = NULL; -} - static int __init safesetid_init_securityfs(void) { - int i; int ret; + struct dentry *policy_dir; + struct dentry *policy_file; if (!safesetid_initialized) return 0; - safesetid_policy_dir = securityfs_create_dir("safesetid", NULL); - if (IS_ERR(safesetid_policy_dir)) { - ret = PTR_ERR(safesetid_policy_dir); + policy_dir = securityfs_create_dir("safesetid", NULL); + if (IS_ERR(policy_dir)) { + ret = PTR_ERR(policy_dir); goto error; } - for (i = 0; i < ARRAY_SIZE(safesetid_files); ++i) { - struct safesetid_file_entry *entry = - &safesetid_files[i]; - entry->dentry = securityfs_create_file( - entry->name, 0200, safesetid_policy_dir, - entry, &safesetid_file_fops); - if (IS_ERR(entry->dentry)) { - ret = PTR_ERR(entry->dentry); - goto error; - } + policy_file = securityfs_create_file("whitelist_policy", 0200, + policy_dir, NULL, &safesetid_file_fops); + if (IS_ERR(policy_file)) { + ret = PTR_ERR(policy_file); + goto error; } return 0; error: - safesetid_shutdown_securityfs(); + securityfs_remove(policy_dir); return ret; } fs_initcall(safesetid_init_securityfs); diff --git a/tools/testing/selftests/safesetid/safesetid-test.c b/tools/testing/selftests/safesetid/safesetid-test.c index 892c8e8b1b8b..4f03813d1911 100644 --- a/tools/testing/selftests/safesetid/safesetid-test.c +++ b/tools/testing/selftests/safesetid/safesetid-test.c @@ -142,23 +142,17 @@ static void ensure_securityfs_mounted(void) static void write_policies(void) { + static char *policy_str = + "1:2\n" + "1:3\n"; ssize_t written; int fd; fd = open(add_whitelist_policy_file, O_WRONLY); if (fd < 0) die("cant open add_whitelist_policy file\n"); - written = write(fd, "1:2", strlen("1:2")); - if (written != strlen("1:2")) { - if (written >= 0) { - die("short write to %s\n", add_whitelist_policy_file); - } else { - die("write to %s failed: %s\n", - add_whitelist_policy_file, strerror(errno)); - } - } - written = write(fd, "1:3", strlen("1:3")); - if (written != strlen("1:3")) { + written = write(fd, policy_str, strlen(policy_str)); + if (written != strlen(policy_str)) { if (written >= 0) { die("short write to %s\n", add_whitelist_policy_file); } else { From patchwork Wed Apr 10 16:56:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894429 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 48B1317E6 for ; Wed, 10 Apr 2019 16:56:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 30DBC28B20 for ; Wed, 10 Apr 2019 16:56:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 251CD28B2B; Wed, 10 Apr 2019 16:56:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B2E9728B20 for ; Wed, 10 Apr 2019 16:56:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726832AbfDJQ4Q (ORCPT ); Wed, 10 Apr 2019 12:56:16 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:44934 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726556AbfDJQ4Q (ORCPT ); Wed, 10 Apr 2019 12:56:16 -0400 Received: by mail-pf1-f194.google.com with SMTP id y13so1820441pfm.11 for ; Wed, 10 Apr 2019 09:56:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FRKzXLFLbU7DMEk2P3khrapG+d6oPZs96LbWtLYN8Sg=; b=dzwEU+8/ifknUJSDQSEGD2onmSUM+mnKSoWkThQTGZijr7a3ew9MVszjoI6s3EmdoC WoILFaqpKs007WoR19H6s1zAdDT15xGgK3Pf1TkRUGqFW4OkAMkTgdaXpjGEDQkZUFUM 4Bq18q4YI7lL2WJ2NwOvXfJFHxAN2dtsIv4pQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FRKzXLFLbU7DMEk2P3khrapG+d6oPZs96LbWtLYN8Sg=; b=azRXN4EPTemjwFTzpIY0GG2jT0wbtpmoszBVTpzCUFeLhHRUh9cYCiIC97FEhGUqCi TXhTdWNSboU4iigLKWj4XsVjRr5SGHF97SdGthADBVWiD7p9ddiiODuP/X9qlpR99StT lwftN98XmJ+rNP/k5ZeQK1Uxj3rL+Q+qT9LxQCcXmVQZcinUn3YLA1dHG6DIiawYeXt0 Ux4Fe2oYJea5SJR94LjNrh2DAFZ9Ej12e/3IDGGquNhTJBsV+QJp0EVTq8O+etNE5R4n hbAMPWYTrgdFBhc61XNgh3OMnQISC8AszfV1A2SR1UOGJcEvQuqStl5RCafRoEI/r/11 n6Zw== X-Gm-Message-State: APjAAAWBkVsBpHvbT4vQGxWtO9deHdGP2nN5v5rXFTS3rWtyYXdvXV58 MGzlzSNRSP40O8xXgmAT6RD8TQ== X-Google-Smtp-Source: APXvYqxiGciZgRntaw28fluPyiT8H8A8wD1P+4/hmFhaKSe6bH7Vcapowg+aaQcOpAmenBOAoOBvQQ== X-Received: by 2002:aa7:8092:: with SMTP id v18mr43525299pff.35.1554915375289; Wed, 10 Apr 2019 09:56:15 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id t82sm97551836pfa.153.2019.04.10.09.56.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:56:14 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 08/10] LSM: SafeSetID: add read handler Date: Wed, 10 Apr 2019 09:56:13 -0700 Message-Id: <20190410165613.212056-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn For debugging a running system, it is very helpful to be able to see what policy the system is using. Add a read handler that can dump out a copy of the loaded policy. Signed-off-by: Jann Horn Signed-off-by: Micah Morton --- security/safesetid/lsm.h | 3 +++ security/safesetid/securityfs.c | 38 +++++++++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/security/safesetid/lsm.h b/security/safesetid/lsm.h index 4a34f558d964..9380329fe30a 100644 --- a/security/safesetid/lsm.h +++ b/security/safesetid/lsm.h @@ -17,6 +17,7 @@ #include #include #include +#include /* Flag indicating whether initialization completed */ extern int safesetid_initialized; @@ -41,7 +42,9 @@ struct setuid_rule { struct setuid_ruleset { DECLARE_HASHTABLE(rules, SETID_HASH_BITS); + char *policy_str; struct rcu_head rcu; + refcount_t refcount; }; enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 13fce4c10930..7a08fff2bc14 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -67,12 +67,14 @@ static void __release_ruleset(struct rcu_head *rcu) hash_for_each_safe(pol->rules, bucket, tmp, rule, next) kfree(rule); + kfree(pol->policy_str); kfree(pol); } static void release_ruleset(struct setuid_ruleset *pol) { - call_rcu(&pol->rcu, __release_ruleset); + if (pol != NULL && refcount_dec_and_test(&pol->refcount)) + call_rcu(&pol->rcu, __release_ruleset); } static ssize_t handle_policy_update(struct file *file, @@ -85,6 +87,8 @@ static ssize_t handle_policy_update(struct file *file, pol = kmalloc(sizeof(struct setuid_ruleset), GFP_KERNEL); if (!pol) return -ENOMEM; + refcount_set(&pol->refcount, 1); + pol->policy_str = NULL; hash_init(pol->rules); p = buf = memdup_user_nul(ubuf, len); @@ -92,6 +96,11 @@ static ssize_t handle_policy_update(struct file *file, err = PTR_ERR(buf); goto out_free_pol; } + pol->policy_str = kstrdup(buf, GFP_KERNEL); + if (pol->policy_str == NULL) { + err = -ENOMEM; + goto out_free_buf; + } /* policy lines, including the last one, end with \n */ while (*p != '\0') { @@ -162,7 +171,32 @@ static ssize_t safesetid_file_write(struct file *file, return handle_policy_update(file, buf, len); } +static ssize_t safesetid_file_read(struct file *file, char __user *buf, + size_t len, loff_t *ppos) +{ + ssize_t res; + struct setuid_ruleset *pol; + const char *kbuf; + + rcu_read_lock(); + pol = rcu_dereference(safesetid_setuid_rules); + if (!pol) { + rcu_read_unlock(); + return 0; + } + if (!refcount_inc_not_zero(&pol->refcount)) { + rcu_read_unlock(); + return -EBUSY; + } + rcu_read_unlock(); + kbuf = pol->policy_str; + res = simple_read_from_buffer(buf, len, ppos, kbuf, strlen(kbuf)); + release_ruleset(pol); + return res; +} + static const struct file_operations safesetid_file_fops = { + .read = safesetid_file_read, .write = safesetid_file_write, }; @@ -181,7 +215,7 @@ static int __init safesetid_init_securityfs(void) goto error; } - policy_file = securityfs_create_file("whitelist_policy", 0200, + policy_file = securityfs_create_file("whitelist_policy", 0600, policy_dir, NULL, &safesetid_file_fops); if (IS_ERR(policy_file)) { ret = PTR_ERR(policy_file); From patchwork Wed Apr 10 16:56:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894431 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B53E417E6 for ; Wed, 10 Apr 2019 16:56:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C89A28B20 for ; Wed, 10 Apr 2019 16:56:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9116928B2B; Wed, 10 Apr 2019 16:56:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 29EB528B20 for ; Wed, 10 Apr 2019 16:56:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727286AbfDJQ4W (ORCPT ); Wed, 10 Apr 2019 12:56:22 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:43830 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726556AbfDJQ4W (ORCPT ); Wed, 10 Apr 2019 12:56:22 -0400 Received: by mail-pl1-f195.google.com with SMTP id n8so1764208plp.10 for ; Wed, 10 Apr 2019 09:56:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=7NN44NkEtMVXdxkdk12Rk4J66J5+HedQJJJFmuyRC6Q=; b=P5sUy1sdYbrIg8zBxDwDOeVLkcU5AazfpXn+Hm20jWmu+GylPYbzpMtindewvQeWIs 9YEVcN4vijoBLkZNKodqVRAhkxpNmOi9jSyR934yNfx58gmsOMWav3q+vy0VbJznTDce mRmSEzwh12WEpl2ZAmRMxVY4iktiiQixp7JKs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=7NN44NkEtMVXdxkdk12Rk4J66J5+HedQJJJFmuyRC6Q=; b=BIwFqA/OF0h6T8uSmySAI3ypcq2s1+hUA8z0ytb9JFFpus8v1saEHUnN2tpQZ4vt8i 9NpUNDoIqKvRjo42mjfEIClrjkKxBcgmCKkF2h04ZG/T3UIscGtmZLxtQa8silM6AIP/ XaXx85nl0odZvwsLmpmBWDdccyhRGDL/gcrQY5y/NwkumNSTXlI9NBG/kLIt22e3yd1m JtWLAMfHzNeriDqStJZ5lZbhaX1eSrrZfnLLTqCrxdQNlGVYXdAB14XxgBnyYo3V/s5q makqez+YYSggADSvGSJdHjqhOv8AfoZkLPl/umEzkrLNno+hE8KF8cBZtqk86W0xRPr5 faCw== X-Gm-Message-State: APjAAAX0zkFk0V93pSBN/I6jod26RgDXzV8AuKJ9+KtrPMWDy2/8g6Ph GY9BzFskYAMDvaWNL+UInL6kYQ== X-Google-Smtp-Source: APXvYqysw3rtGdFoXsXB9UOo8SQwcWeY3mp9GzptMEfSv1lsYy4EZAB0Vr5sk+f9kA7eFq2qzvmk7Q== X-Received: by 2002:a17:902:f81:: with SMTP id 1mr45560048plz.216.1554915382045; Wed, 10 Apr 2019 09:56:22 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id j6sm48606518pfe.107.2019.04.10.09.56.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:56:21 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 09/10] LSM: SafeSetID: verify transitive constrainedness Date: Wed, 10 Apr 2019 09:56:19 -0700 Message-Id: <20190410165619.212464-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn Someone might write a ruleset like the following, expecting that it securely constrains UID 1 to UIDs 1, 2 and 3: 1:2 1:3 However, because no constraints are applied to UIDs 2 and 3, an attacker with UID 1 can simply first switch to UID 2, then switch to any UID from there. The secure way to write this ruleset would be: 1:2 1:3 2:2 3:3 , which uses "transition to self" as a way to inhibit the default-allow policy without allowing anything specific. This is somewhat unintuitive. To make sure that policy authors don't accidentally write insecure policies because of this, let the kernel verify that a new ruleset does not contain any entries that are constrained, but transitively unconstrained. Signed-off-by: Jann Horn Signed-off-by: Micah Morton --- security/safesetid/securityfs.c | 21 +++++++++++++++++++ .../selftests/safesetid/safesetid-test.c | 4 +++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 7a08fff2bc14..3ec64487f0e9 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -77,6 +77,23 @@ static void release_ruleset(struct setuid_ruleset *pol) call_rcu(&pol->rcu, __release_ruleset); } +static int verify_ruleset(struct setuid_ruleset *pol) +{ + int bucket; + struct setuid_rule *rule; + + hash_for_each(pol->rules, bucket, rule, next) { + if (_setuid_policy_lookup(pol, rule->dst_uid, INVALID_UID) == + SIDPOL_DEFAULT) { + pr_warn("insecure policy rejected: uid %d is constrained but transitively unconstrained through uid %d\n", + __kuid_val(rule->src_uid), + __kuid_val(rule->dst_uid)); + return -EINVAL; + } + } + return 0; +} + static ssize_t handle_policy_update(struct file *file, const char __user *ubuf, size_t len) { @@ -139,6 +156,10 @@ static ssize_t handle_policy_update(struct file *file, goto out_free_buf; } + err = verify_ruleset(pol); + if (err) + goto out_free_buf; + /* * Everything looks good, apply the policy and release the old one. * What we really want here is an xchg() wrapper for RCU, but since that diff --git a/tools/testing/selftests/safesetid/safesetid-test.c b/tools/testing/selftests/safesetid/safesetid-test.c index 4f03813d1911..8f40c6ecdad1 100644 --- a/tools/testing/selftests/safesetid/safesetid-test.c +++ b/tools/testing/selftests/safesetid/safesetid-test.c @@ -144,7 +144,9 @@ static void write_policies(void) { static char *policy_str = "1:2\n" - "1:3\n"; + "1:3\n" + "2:2\n" + "3:3\n"; ssize_t written; int fd; From patchwork Wed Apr 10 16:56:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Micah Morton X-Patchwork-Id: 10894433 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7BF2B17E6 for ; Wed, 10 Apr 2019 16:56:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 62BC328B20 for ; Wed, 10 Apr 2019 16:56:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 568A228B2B; Wed, 10 Apr 2019 16:56:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 01DA128B20 for ; Wed, 10 Apr 2019 16:56:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726577AbfDJQ4a (ORCPT ); Wed, 10 Apr 2019 12:56:30 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:43270 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726556AbfDJQ4a (ORCPT ); Wed, 10 Apr 2019 12:56:30 -0400 Received: by mail-pg1-f193.google.com with SMTP id z9so1893044pgu.10 for ; Wed, 10 Apr 2019 09:56:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=k/vBZWFEN+EOzvl05vZba81q+aJ2WHyZNzbuhqeb0y8=; b=BXMmBIMZ6oLXwcxo8A1UVpTjM3mHf6iTVlJpgyNGDhResaLnwxDzcSb8vxnqk2b2RL WXHaZIcAtBeG6F9gz5QPcRtTDiUXFGplUGVU27eHJp/TNnWUNKpI+w9dmbmO5z0laPLk qk5i4r94cKmgCWl3C87D4TW5KTQPPtt9ucRSo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=k/vBZWFEN+EOzvl05vZba81q+aJ2WHyZNzbuhqeb0y8=; b=Hw2cR4cGE04jRi3DvkxczpV6QsPEAiPCmCBOQsSV3sO7jsnYX+WAamwHK64KSrg7up 75QgwqtD/YQai8HR7BD8L5uiOqX5al0VbZEiljDfRAgsAQJQhblIleAYmiUll/XQILBL Cc55IfFc5N6BoGUKDZfTJ9LB1HXfoUxwgHkRh4N1/nwWEKJi8sWFSFdjxbqi9iaGeJPm scI12nGDCIQc1ShfT8vc+cRIwdG6Lpdps0xvs1/T47CJpcvQwea4LWGA4JUX41SVvgd2 JJ+hVJ/veWWtBe6jwMqhWAk069Fj0nOgAoxaZm72xDlSuX4aG4tcRxAL9yk9F3sZGcVO gUZA== X-Gm-Message-State: APjAAAVUF+0IQ99dV8VGZ/p9uIS8BMFsfcc2cCJMhzm+fU6891NWSr0N 3djbe0iZbCWcwZGa0q+p1eyZQg== X-Google-Smtp-Source: APXvYqxIplkAm/uJnXKbhMsR/ySK5mnxwlWImmQnFVBKWuvReG1RDqJg71Of9nK5ZNwTcQjPrmrCww== X-Received: by 2002:aa7:8392:: with SMTP id u18mr18324427pfm.217.1554915389824; Wed, 10 Apr 2019 09:56:29 -0700 (PDT) Received: from localhost ([2620:15c:202:201:9e10:971c:f11c:a814]) by smtp.gmail.com with ESMTPSA id q87sm55790466pfa.133.2019.04.10.09.56.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Apr 2019 09:56:29 -0700 (PDT) From: Micah Morton X-Google-Original-From: Micah Morton To: jmorris@namei.org, keescook@chromium.org, casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: Jann Horn , Micah Morton Subject: [PATCH 10/10] LSM: SafeSetID: fix use of literal -1 in capable hook Date: Wed, 10 Apr 2019 09:56:27 -0700 Message-Id: <20190410165627.212572-1-mortonm@chromium.org> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Jann Horn The capable() hook returns an error number. -EPERM is actually the same as -1, so this doesn't make a difference in behavior. Signed-off-by: Jann Horn Signed-off-by: Micah Morton Reviewed-by: Kees Cook --- security/safesetid/lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index 4ab4d7cdba31..61b84e20f2dd 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -90,7 +90,7 @@ static int safesetid_security_capable(const struct cred *cred, */ pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", __kuid_val(cred->uid)); - return -1; + return -EPERM; } /*