Commit 5294bac9 authored by Thomas Cedeno's avatar Thomas Cedeno Committed by Micah Morton

LSM: SafeSetID: Add GID security policy handling

The SafeSetID LSM has functionality for restricting setuid() calls based
on its configured security policies. This patch adds the analogous
functionality for setgid() calls. This is mostly a copy-and-paste change
with some code deduplication, plus slight modifications/name changes to
the policy-rule-related structs (now contain GID rules in addition to
the UID ones) and some type generalization since SafeSetID now needs to
deal with kgid_t and kuid_t types.
Signed-off-by: default avatarThomas Cedeno <thomascedeno@google.com>
Signed-off-by: default avatarMicah Morton <mortonm@chromium.org>
parent 111767c1
...@@ -3,9 +3,9 @@ SafeSetID ...@@ -3,9 +3,9 @@ SafeSetID
========= =========
SafeSetID is an LSM module that gates the setid family of syscalls to restrict SafeSetID is an LSM module that gates the setid family of syscalls to restrict
UID/GID transitions from a given UID/GID to only those approved by a UID/GID transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs system-wide allowlist. These restrictions also prohibit the given UIDs/GIDs
from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as
allowing a user to set up user namespace UID mappings. allowing a user to set up user namespace UID/GID mappings.
Background Background
...@@ -98,10 +98,21 @@ Directions for use ...@@ -98,10 +98,21 @@ Directions for use
================== ==================
This LSM hooks the setid syscalls to make sure transitions are allowed if an This LSM hooks the setid syscalls to make sure transitions are allowed if an
applicable restriction policy is in place. Policies are configured through applicable restriction policy is in place. Policies are configured through
securityfs by writing to the safesetid/add_whitelist_policy and securityfs by writing to the safesetid/uid_allowlist_policy and
safesetid/flush_whitelist_policies files at the location where securityfs is safesetid/gid_allowlist_policy files at the location where securityfs is
mounted. The format for adding a policy is '<UID>:<UID>', using literal mounted. The format for adding a policy is '<UID>:<UID>' or '<GID>:<GID>',
numbers, such as '123:456'. To flush the policies, any write to the file is using literal numbers, and ending with a newline character such as '123:456\n'.
sufficient. Again, configuring a policy for a UID will prevent that UID from Writing an empty string "" will flush the policy. Again, configuring a policy
obtaining auxiliary setid privileges, such as allowing a user to set up user for a UID/GID will prevent that UID/GID from obtaining auxiliary setid
namespace UID mappings. privileges, such as allowing a user to set up user namespace UID/GID mappings.
Note on GID policies and setgroups()
==================
In v5.9 we are adding support for limiting CAP_SETGID privileges as was done
previously for CAP_SETUID. However, for compatibility with common sandboxing
related code conventions in userspace, we currently allow arbitrary
setgroups() calls for processes with CAP_SETGID restrictions. Until we add
support in a future release for restricting setgroups() calls, these GID
policies add no meaningful security. setgroups() restrictions will be enforced
once we have the policy checking code in place, which will rely on GID policy
configuration code added in v5.9.
...@@ -24,20 +24,36 @@ ...@@ -24,20 +24,36 @@
/* Flag indicating whether initialization completed */ /* Flag indicating whether initialization completed */
int safesetid_initialized; int safesetid_initialized;
struct setuid_ruleset __rcu *safesetid_setuid_rules; struct setid_ruleset __rcu *safesetid_setuid_rules;
struct setid_ruleset __rcu *safesetid_setgid_rules;
/* Compute a decision for a transition from @src to @dst under @policy. */ /* Compute a decision for a transition from @src to @dst under @policy. */
enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
kuid_t src, kuid_t dst) kid_t src, kid_t dst)
{ {
struct setuid_rule *rule; struct setid_rule *rule;
enum sid_policy_type result = SIDPOL_DEFAULT; enum sid_policy_type result = SIDPOL_DEFAULT;
hash_for_each_possible(policy->rules, rule, next, __kuid_val(src)) { if (policy->type == UID) {
if (!uid_eq(rule->src_uid, src)) hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) {
if (!uid_eq(rule->src_id.uid, src.uid))
continue;
if (uid_eq(rule->dst_id.uid, dst.uid))
return SIDPOL_ALLOWED;
result = SIDPOL_CONSTRAINED;
}
} else if (policy->type == GID) {
hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) {
if (!gid_eq(rule->src_id.gid, src.gid))
continue; continue;
if (uid_eq(rule->dst_uid, dst)) if (gid_eq(rule->dst_id.gid, dst.gid)){
return SIDPOL_ALLOWED; return SIDPOL_ALLOWED;
}
result = SIDPOL_CONSTRAINED;
}
} else {
/* Should not reach here, report the ID as contrainsted */
result = SIDPOL_CONSTRAINED; result = SIDPOL_CONSTRAINED;
} }
return result; return result;
...@@ -47,15 +63,26 @@ enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, ...@@ -47,15 +63,26 @@ enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy,
* Compute a decision for a transition from @src to @dst under the active * Compute a decision for a transition from @src to @dst under the active
* policy. * policy.
*/ */
static enum sid_policy_type setuid_policy_lookup(kuid_t src, kuid_t dst) static enum sid_policy_type setid_policy_lookup(kid_t src, kid_t dst, enum setid_type new_type)
{ {
enum sid_policy_type result = SIDPOL_DEFAULT; enum sid_policy_type result = SIDPOL_DEFAULT;
struct setuid_ruleset *pol; struct setid_ruleset *pol;
rcu_read_lock(); rcu_read_lock();
if (new_type == UID)
pol = rcu_dereference(safesetid_setuid_rules); pol = rcu_dereference(safesetid_setuid_rules);
if (pol) else if (new_type == GID)
result = _setuid_policy_lookup(pol, src, dst); pol = rcu_dereference(safesetid_setgid_rules);
else { /* Should not reach here */
result = SIDPOL_CONSTRAINED;
rcu_read_unlock();
return result;
}
if (pol) {
pol->type = new_type;
result = _setid_policy_lookup(pol, src, dst);
}
rcu_read_unlock(); rcu_read_unlock();
return result; return result;
} }
...@@ -65,25 +92,32 @@ static int safesetid_security_capable(const struct cred *cred, ...@@ -65,25 +92,32 @@ static int safesetid_security_capable(const struct cred *cred,
int cap, int cap,
unsigned int opts) unsigned int opts)
{ {
/* We're only interested in CAP_SETUID. */ /* We're only interested in CAP_SETUID and CAP_SETGID. */
if (cap != CAP_SETUID) if (cap != CAP_SETUID && cap != CAP_SETGID)
return 0; return 0;
/* /*
* If CAP_SETUID is currently used for a set*uid() syscall, we want to * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
* let it go through here; the real security check happens later, in the * let it go through here; the real security check happens later, in the
* task_fix_setuid hook. * task_fix_set{u/g}id hook.
*
* NOTE:
* Until we add support for restricting setgroups() calls, GID security
* policies offer no meaningful security since we always return 0 here
* when called from within the setgroups() syscall and there is no
* additional hook later on to enforce security policies for setgroups().
*/ */
if ((opts & CAP_OPT_INSETID) != 0) if ((opts & CAP_OPT_INSETID) != 0)
return 0; return 0;
switch (cap) {
case CAP_SETUID:
/* /*
* If no policy applies to this task, allow the use of CAP_SETUID for * If no policy applies to this task, allow the use of CAP_SETUID for
* other purposes. * other purposes.
*/ */
if (setuid_policy_lookup(cred->uid, INVALID_UID) == SIDPOL_DEFAULT) if (setid_policy_lookup((kid_t)cred->uid, INVALID_ID, UID) == SIDPOL_DEFAULT)
return 0; return 0;
/* /*
* Reject use of CAP_SETUID for functionality other than calling * Reject use of CAP_SETUID for functionality other than calling
* set*uid() (e.g. setting up userns uid mappings). * set*uid() (e.g. setting up userns uid mappings).
...@@ -91,31 +125,68 @@ static int safesetid_security_capable(const struct cred *cred, ...@@ -91,31 +125,68 @@ static int safesetid_security_capable(const struct cred *cred,
pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
__kuid_val(cred->uid)); __kuid_val(cred->uid));
return -EPERM; return -EPERM;
break;
case CAP_SETGID:
/*
* If no policy applies to this task, allow the use of CAP_SETGID for
* other purposes.
*/
if (setid_policy_lookup((kid_t)cred->gid, INVALID_ID, GID) == SIDPOL_DEFAULT)
return 0;
/*
* Reject use of CAP_SETUID for functionality other than calling
* set*gid() (e.g. setting up userns gid mappings).
*/
pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
__kuid_val(cred->uid));
return -EPERM;
break;
default:
/* Error, the only capabilities were checking for is CAP_SETUID/GID */
return 0;
break;
}
return 0;
} }
/* /*
* Check whether a caller with old credentials @old is allowed to switch to * Check whether a caller with old credentials @old is allowed to switch to
* credentials that contain @new_uid. * credentials that contain @new_id.
*/ */
static bool uid_permitted_for_cred(const struct cred *old, kuid_t new_uid) static bool id_permitted_for_cred(const struct cred *old, kid_t new_id, enum setid_type new_type)
{ {
bool permitted; bool permitted;
/* If our old creds already had this UID in it, it's fine. */ /* If our old creds already had this ID in it, it's fine. */
if (uid_eq(new_uid, old->uid) || uid_eq(new_uid, old->euid) || if (new_type == UID) {
uid_eq(new_uid, old->suid)) if (uid_eq(new_id.uid, old->uid) || uid_eq(new_id.uid, old->euid) ||
uid_eq(new_id.uid, old->suid))
return true;
} else if (new_type == GID){
if (gid_eq(new_id.gid, old->gid) || gid_eq(new_id.gid, old->egid) ||
gid_eq(new_id.gid, old->sgid))
return true; return true;
} else /* Error, new_type is an invalid type */
return false;
/* /*
* Transitions to new UIDs require a check against the policy of the old * Transitions to new UIDs require a check against the policy of the old
* RUID. * RUID.
*/ */
permitted = permitted =
setuid_policy_lookup(old->uid, new_uid) != SIDPOL_CONSTRAINED; setid_policy_lookup((kid_t)old->uid, new_id, new_type) != SIDPOL_CONSTRAINED;
if (!permitted) { if (!permitted) {
if (new_type == UID) {
pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n", pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n",
__kuid_val(old->uid), __kuid_val(old->euid), __kuid_val(old->uid), __kuid_val(old->euid),
__kuid_val(old->suid), __kuid_val(new_uid)); __kuid_val(old->suid), __kuid_val(new_id.uid));
} else if (new_type == GID) {
pr_warn("GID transition ((%d,%d,%d) -> %d) blocked\n",
__kgid_val(old->gid), __kgid_val(old->egid),
__kgid_val(old->sgid), __kgid_val(new_id.gid));
} else /* Error, new_type is an invalid type */
return false;
} }
return permitted; return permitted;
} }
...@@ -131,18 +202,42 @@ static int safesetid_task_fix_setuid(struct cred *new, ...@@ -131,18 +202,42 @@ static int safesetid_task_fix_setuid(struct cred *new,
{ {
/* Do nothing if there are no setuid restrictions for our old RUID. */ /* Do nothing if there are no setuid restrictions for our old RUID. */
if (setuid_policy_lookup(old->uid, INVALID_UID) == SIDPOL_DEFAULT) if (setid_policy_lookup((kid_t)old->uid, INVALID_ID, UID) == SIDPOL_DEFAULT)
return 0;
if (id_permitted_for_cred(old, (kid_t)new->uid, UID) &&
id_permitted_for_cred(old, (kid_t)new->euid, UID) &&
id_permitted_for_cred(old, (kid_t)new->suid, UID) &&
id_permitted_for_cred(old, (kid_t)new->fsuid, UID))
return 0;
/*
* Kill this process to avoid potential security vulnerabilities
* that could arise from a missing allowlist entry preventing a
* privileged process from dropping to a lesser-privileged one.
*/
force_sig(SIGKILL);
return -EACCES;
}
static int safesetid_task_fix_setgid(struct cred *new,
const struct cred *old,
int flags)
{
/* Do nothing if there are no setgid restrictions for our old RGID. */
if (setid_policy_lookup((kid_t)old->gid, INVALID_ID, GID) == SIDPOL_DEFAULT)
return 0; return 0;
if (uid_permitted_for_cred(old, new->uid) && if (id_permitted_for_cred(old, (kid_t)new->gid, GID) &&
uid_permitted_for_cred(old, new->euid) && id_permitted_for_cred(old, (kid_t)new->egid, GID) &&
uid_permitted_for_cred(old, new->suid) && id_permitted_for_cred(old, (kid_t)new->sgid, GID) &&
uid_permitted_for_cred(old, new->fsuid)) id_permitted_for_cred(old, (kid_t)new->fsgid, GID))
return 0; return 0;
/* /*
* Kill this process to avoid potential security vulnerabilities * Kill this process to avoid potential security vulnerabilities
* that could arise from a missing whitelist entry preventing a * that could arise from a missing allowlist entry preventing a
* privileged process from dropping to a lesser-privileged one. * privileged process from dropping to a lesser-privileged one.
*/ */
force_sig(SIGKILL); force_sig(SIGKILL);
...@@ -151,6 +246,7 @@ static int safesetid_task_fix_setuid(struct cred *new, ...@@ -151,6 +246,7 @@ static int safesetid_task_fix_setuid(struct cred *new,
static struct security_hook_list safesetid_security_hooks[] = { static struct security_hook_list safesetid_security_hooks[] = {
LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
LSM_HOOK_INIT(capable, safesetid_security_capable) LSM_HOOK_INIT(capable, safesetid_security_capable)
}; };
......
...@@ -27,27 +27,47 @@ enum sid_policy_type { ...@@ -27,27 +27,47 @@ enum sid_policy_type {
SIDPOL_ALLOWED /* target ID explicitly allowed */ SIDPOL_ALLOWED /* target ID explicitly allowed */
}; };
typedef union {
kuid_t uid;
kgid_t gid;
} kid_t;
enum setid_type {
UID,
GID
};
/* /*
* Hash table entry to store safesetid policy signifying that 'src_uid' * Hash table entry to store safesetid policy signifying that 'src_id'
* can setuid to 'dst_uid'. * can set*id to 'dst_id'.
*/ */
struct setuid_rule { struct setid_rule {
struct hlist_node next; struct hlist_node next;
kuid_t src_uid; kid_t src_id;
kuid_t dst_uid; kid_t dst_id;
/* Flag to signal if rule is for UID's or GID's */
enum setid_type type;
}; };
#define SETID_HASH_BITS 8 /* 256 buckets in hash table */ #define SETID_HASH_BITS 8 /* 256 buckets in hash table */
struct setuid_ruleset { /* Extension of INVALID_UID/INVALID_GID for kid_t type */
#define INVALID_ID (kid_t){.uid = INVALID_UID}
struct setid_ruleset {
DECLARE_HASHTABLE(rules, SETID_HASH_BITS); DECLARE_HASHTABLE(rules, SETID_HASH_BITS);
char *policy_str; char *policy_str;
struct rcu_head rcu; struct rcu_head rcu;
//Flag to signal if ruleset is for UID's or GID's
enum setid_type type;
}; };
enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy, enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
kuid_t src, kuid_t dst); kid_t src, kid_t dst);
extern struct setuid_ruleset __rcu *safesetid_setuid_rules; extern struct setid_ruleset __rcu *safesetid_setuid_rules;
extern struct setid_ruleset __rcu *safesetid_setgid_rules;
#endif /* _SAFESETID_H */ #endif /* _SAFESETID_H */
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment