On Wed, May 27, 2015 at 04:47:59PM -0700, Andy Lutomirski wrote:
> Per Andrew Morgan's request, add a securebit to allow admins to
> disable PR_CAP_AMBIENT_RAISE. This securebit will prevent processes
> from adding capabilities to their ambient set.
>
> For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather
> than just disabling setting previously cleared bits.
>
> Acked-By: Andrew G. Morgan <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: Christoph Lameter <[email protected]>
> Cc: Serge Hallyn <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Jonathan Corbet <[email protected]>
> Cc: Aaron Jones <[email protected]>
> CC: Ted Ts'o <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: Andrew G. Morgan <[email protected]>
> Cc: Mimi Zohar <[email protected]>
> Cc: Austin S Hemmelgarn <[email protected]>
> Cc: Markku Savela <[email protected]>
> Cc: Jarkko Sakkinen <[email protected]>
> Cc: Michael Kerrisk <[email protected]>
> Signed-off-by: Andy Lutomirski <[email protected]>
> ---
> include/uapi/linux/securebits.h | 11 ++++++++++-
> security/commoncap.c | 3 ++-
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h
> index 985aac9e6bf8..35ac35cef217 100644
> --- a/include/uapi/linux/securebits.h
> +++ b/include/uapi/linux/securebits.h
> @@ -43,9 +43,18 @@
> #define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
> #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
>
> +/* When set, a process cannot add new capabilities to its ambient set. */
> +#define SECURE_NO_CAP_AMBIENT_RAISE 6
> +#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */
> +
> +#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
> +#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
> + (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
> +
> #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
> issecure_mask(SECURE_NO_SETUID_FIXUP) | \
> - issecure_mask(SECURE_KEEP_CAPS))
> + issecure_mask(SECURE_KEEP_CAPS) | \
> + issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
> #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
>
> #endif /* _UAPI_LINUX_SECUREBITS_H */
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 835a7584f7ea..22b7b91c5eae 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -987,7 +987,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> if (arg2 == PR_CAP_AMBIENT_RAISE &&
> (!cap_raised(current_cred()->cap_permitted, arg3) ||
> !cap_raised(current_cred()->cap_inheritable,
> - arg3)))
> + arg3) ||
> + issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
> return -EPERM;
>
> new = prepare_creds();
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/