Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/security/safesetid?h=master 2022-07-15T18:24:42Z 2022-07-15T18:24:42Z Micah Morton mortonm@chromium.org 2022-06-08T22:27:27Z urn:sha1:3e3374d382ff250502fbc4407001ac793d5c4e7f The SafeSetID LSM has functionality for restricting setuid()/setgid() syscalls based on its configured security policies. This patch adds the analogous functionality for the setgroups() syscall. Security policy for the setgroups() syscall follows the same policies that are installed on the system for setgid() syscalls. Signed-off-by: Micah Morton <mortonm@chromium.org> 2021-06-10T16:52:32Z Austin Kim austindh.kim@gmail.com 2021-06-08T23:09:29Z urn:sha1:1b8b719229197b7afa1b1191e083fb41ace095c5 Mark safesetid_initialized as __initdata since it is only used in initialization routine. Signed-off-by: Austin Kim <austindh.kim@gmail.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2021-04-26T23:36:50Z Yanwei Gao gaoyanwei.tx@gmail.com 2021-03-10T06:52:12Z urn:sha1:1ca86ac1ec8d201478e9616565d4df5d51595cfc First, the code is found to be irregular through checkpatch.pl. Then I found break is really useless here. Signed-off-by: Yanwei Gao <gaoyanwei.tx@gmail.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2020-10-13T16:17:36Z Thomas Cedeno thomascedeno@google.com 2020-08-11T15:39:51Z urn:sha1:03ca0ec138927b16fab0dad7b869f42eb2849c94 Fix multiple cast-to-union warnings related to casting kuid_t and kgid_t types to kid_t union type. Also fix incompatible type warning that arises from accidental omission of "__rcu" qualifier on the struct setid_ruleset pointer in the argument list for safesetid_file_read(). Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Thomas Cedeno <thomascedeno@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2020-10-13T16:17:35Z Thomas Cedeno thomascedeno@google.com 2020-07-16T19:52:01Z urn:sha1:5294bac97e12bdabbb97e9adf44d388612a700b8 The SafeSetID LSM has functionality for restricting setuid() calls based on its configured security policies. This patch adds the analogous functionality for setgid() calls. This is mostly a copy-and-paste change with some code deduplication, plus slight modifications/name changes to the policy-rule-related structs (now contain GID rules in addition to the UID ones) and some type generalization since SafeSetID now needs to deal with kgid_t and kuid_t types. Signed-off-by: Thomas Cedeno <thomascedeno@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2019-10-30T15:45:57Z Paul E. McKenney paulmck@kernel.org 2019-10-04T22:07:09Z urn:sha1:a60a5746004d7dbb68cbccd4c16d0529e2b2d1d9 This commit replaces the use of rcu_swap_protected() with the more intuitively appealing rcu_replace_pointer() as a step towards removing rcu_swap_protected(). Link: https://lore.kernel.org/lkml/CAHk-=wiAsJLw1egFEE=Z7-GGtM6wcvtyytXZA1+BHqta4gg6Hw@mail.gmail.com/ Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Reported-by: Reported-by: kbuild test robot <lkp@intel.com> [ paulmck: From rcu_replace() to rcu_replace_pointer() per Ingo Molnar. ] Signed-off-by: Paul E. McKenney <paulmck@kernel.org> Cc: Micah Morton <mortonm@chromium.org> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: <linux-security-module@vger.kernel.org> 2019-09-17T18:27:05Z Micah Morton mortonm@chromium.org 2019-09-17T18:27:05Z urn:sha1:21ab8580b383f27b7f59b84ac1699cb26d6c3d69 The first time a rule set is configured for SafeSetID, we shouldn't be trying to release the previously configured ruleset, since there isn't one. Currently, the pointer that would point to a previously configured ruleset is uninitialized on first rule set configuration, leading to a crash when we try to call release_ruleset with that pointer. Acked-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2019-07-15T15:08:03Z Jann Horn jannh@google.com 2019-04-10T16:56:27Z urn:sha1:e10337daefecb47209fd2af5f4fab0d1a370737f The capable() hook returns an error number. -EPERM is actually the same as -1, so this doesn't make a difference in behavior. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2019-07-15T15:07:51Z Jann Horn jannh@google.com 2019-04-11T20:12:43Z urn:sha1:4f72123da579655855301b591535a1415224f123 Someone might write a ruleset like the following, expecting that it securely constrains UID 1 to UIDs 1, 2 and 3: 1:2 1:3 However, because no constraints are applied to UIDs 2 and 3, an attacker with UID 1 can simply first switch to UID 2, then switch to any UID from there. The secure way to write this ruleset would be: 1:2 1:3 2:2 3:3 , which uses "transition to self" as a way to inhibit the default-allow policy without allowing anything specific. This is somewhat unintuitive. To make sure that policy authors don't accidentally write insecure policies because of this, let the kernel verify that a new ruleset does not contain any entries that are constrained, but transitively unconstrained. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2019-07-15T15:07:40Z Jann Horn jannh@google.com 2019-04-11T20:11:54Z urn:sha1:fbd9acb2dc2aa55902c48a83f157082849209fba For debugging a running system, it is very helpful to be able to see what policy the system is using. Add a read handler that can dump out a copy of the loaded policy. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org>