// SPDX-License-Identifier: GPL-2.0
/*
 * SafeSetID Linux Security Module
 *
 * Author: Micah Morton <mortonm@chromium.org>
 *
 * Copyright (C) 2018 The Chromium OS Authors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2, as
 * published by the Free Software Foundation.
 *
 */

/* Prefix every pr_*() message emitted from this file with the LSM name. */
#define pr_fmt(fmt) "SafeSetID: " fmt

#include <linux/lsm_hooks.h>
#include <linux/module.h>
#include <linux/ptrace.h>
#include <linux/sched/task_stack.h>
#include <linux/security.h>
#include "lsm.h"

/*
 * Flag indicating whether initialization completed.  Set to 1 at the end of
 * safesetid_security_init(); it is not read in this file, so it is exported
 * for the rest of the module.
 */
int safesetid_initialized;

/*
 * Active rulesets, one per ID type.  Readers hold rcu_read_lock() and go
 * through rcu_dereference() in setid_policy_lookup().  The writer that
 * publishes new rulesets is not in this file — presumably the policy
 * interface declared in lsm.h; confirm there that updates use the RCU
 * publish/retire sequence these annotations require.
 */
struct setid_ruleset __rcu *safesetid_setuid_rules;
struct setid_ruleset __rcu *safesetid_setgid_rules;


/*
 * Look up the transition @src -> @dst in @policy.
 *
 * @policy->type decides which member of @src / @dst (.uid or .gid) is
 * consulted.  Non-static so that other files of the module can use it.
 *
 * Returns SIDPOL_ALLOWED when a rule explicitly permits @src -> @dst,
 * SIDPOL_CONSTRAINED when @src has rules but none of them names @dst
 * (or when @policy->type is unknown, which fails closed), and
 * SIDPOL_DEFAULT when @src has no rules at all.
 */
enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
		kid_t src, kid_t dst)
{
	struct setid_rule *rule;
	bool src_has_rules = false;

	switch (policy->type) {
	case UID:
		hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) {
			if (!uid_eq(rule->src_id.uid, src.uid))
				continue;
			if (uid_eq(rule->dst_id.uid, dst.uid))
				return SIDPOL_ALLOWED;
			/* A rule exists for @src, so @src is constrained unless matched. */
			src_has_rules = true;
		}
		break;
	case GID:
		hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) {
			if (!gid_eq(rule->src_id.gid, src.gid))
				continue;
			if (gid_eq(rule->dst_id.gid, dst.gid))
				return SIDPOL_ALLOWED;
			src_has_rules = true;
		}
		break;
	default:
		/* Should not reach here; report the ID as constrained (fail closed). */
		return SIDPOL_CONSTRAINED;
	}

	return src_has_rules ? SIDPOL_CONSTRAINED : SIDPOL_DEFAULT;
}

/*
 * Compute a decision for a transition from @src to @dst under the active
 * policy for @new_type.
 *
 * Selects the UID or GID ruleset under rcu_read_lock() and delegates to
 * _setid_policy_lookup().  With no ruleset installed the answer is
 * SIDPOL_DEFAULT; an unknown @new_type yields SIDPOL_CONSTRAINED.
 */
static enum sid_policy_type setid_policy_lookup(kid_t src, kid_t dst, enum setid_type new_type)
{
	struct setid_ruleset *pol = NULL;
	enum sid_policy_type result = SIDPOL_DEFAULT;

	rcu_read_lock();
	switch (new_type) {
	case UID:
		pol = rcu_dereference(safesetid_setuid_rules);
		break;
	case GID:
		pol = rcu_dereference(safesetid_setgid_rules);
		break;
	default:
		/* Should not reach here: fail closed. */
		result = SIDPOL_CONSTRAINED;
		goto out;
	}

	if (pol) {
		/*
		 * NOTE(review): this stores into RCU-protected state from the
		 * read side.  It looks redundant if the type is fixed when the
		 * ruleset is published — confirm against the code that installs
		 * the rulesets before removing it.
		 */
		pol->type = new_type;
		result = _setid_policy_lookup(pol, src, dst);
	}
out:
	rcu_read_unlock();
	return result;
}

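/*
 * capable() hook: limit what CAP_SETUID / CAP_SETGID may be used for.
 *
 * A task whose real UID (GID) is the source of at least one setuid (setgid)
 * rule may use the capability only for set*uid() / set*gid() transitions,
 * which are checked later by the task_fix_set{u,g}id hooks.  Any other use
 * of the capability (e.g. writing userns ID mappings) is refused.
 *
 * @cred: credentials being checked
 * @ns:   user namespace the check is made in (unused here)
 * @cap:  capability number
 * @opts: CAP_OPT_* flags; CAP_OPT_INSETID marks a check made on behalf of a
 *        setid() syscall
 *
 * Returns 0 to let the capability check proceed, -EPERM to deny it.
 */
static int safesetid_security_capable(const struct cred *cred,
				      struct user_namespace *ns,
				      int cap,
				      unsigned int opts)
{
	/* We're only interested in CAP_SETUID and CAP_SETGID. */
	if (cap != CAP_SETUID && cap != CAP_SETGID)
		return 0;

	/*
	 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
	 * let it go through here; the real security check happens later, in the
	 * task_fix_set{u/g}id hook.
	 *
	 * NOTE:
	 * Until we add support for restricting setgroups() calls, GID security
	 * policies offer no meaningful security since we always return 0 here
	 * when called from within the setgroups() syscall and there is no
	 * additional hook later on to enforce security policies for setgroups().
	 */
	if ((opts & CAP_OPT_INSETID) != 0)
		return 0;

	switch (cap) {
	case CAP_SETUID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETUID
		 * for other purposes.
		 */
		if (setid_policy_lookup((kid_t){.uid = cred->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETUID for functionality other than calling
		 * set*uid() (e.g. setting up userns uid mappings).
		 */
		pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
			__kuid_val(cred->uid));
		return -EPERM;
	case CAP_SETGID:
		/*
		 * If no policy applies to this task, allow the use of CAP_SETGID
		 * for other purposes.
		 */
		if (setid_policy_lookup((kid_t){.gid = cred->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
			return 0;
		/*
		 * Reject use of CAP_SETGID for functionality other than calling
		 * set*gid() (e.g. setting up userns gid mappings).
		 *
		 * Log the real GID: it is the ID the policy lookup above was
		 * keyed on, and the message labels the value as a GID.
		 */
		pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
			__kgid_val(cred->gid));
		return -EPERM;
	default:
		/* Unreachable: the filter above only lets CAP_SETUID/GID through. */
		return 0;
	}
}
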
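/*
 * Check whether a caller with old credentials @old is allowed to switch to
 * credentials that contain @new_id.
 *
 * @old:      the caller's current credentials
 * @new_id:   the ID the caller wants to hold
 * @new_type: UID or GID, selecting which member of @new_id is meaningful
 *
 * An ID the caller already holds (real, effective or saved) is always
 * permitted.  Otherwise the transition is allowed unless the active policy
 * for the caller's real ID of the same type constrains it; a blocked
 * transition is logged.  An unknown @new_type fails closed.
 *
 * Returns true if the transition may proceed, false if it must be refused.
 */
static bool id_permitted_for_cred(const struct cred *old, kid_t new_id, enum setid_type new_type)
{
	kid_t old_id;
	bool permitted;

	/* If our old creds already had this ID in it, it's fine. */
	switch (new_type) {
	case UID:
		if (uid_eq(new_id.uid, old->uid) || uid_eq(new_id.uid, old->euid) ||
		    uid_eq(new_id.uid, old->suid))
			return true;
		old_id = (kid_t){.uid = old->uid};
		break;
	case GID:
		if (gid_eq(new_id.gid, old->gid) || gid_eq(new_id.gid, old->egid) ||
		    gid_eq(new_id.gid, old->sgid))
			return true;
		old_id = (kid_t){.gid = old->gid};
		break;
	default:
		/* Error, new_type is an invalid type: fail closed. */
		return false;
	}

	/*
	 * Transitions to a new ID are checked against the policy of the old
	 * real ID of the same type: the RUID for UID policies and the RGID
	 * for GID policies.  Keying a GID lookup on old->uid would consult
	 * the wrong source ID; the task_fix_setgid hook already keys its
	 * "is there a policy at all" check on old->gid, so this must match.
	 */
	permitted =
	    setid_policy_lookup(old_id, new_id, new_type) != SIDPOL_CONSTRAINED;

	if (!permitted) {
		/* __kuid_val()/__kgid_val() are unsigned, hence %u (as in the capable hook). */
		if (new_type == UID)
			pr_warn("UID transition ((%u,%u,%u) -> %u) blocked\n",
				__kuid_val(old->uid), __kuid_val(old->euid),
				__kuid_val(old->suid), __kuid_val(new_id.uid));
		else
			pr_warn("GID transition ((%u,%u,%u) -> %u) blocked\n",
				__kgid_val(old->gid), __kgid_val(old->egid),
				__kgid_val(old->sgid), __kgid_val(new_id.gid));
	}
	return permitted;
}
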
/*
 * task_fix_setuid hook: validate a set*uid() transition from @old to @new.
 *
 * With no setuid policy for the old RUID the hook is a no-op.  Otherwise
 * every UID in @new (real, effective, saved, filesystem) must be permitted
 * by id_permitted_for_cred(); the first one that is not ends the check.
 * @flags is unused.
 *
 * Returns 0 to allow the transition.  A refused transition returns -EACCES
 * after sending SIGKILL to the task, so that a missing allowlist entry
 * cannot leave a privileged process running with the privileges it was
 * trying to drop.
 */
static int safesetid_task_fix_setuid(struct cred *new,
				     const struct cred *old,
				     int flags)
{
	const kuid_t wanted[] = { new->uid, new->euid, new->suid, new->fsuid };
	unsigned int i;

	/* Do nothing if there are no setuid restrictions for our old RUID. */
	if (setid_policy_lookup((kid_t){.uid = old->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
		return 0;

	for (i = 0; i < ARRAY_SIZE(wanted); i++) {
		if (id_permitted_for_cred(old, (kid_t){.uid = wanted[i]}, UID))
			continue;
		/*
		 * Kill this process to avoid potential security vulnerabilities
		 * that could arise from a missing allowlist entry preventing a
		 * privileged process from dropping to a lesser-privileged one.
		 */
		force_sig(SIGKILL);
		return -EACCES;
	}

	return 0;
}

/*
 * task_fix_setgid hook: validate a set*gid() transition from @old to @new.
 *
 * With no setgid policy for the old RGID the hook is a no-op.  Otherwise
 * every GID in @new (real, effective, saved, filesystem) must be permitted
 * by id_permitted_for_cred(); the first one that is not ends the check.
 * @flags is unused.
 *
 * Returns 0 to allow the transition.  A refused transition returns -EACCES
 * after sending SIGKILL to the task, so that a missing allowlist entry
 * cannot leave a privileged process running with the privileges it was
 * trying to drop.
 */
static int safesetid_task_fix_setgid(struct cred *new,
				     const struct cred *old,
				     int flags)
{
	const kgid_t wanted[] = { new->gid, new->egid, new->sgid, new->fsgid };
	unsigned int i;

	/* Do nothing if there are no setgid restrictions for our old RGID. */
	if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
		return 0;

	for (i = 0; i < ARRAY_SIZE(wanted); i++) {
		if (id_permitted_for_cred(old, (kid_t){.gid = wanted[i]}, GID))
			continue;
		/*
		 * Kill this process to avoid potential security vulnerabilities
		 * that could arise from a missing allowlist entry preventing a
		 * privileged process from dropping to a lesser-privileged one.
		 */
		force_sig(SIGKILL);
		return -EACCES;
	}

	return 0;
}

/*
 * Hooks registered with the LSM framework: the two task_fix_set*id hooks
 * enforce the transition policy, and the capable hook limits what
 * CAP_SETUID / CAP_SETGID may be used for outside of set*id() calls.
 */
static struct security_hook_list safesetid_security_hooks[] = {
	LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
	LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
	LSM_HOOK_INIT(capable, safesetid_security_capable)
};

/*
 * Register the SafeSetID hooks with the LSM framework and then flag the
 * module as initialized (safesetid_initialized is not read in this file;
 * it is exported for the rest of the module).  Always returns 0.
 */
static int __init safesetid_security_init(void)
{
	const unsigned int nr_hooks = ARRAY_SIZE(safesetid_security_hooks);

	security_add_hooks(safesetid_security_hooks, nr_hooks, "safesetid");

	/* Report that SafeSetID successfully initialized */
	safesetid_initialized = 1;

	return 0;
}

/*
 * LSM descriptor picked up by the security framework; .init is invoked
 * when this LSM is enabled.  The name matches the one passed to
 * security_add_hooks() above.
 */
DEFINE_LSM(safesetid_security_init) = {
	.init = safesetid_security_init,
	.name = "safesetid",
};