linux/security/safesetid/securityfs.c
Micah Morton aeca4e2ca6 LSM: add SafeSetID module that gates setid calls
SafeSetID gates the setid family of syscalls to restrict UID/GID
transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given
UIDs/GIDs from obtaining auxiliary privileges associated with
CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
mappings. For now, only gating the set*uid family of syscalls is
supported, with support for set*gid coming in a future patch set.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-25 11:22:45 -08:00

194 lines
4.3 KiB
C

// SPDX-License-Identifier: GPL-2.0
/*
* SafeSetID Linux Security Module
*
* Author: Micah Morton <mortonm@chromium.org>
*
* Copyright (C) 2018 The Chromium OS Authors.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, as
* published by the Free Software Foundation.
*
*/
#include <linux/security.h>
#include <linux/cred.h>
#include "lsm.h"
static struct dentry *safesetid_policy_dir;
struct safesetid_file_entry {
const char *name;
enum safesetid_whitelist_file_write_type type;
struct dentry *dentry;
};
static struct safesetid_file_entry safesetid_files[] = {
{.name = "add_whitelist_policy",
.type = SAFESETID_WHITELIST_ADD},
{.name = "flush_whitelist_policies",
.type = SAFESETID_WHITELIST_FLUSH},
};
/*
* In the case the input buffer contains one or more invalid UIDs, the kuid_t
* variables pointed to by 'parent' and 'child' will get updated but this
* function will return an error.
*/
static int parse_safesetid_whitelist_policy(const char __user *buf,
size_t len,
kuid_t *parent,
kuid_t *child)
{
char *kern_buf;
char *parent_buf;
char *child_buf;
const char separator[] = ":";
int ret;
size_t first_substring_length;
long parsed_parent;
long parsed_child;
/* Duplicate string from user memory and NULL-terminate */
kern_buf = memdup_user_nul(buf, len);
if (IS_ERR(kern_buf))
return PTR_ERR(kern_buf);
/*
* Format of |buf| string should be <UID>:<UID>.
* Find location of ":" in kern_buf (copied from |buf|).
*/
first_substring_length = strcspn(kern_buf, separator);
if (first_substring_length == 0 || first_substring_length == len) {
ret = -EINVAL;
goto free_kern;
}
parent_buf = kmemdup_nul(kern_buf, first_substring_length, GFP_KERNEL);
if (!parent_buf) {
ret = -ENOMEM;
goto free_kern;
}
ret = kstrtol(parent_buf, 0, &parsed_parent);
if (ret)
goto free_both;
child_buf = kern_buf + first_substring_length + 1;
ret = kstrtol(child_buf, 0, &parsed_child);
if (ret)
goto free_both;
*parent = make_kuid(current_user_ns(), parsed_parent);
if (!uid_valid(*parent)) {
ret = -EINVAL;
goto free_both;
}
*child = make_kuid(current_user_ns(), parsed_child);
if (!uid_valid(*child)) {
ret = -EINVAL;
goto free_both;
}
free_both:
kfree(parent_buf);
free_kern:
kfree(kern_buf);
return ret;
}
static ssize_t safesetid_file_write(struct file *file,
const char __user *buf,
size_t len,
loff_t *ppos)
{
struct safesetid_file_entry *file_entry =
file->f_inode->i_private;
kuid_t parent;
kuid_t child;
int ret;
if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))
return -EPERM;
if (*ppos != 0)
return -EINVAL;
switch (file_entry->type) {
case SAFESETID_WHITELIST_FLUSH:
flush_safesetid_whitelist_entries();
break;
case SAFESETID_WHITELIST_ADD:
ret = parse_safesetid_whitelist_policy(buf, len, &parent,
&child);
if (ret)
return ret;
ret = add_safesetid_whitelist_entry(parent, child);
if (ret)
return ret;
break;
default:
pr_warn("Unknown securityfs file %d\n", file_entry->type);
break;
}
/* Return len on success so caller won't keep trying to write */
return len;
}
static const struct file_operations safesetid_file_fops = {
.write = safesetid_file_write,
};
static void safesetid_shutdown_securityfs(void)
{
int i;
for (i = 0; i < ARRAY_SIZE(safesetid_files); ++i) {
struct safesetid_file_entry *entry =
&safesetid_files[i];
securityfs_remove(entry->dentry);
entry->dentry = NULL;
}
securityfs_remove(safesetid_policy_dir);
safesetid_policy_dir = NULL;
}
static int __init safesetid_init_securityfs(void)
{
int i;
int ret;
if (!safesetid_initialized)
return 0;
safesetid_policy_dir = securityfs_create_dir("safesetid", NULL);
if (!safesetid_policy_dir) {
ret = PTR_ERR(safesetid_policy_dir);
goto error;
}
for (i = 0; i < ARRAY_SIZE(safesetid_files); ++i) {
struct safesetid_file_entry *entry =
&safesetid_files[i];
entry->dentry = securityfs_create_file(
entry->name, 0200, safesetid_policy_dir,
entry, &safesetid_file_fops);
if (IS_ERR(entry->dentry)) {
ret = PTR_ERR(entry->dentry);
goto error;
}
}
return 0;
error:
safesetid_shutdown_securityfs();
return ret;
}
fs_initcall(safesetid_init_securityfs);