Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp5423326imm; Tue, 31 Jul 2018 10:37:29 -0700 (PDT) X-Google-Smtp-Source: AAOMgpf3Y69SZfztw+H/SBqJrB+kbAmRzQz0Pz+64de+dC6p3YbuabrUI4mQN/ZXZcAJ5OD1e9ky X-Received: by 2002:a17:902:22:: with SMTP id 31-v6mr21540356pla.190.1533058649499; Tue, 31 Jul 2018 10:37:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533058649; cv=none; d=google.com; s=arc-20160816; b=Rb129no0841lJSh002qt3gJ7GYUkl+sGGUXkh8BOgW+ZmTB/t0YZ4hECt17jV7/dMP y+On5Rv1ApjOUvETgfCOhmS9ZnH+SBHiN52Y7CdX4BPqOH0WJ1eo3VZQVmUWPnq7/xqi jIR2tPb6lR0HyvYbm2g9ECmZfE7DF8q3HcwSORucqw5a83uG3i77Z3+Rfm/I/oo5K06d /uBMTqIGinNSJQjCcpe7FVWeeP/SogMctAZY28vzKhsHHXcUSkkcWZ4dQxSsjvgrI5KF 3m8V7D016RzwsSpX+GgoBKwVLB8YbJTNUbsNlHPsv34evBNyEW0m3n90gIQqIvHj5AWf AUDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:subject:message-id:date:from :mime-version:dkim-signature:arc-authentication-results; bh=JinvuXl4hZRvmQ4MiCXH09fuVomBkiUvNuwtC34RSY0=; b=ET4teJcopZJmCUk1rl4fakYTR+ePxHYKs6fvXAuyX+BgeXLUhm9egeu4Rjbj2TSdaR Q2RMMEuQbR3GFlAqNuAk3iSsQj9/JlyN9Sg6qg2YLsmtfLM67imF/qDz3qjb1G7bJ7sv SGI5GNEE6eXpXkDsOxrT/Bn84Oilm1H4vEFGxXAN+i5QITNl1jUaY4zPUkbyICtZjwpV woQoO0uYchfkKaWlCEY6iKZ9DWYJlHrDpOJK3TSDywE8CFjjMZNvWCni04KPaLbMxM5T Q+tPJ0Ggy3zzhXraBJvh/jU7SpPZ3iXW/hjL+aqynSAxqRslsLDJW4nZw4GWSwSdXXb8 tfrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OQkWlpx8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i35-v6si6748501plg.460.2018.07.31.10.37.14; Tue, 31 Jul 2018 10:37:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=OQkWlpx8; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728607AbeGaTQe (ORCPT + 99 others); Tue, 31 Jul 2018 15:16:34 -0400 Received: from mail-yw0-f194.google.com ([209.85.161.194]:36890 "EHLO mail-yw0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728327AbeGaTQe (ORCPT ); Tue, 31 Jul 2018 15:16:34 -0400 Received: by mail-yw0-f194.google.com with SMTP id w76-v6so6091756ywg.4 for ; Tue, 31 Jul 2018 10:35:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=JinvuXl4hZRvmQ4MiCXH09fuVomBkiUvNuwtC34RSY0=; b=OQkWlpx8tn9uXBdaZhPGeEE2LdAuTQycMK1QopT/XmOSs59opkIDeKMC4Ol9dzG5Sd CT+Koat0MIgmzWG5ve/gK+vg+Q8xAqKzHSj92VOibKZZfOii4Sy2zcsbKwaSvz5CTsoe cCHguy/TqPwBupCOGxbufntHFvGLIbQ+OKpKE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JinvuXl4hZRvmQ4MiCXH09fuVomBkiUvNuwtC34RSY0=; b=KPxioSkRF7Ax8jS76DaLF5/V3bostAjR7C5s6QnTNONE6RfvsQI5elmuxlRq4vS2eB AP1vHaukBrMNLNJBCEERvRG1TX9AYSMbVk0cvSdzFtig/ZhU3SS6FpJT0NABg12qmIAV TakdGdC+FhKhi/nQAC0E0AGqpJDCMtEh2XcYP5sWxdkYIwi5oro4HpNSfCvANbGlRQZ7 tiuJvqgz04Hwn4NRrnTfEezO/M14ak1uNtu4INdBTWlgf/wccw0wX2Fz21+26ZG13h/N hh9AChYvy4JgIxZAt67RcQdy/T/bb2wfLMfisE4Y5wXbdOG8Kkn5W1eyokzAZTpKoDaa 87PA== X-Gm-Message-State: AOUpUlHku3w/sZdkNAKVeeAhdEseVmzvBxuFmnvMzVQJX3ZoK8qbRhAx rXmHMmOyLOxgzeilaWByqo4wIPiLbOdsofGhaRDfOw== X-Received: by 2002:a0d:c3c5:: with SMTP id f188-v6mr11366699ywd.328.1533058510833; Tue, 31 Jul 2018 10:35:10 -0700 (PDT) MIME-Version: 1.0 From: Micah Morton Date: Tue, 31 Jul 2018 10:34:59 -0700 Message-ID: Subject: [PATCH v2] security: Add LSM fixup hooks to set*gid syscalls. To: linux-security-module@vger.kernel.org, serge@hallyn.com, Kees Cook , linux-kernel@vger.kernel.org Content-Type: multipart/alternative; boundary="000000000000f560fd05724eff33" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --000000000000f560fd05724eff33 Content-Type: text/plain; charset="UTF-8" The set*uid system calls all call an LSM fixup hook called security_task_fix_setuid, which allows for altering the behavior of those calls by a security module. Comments explaining the LSM_SETID_* constants in /include/linux/security.h imply that the constants are to be used for both the set*uid and set*gid syscalls, but the set*gid syscalls do not have the relevant hooks, meaning a security module can only alter syscalls that change user identity attributes but not ones that change group identity attributes. This patch adds the necessary LSM hook, called security_task_fix_setgid, and calls the hook from the appropriate places in the set*gid syscalls.Tested by putting a print statement in the hook and seeing it triggered from the various set*gid syscalls. Signed-off-by: Micah Morton Acked-by: Kees Cook --- NOTE: the security_task_fix_setgid line in sys_setfsgid is over 80 characters, but I figured I'd just follow how it was done in sys_setfsuid rather than trying to wrap the line, since the functions are nearly identical. diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 8f1131c8dd54..a2166c812a97 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -599,6 +599,15 @@ * @old is the set of credentials that are being replaces * @flags contains one of the LSM_SETID_* values. * Return 0 on success. + * @task_fix_setgid: + * Update the module's state after setting one or more of the group + * identity attributes of the current process. The @flags parameter + * indicates which of the set*gid system calls invoked this hook. + * @new is the set of credentials that will be installed. Modifications + * should be made to this rather than to @current->cred. + * @old is the set of credentials that are being replaced + * @flags contains one of the LSM_SETID_* values. + * Return 0 on success. * @task_setpgid: * Check permission before setting the process group identifier of the * process @p to @pgid. @@ -1587,6 +1596,8 @@ union security_list_options { enum kernel_read_file_id id); int (*task_fix_setuid)(struct cred *new, const struct cred *old, int flags); + int (*task_fix_setgid)(struct cred *new, const struct cred *old, + int flags); int (*task_setpgid)(struct task_struct *p, pid_t pgid); int (*task_getpgid)(struct task_struct *p); int (*task_getsid)(struct task_struct *p); @@ -1876,6 +1887,7 @@ struct security_hook_heads { struct hlist_head kernel_post_read_file; struct hlist_head kernel_module_request; struct hlist_head task_fix_setuid; + struct hlist_head task_fix_setgid; struct hlist_head task_setpgid; struct hlist_head task_getpgid; struct hlist_head task_getsid; diff --git a/include/linux/security.h b/include/linux/security.h index 63030c85ee19..a82d97cf13ab 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -325,6 +325,8 @@ int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id); int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags); +int security_task_fix_setgid(struct cred *new, const struct cred *old, + int flags); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); @@ -929,6 +931,13 @@ static inline int security_task_fix_setuid(struct cred *new, return cap_task_fix_setuid(new, old, flags); } +static inline int security_task_fix_setgid(struct cred *new, + const struct cred *old, + int flags) +{ + return 0; +} + static inline int security_task_setpgid(struct task_struct *p, pid_t pgid) { return 0; diff --git a/kernel/sys.c b/kernel/sys.c index 38509dc1f77b..f6ef922c6815 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -392,6 +392,10 @@ long __sys_setregid(gid_t rgid, gid_t egid) new->sgid = new->egid; new->fsgid = new->egid; + retval = security_task_fix_setgid(new, old, LSM_SETID_RE); + if (retval < 0) + goto error; + return commit_creds(new); error: @@ -434,6 +438,10 @@ long __sys_setgid(gid_t gid) else goto error; + retval = security_task_fix_setgid(new, old, LSM_SETID_ID); + if (retval < 0) + goto error; + return commit_creds(new); error: @@ -755,6 +763,10 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) new->sgid = ksgid; new->fsgid = new->egid; + retval = security_task_fix_setgid(new, old, LSM_SETID_RES); + if (retval < 0) + goto error; + return commit_creds(new); error: @@ -861,7 +873,8 @@ long __sys_setfsgid(gid_t gid) ns_capable(old->user_ns, CAP_SETGID)) { if (!gid_eq(kgid, old->fsgid)) { new->fsgid = kgid; - goto change_okay; + if (security_task_fix_setgid(new, old, LSM_SETID_FS) == 0) + goto change_okay; } } diff --git a/security/security.c b/security/security.c index 68f46d849abe..587786fc0aaa 100644 --- a/security/security.c +++ b/security/security.c @@ -1062,6 +1062,12 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old, return call_int_hook(task_fix_setuid, 0, new, old, flags); } +int security_task_fix_setgid(struct cred *new, const struct cred *old, + int flags) +{ + return call_int_hook(task_fix_setgid, 0, new, old, flags); +} + int security_task_setpgid(struct task_struct *p, pid_t pgid) { return call_int_hook(task_setpgid, 0, p, pgid); -- 4.18-rc2 -- --000000000000f560fd05724eff33 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The set*uid system calls all call an LSM f= ixup hook called
security_task_fix_setuid, which allow= s for altering the behavior of those
calls by a securi= ty module. Comments explaining the LSM_SETID_* constants
in /include/linux/security.h imply that the constants are to be used for=
both the set*uid and set*gid syscalls, but the set*gi= d syscalls do not
have the relevant hooks, meaning a s= ecurity module can only alter syscalls
that change use= r identity attributes but not ones that change group
i= dentity attributes. This patch adds the necessary LSM hook, called
security_task_fix_setgid, and calls the hook from the appropri= ate places
in the set*gid syscalls.Tested by putting a= print statement in the hook and
seeing it triggered f= rom the various set*gid syscalls.

Signed-off-by: Micah Morton <mortonm@chromium.org>
---
=
NOTE: the security_task_fix_setgid line in sys_setfsgid is = over 80
characters, but I figured I'd just follow = how it was done in sys_setfsuid
rather than trying to = wrap the line, since the functions are nearly
identica= l.

diff --git a/include/linux/lsm_hooks.h b/i= nclude/linux/lsm_hooks.h
index 8f1131c8dd54..a2166c812= a97 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -599,6 +5= 99,15 @@
=C2=A0 *= @old is the set of credentials that are being replaces
=C2=A0 * @flags contai= ns one of the LSM_SETID_* values.
=C2=A0 * Return 0 on success.
+ * @task_fix_setgid:
+ *=C2=A0 =C2=A0 =C2=A0Update t= he module's state after setting one or more of the group
+ *=C2=A0 =C2=A0 =C2=A0identity attributes of the current process.= =C2=A0 The @flags parameter
+ *=C2=A0 =C2=A0 =C2=A0ind= icates which of the set*gid system calls invoked this hook.
+ *=C2=A0 =C2=A0 =C2=A0@new is the set of credentials that will be in= stalled.=C2=A0 Modifications
+ *=C2=A0 =C2=A0 =C2=A0sh= ould be made to this rather than to @current->cred.
+ *=C2=A0 =C2=A0 =C2=A0@old is the set of credentials that are being repla= ced
+ *=C2=A0 =C2=A0 =C2=A0@flags contains one of the = LSM_SETID_* values.
+ *=C2=A0 =C2=A0 =C2=A0Return 0 on= success.
=C2=A0 * @task_setpgid:
=C2=A0 * Check permission befo= re setting the process group identifier of the
=C2=A0 = * process @p to @pgid.
@@ -1587,6 +1596,8 @@ union security_list_options {
=C2=A0 =C2=A0 =C2= =A0 =C2=A0enum kernel_read_file_id id);
=C2=A0 int (*task_fix_setuid)(struct cred *ne= w, const struct cred *old,
=C2=A0 int flags);
+ int (*task_fix_setgid)(struct cred *new, con= st struct cred *old,
+ int flags);
=C2=A0 int (*task_setpgid)(struct task_struct *p, pid_t p= gid);
=C2=A0 int (*task_getpgid)(struct task_struct *p);
=C2=A0<= span style=3D"white-space:pre-wrap"> int (*task_getsid)(struct task_= struct *p);
@@ -1876,6 +1887,7 @@ struct security_hook= _heads {
=C2=A0 <= /span>struct hlist_head kernel_post_read_file;
=C2=A0<= span style=3D"white-space:pre-wrap"> struct hlist_head kernel_module= _request;
=C2=A0 = struct hlist_head task_fix_setuid;
+ struct hlist_head task_fix_setgid;
<= div style=3D"font-size:small;text-decoration-style:initial;text-decoration-= color:initial">=C2=A0 struct hl= ist_head task_setpgid;
=C2=A0 struct hlist_head task_getpgid;
= =C2=A0 struct hlist_head task_g= etsid;
diff --git a/include/linux/security.h b/include= /linux/security.h
index 63030c85ee19..a82d97cf13ab 100= 644
--- a/include/linux/security.h
@@ -325,6 +325,8 @@ i= nt security_kernel_post_read_file(struct file *file, char *buf, loff_t size= ,
=C2=A0 =C2=A0 =C2=A0enum kernel_read_file_id id);
=C2=A0int= security_task_fix_setuid(struct cred *new, const struct cred *old,
=C2=A0 =C2=A0 = =C2=A0 =C2=A0int flags);
+int security_task_fix_setgid= (struct cred *new, const struct cred *old,
+ =C2=A0 =C2=A0 =C2=A0int flags);
<= div style=3D"font-size:small;text-decoration-style:initial;text-decoration-= color:initial">=C2=A0int security_task_setpgid(struct task_struct *p, pid_t= pgid);
=C2=A0int security_task_getpgid(struct task_st= ruct *p);
=C2=A0int security_task_getsid(struct task_s= truct *p);
@@ -929,6 +931,13 @@ static inline int secu= rity_task_fix_setuid(struct cred *new,
=C2=A0 return cap_task_fix_setuid(new, old, fl= ags);
=C2=A0}
=C2=A0
+static inline int security_task_fix_setgid(struct cred *new,
+ =C2=A0 = =C2=A0const struct cred *old,
+ =C2=A0 =C2=A0int flags)
+{
+ return 0;=
+}
+
=C2=A0= static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)<= /div>
=C2=A0{
=C2=A0 return 0;
diff --git a/kerne= l/sys.c b/kernel/sys.c
index 38509dc1f77b..f6ef922c681= 5 100644
--- a/kernel/sys.c
+++ b= /kernel/sys.c
@@ -392,6 +392,10 @@ long __sys_setregid= (gid_t rgid, gid_t egid)
=C2=A0 new->sgid =3D new->egid;
= =C2=A0 new->fsgid =3D new-&g= t;egid;
=C2=A0
+ retval =3D security_task_fix_setgid(new, old, L= SM_SETID_RE);
+ <= /span>if (retval < 0)
+ goto error;
+
= =C2=A0 return commit_creds(new)= ;
=C2=A0
=C2=A0error:
@@ -434,6 +438,10 @@ long __sys_setgid(gid_t gid)
=C2=A0 else
=C2=A0 goto error;
=C2=A0
+ retval =3D security_task_fix_setgid(new, old, LSM_SETID_ID= );
+ if (r= etval < 0)
+ = goto error;
+
=C2=A0 return commit_creds(new);
=C2=A0
=C2=A0error:
@@= -755,6 +763,10 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)=
=C2=A0 n= ew->sgid =3D ksgid;
=C2=A0 new->fsgid =3D new->egid;
= =C2=A0
+ r= etval =3D security_task_fix_setgid(new, old, LSM_SETID_RES);
+ if (retval < 0)
+ goto error= ;
+
=C2=A0 return commit_creds(new);
=C2=A0=
=C2=A0error:
@@ -861,7 +873,8 @@= long __sys_setfsgid(gid_t gid)
=C2=A0 =C2=A0 =C2=A0 ns_capable(old->user_ns, CAP_= SETGID)) {
=C2=A0= if (!gid_eq(kgid, old->fsgid)) {
=C2=A0 new->fsgid =3D kgid;
- goto change_o= kay;
+ i= f (security_task_fix_setgid(new, old, LSM_SETID_FS) =3D=3D 0)
+ goto change_okay;<= /div>
=C2=A0 }<= /div>
=C2=A0 }
=C2=A0
diff --git a/security/secur= ity.c b/security/security.c
index 68f46d849abe..587786= fc0aaa 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1062,6 +1062,12 @= @ int security_task_fix_setuid(struct cred *new, const struct cred *old,
=C2=A0 retur= n call_int_hook(task_fix_setuid, 0, new, old, flags);
= =C2=A0}
=C2=A0
+int security_task= _fix_setgid(struct cred *new, const struct cred *old,
= + =C2=A0 =C2=A0 =C2=A0int fla= gs)
+{
+ return call_int_hook(task_fix_setgid, 0, new, old, flag= s);
+}
+
=C2= =A0int security_task_setpgid(struct task_struct *p, pid_t pgid)
=C2=A0{
=C2=A0 return call_int_hook(task_setpgid, 0, p, pgid);

--
4.18-rc= 2

--

--000000000000f560fd05724eff33--