| 03ca0ec1 | 11-Aug-2020 |
Thomas Cedeno <[email protected]> |
LSM: SafeSetID: Fix warnings reported by test bot
Fix multiple cast-to-union warnings related to casting kuid_t and kgid_t types to kid_t union type. Also fix incompatible type warning that arises f
LSM: SafeSetID: Fix warnings reported by test bot
Fix multiple cast-to-union warnings related to casting kuid_t and kgid_t types to kid_t union type. Also fix incompatible type warning that arises from accidental omission of "__rcu" qualifier on the struct setid_ruleset pointer in the argument list for safesetid_file_read().
Reported-by: kernel test robot <[email protected]> Signed-off-by: Thomas Cedeno <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| e10337da | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: fix use of literal -1 in capable hook
The capable() hook returns an error number. -EPERM is actually the same as -1, so this doesn't make a difference in behavior.
Signed-off-by: Ja
LSM: SafeSetID: fix use of literal -1 in capable hook
The capable() hook returns an error number. -EPERM is actually the same as -1, so this doesn't make a difference in behavior.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 4f72123d | 11-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it securely constrains UID 1 to UIDs 1, 2 and 3:
1:2 1:3
However, because
LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it securely constrains UID 1 to UIDs 1, 2 and 3:
1:2 1:3
However, because no constraints are applied to UIDs 2 and 3, an attacker with UID 1 can simply first switch to UID 2, then switch to any UID from there. The secure way to write this ruleset would be:
1:2 1:3 2:2 3:3
, which uses "transition to self" as a way to inhibit the default-allow policy without allowing anything specific.
This is somewhat unintuitive. To make sure that policy authors don't accidentally write insecure policies because of this, let the kernel verify that a new ruleset does not contain any entries that are constrained, but transitively unconstrained.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| fbd9acb2 | 11-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: add read handler
For debugging a running system, it is very helpful to be able to see what policy the system is using. Add a read handler that can dump out a copy of the loaded polic
LSM: SafeSetID: add read handler
For debugging a running system, it is very helpful to be able to see what policy the system is using. Add a read handler that can dump out a copy of the loaded policy.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 03638e62 | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: rewrite userspace API to atomic updates
The current API of the SafeSetID LSM uses one write() per rule, and applies each written rule instantly. This has several downsides:
- While
LSM: SafeSetID: rewrite userspace API to atomic updates
The current API of the SafeSetID LSM uses one write() per rule, and applies each written rule instantly. This has several downsides:
- While a policy is being loaded, once a single parent-child pair has been loaded, the parent is restricted to that specific child, even if subsequent rules would allow transitions to other child UIDs. This means that during policy loading, set*uid() can randomly fail. - To replace the policy without rebooting, it is necessary to first flush all old rules. This creates a time window in which no constraints are placed on the use of CAP_SETUID. - If we want to perform sanity checks on the final policy, this requires that the policy isn't constructed in a piecemeal fashion without telling the kernel when it's done.
Other kernel APIs - including things like the userns code and netfilter - avoid this problem by performing updates atomically. Luckily, SafeSetID hasn't landed in a stable (upstream) release yet, so maybe it's not too late to completely change the API.
The new API for SafeSetID is: If you want to change the policy, open "safesetid/whitelist_policy" and write the entire policy, newline-delimited, in there.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 71a98971 | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: fix userns handling in securityfs
Looking at current_cred() in write handlers is bad form, stop doing that.
Also, let's just require that the write is coming from the initial user n
LSM: SafeSetID: fix userns handling in securityfs
Looking at current_cred() in write handlers is bad form, stop doing that.
Also, let's just require that the write is coming from the initial user namespace. Especially SAFESETID_WHITELIST_FLUSH requires privilege over all namespaces, and SAFESETID_WHITELIST_ADD should probably require it as well.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 78ae7df9 | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: refactor policy parsing
In preparation for changing the policy parsing logic, refactor the line parsing logic to be less verbose and move it into a separate function.
Signed-off-by:
LSM: SafeSetID: refactor policy parsing
In preparation for changing the policy parsing logic, refactor the line parsing logic to be less verbose and move it into a separate function.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 8068866c | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: refactor safesetid_security_capable()
At the moment, safesetid_security_capable() has two nested conditional blocks, and one big comment for all the logic. Chop it up and reduce the
LSM: SafeSetID: refactor safesetid_security_capable()
At the moment, safesetid_security_capable() has two nested conditional blocks, and one big comment for all the logic. Chop it up and reduce the amount of indentation.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 1cd02a27 | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: refactor policy hash table
parent_kuid and child_kuid are kuids, there is no reason to make them uint64_t. (And anyway, in the kernel, the normal name for that would be u64, not uint
LSM: SafeSetID: refactor policy hash table
parent_kuid and child_kuid are kuids, there is no reason to make them uint64_t. (And anyway, in the kernel, the normal name for that would be u64, not uint64_t.)
check_setuid_policy_hashtable_key() and check_setuid_policy_hashtable_key_value() are basically the same thing, merge them.
Also fix the comment that claimed that (1<<8)==128.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 7ef6b306 | 10-Apr-2019 |
Jann Horn <[email protected]> |
LSM: SafeSetID: fix check for setresuid(new1, new2, new3)
With the old code, when a process with the (real,effective,saved) UID set (1,1,1) calls setresuid(2,3,4), safesetid_task_fix_setuid() only c
LSM: SafeSetID: fix check for setresuid(new1, new2, new3)
With the old code, when a process with the (real,effective,saved) UID set (1,1,1) calls setresuid(2,3,4), safesetid_task_fix_setuid() only checks whether the transition 1->2 is permitted; the transitions 1->3 and 1->4 are not checked. Fix this.
This is also a good opportunity to refactor safesetid_task_fix_setuid() to be less verbose - having one branch per set*uid() syscall is unnecessary.
Note that this slightly changes semantics: The UID transition check for UIDs that were not in the old cred struct is now always performed against the policy of the RUID. I think that's more consistent anyway, since the RUID is also the one that decides whether any policy is enforced at all.
Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Micah Morton <[email protected]>
show more ...
|
| 2181e084 | 30-Jan-2019 |
Micah Morton <[email protected]> |
LSM: SafeSetID: remove unused include
The include for asm/syscall.h was needed in a prior version of lsm.c that checked return values of syscall_get_nr, but since we did away with that part of the c
LSM: SafeSetID: remove unused include
The include for asm/syscall.h was needed in a prior version of lsm.c that checked return values of syscall_get_nr, but since we did away with that part of the code this include is no longer necessary. Take out this include since it breaks builds for certain architectures. We no longer have any arch-specific code in SafeSetID.
Signed-off-by: Micah Morton <[email protected]> Signed-off-by: James Morris <[email protected]>
show more ...
|