From: Micah Morton
Date: Mon, 15 Jul 2019 09:04:48 -0700
Subject: [GIT PULL] SafeSetID LSM changes for 5.3
To: torvalds@linux-foundation.org, Linux Kernel Mailing List, linux-security-module

Hi Linus,

I'm maintaining the new SafeSetID LSM and was told to set up my own
tree for sending pull requests rather than sending my changes through
James Morris and the security subsystem tree.

This is my first time doing one of these pull requests so hopefully I
didn't screw something up.

Thanks,
Micah

---

The following changes since commit fec88ab0af9706b2201e5daf377c5031c62d11f7:

  Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma (2019-07-14 19:42:11 -0700)

are available in the Git repository at:

  https://github.com/micah-morton/linux.git tags/safesetid-5.3

for you to fetch changes up to e10337daefecb47209fd2af5f4fab0d1a370737f:

  LSM: SafeSetID: fix use of literal -1 in capable hook (2019-07-15 08:08:03 -0700)

----------------------------------------------------------------
SafeSetID patches for 5.3

These changes from Jann Horn fix a couple issues in the recently added
SafeSetID LSM:

(1) There was a simple logic bug in one of the hooks for the LSM where
    the code was incorrectly returning early in some cases before all
    security checks had been passed.

(2) There was a more high level issue with how this LSM gets configured
    that could allow for a program to bypass the security restrictions
    by switching to an allowed UID and then again to any other UID on
    the system if the target UID of the first transition is
    unconstrained on the system. Luckily this is an easy fix that we
    now enforce at the time the LSM gets configured.

There are also some changes from Jann that make policy updates for this
LSM atomic. Kees Cook, Jann and myself have reviewed these changes and
they look good from our point of view.

Signed-off-by: Micah Morton

----------------------------------------------------------------
Jann Horn (10):
      LSM: SafeSetID: fix pr_warn() to include newline
      LSM: SafeSetID: fix check for setresuid(new1, new2, new3)
      LSM: SafeSetID: refactor policy hash table
      LSM: SafeSetID: refactor safesetid_security_capable()
      LSM: SafeSetID: refactor policy parsing
      LSM: SafeSetID: fix userns handling in securityfs
      LSM: SafeSetID: rewrite userspace API to atomic updates
      LSM: SafeSetID: add read handler
      LSM: SafeSetID: verify transitive constrainedness
      LSM: SafeSetID: fix use of literal -1 in capable hook

 security/safesetid/lsm.c                           | 276 +++++++++++++-----------------------------
 security/safesetid/lsm.h                           |  34 ++++--
 security/safesetid/securityfs.c                    | 307 +++++++++++++++++++++++++++++------------------
 tools/testing/selftests/safesetid/safesetid-test.c |  18 ++-
 4 files changed, 306 insertions(+), 329 deletions(-)
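
The configuration-time check described in item (2), sketched as an added example that is not part of the original message and is not the kernel's SafeSetID code. It assumes a policy modeled as src:dst UID pairs; the function names and sample UIDs are made up for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One allowed transition: a process running as src may switch to dst. */
struct rule { unsigned src, dst; };

/* A UID is constrained when some rule names it as a source; a UID with
 * no rules of its own is not restricted by the policy at all. */
static bool is_constrained(const struct rule *r, size_t n, unsigned uid)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].src == uid)
            return true;
    return false;
}

/* Model of the per-transition decision: unconstrained callers pass,
 * constrained callers need an explicit src:dst rule. */
bool transition_allowed(const struct rule *r, size_t n, unsigned from, unsigned to)
{
    if (!is_constrained(r, n, from))
        return true;
    for (size_t i = 0; i < n; i++)
        if (r[i].src == from && r[i].dst == to)
            return true;
    return false;
}

/* Load-time check: count rules whose destination UID is unconstrained.
 * A policy should be accepted only when this returns 0. */
size_t unconstrained_targets(const struct rule *r, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_constrained(r, n, r[i].dst))
            bad++;
    return bad;
}

/* Constructed sample policies; the UIDs are made up. */
static const struct rule leaky[]  = { {1000, 2000}, {1000, 3000}, {3000, 3000} };
static const struct rule closed[] = { {1000, 2000}, {2000, 2000}, {1000, 3000}, {3000, 3000} };

int main(void)
{
    printf("leaky:  %zu unconstrained target(s)\n", unconstrained_targets(leaky, 3));
    printf("closed: %zu unconstrained target(s)\n", unconstrained_targets(closed, 4));
}
```

In the `leaky` policy UID 2000 has no rules of its own, so a policy loader applying this check would reject it; `closed` pins 2000 to itself and passes.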