xref: /OK3568_Linux_fs/kernel/security/safesetid/lsm.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * SafeSetID Linux Security Module
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * Author: Micah Morton <mortonm@chromium.org>
6*4882a593Smuzhiyun  *
7*4882a593Smuzhiyun  * Copyright (C) 2018 The Chromium OS Authors.
8*4882a593Smuzhiyun  *
9*4882a593Smuzhiyun  * This program is free software; you can redistribute it and/or modify
10*4882a593Smuzhiyun  * it under the terms of the GNU General Public License version 2, as
11*4882a593Smuzhiyun  * published by the Free Software Foundation.
12*4882a593Smuzhiyun  *
13*4882a593Smuzhiyun  */
14*4882a593Smuzhiyun 
15*4882a593Smuzhiyun #define pr_fmt(fmt) "SafeSetID: " fmt
16*4882a593Smuzhiyun 
17*4882a593Smuzhiyun #include <linux/lsm_hooks.h>
18*4882a593Smuzhiyun #include <linux/module.h>
19*4882a593Smuzhiyun #include <linux/ptrace.h>
20*4882a593Smuzhiyun #include <linux/sched/task_stack.h>
21*4882a593Smuzhiyun #include <linux/security.h>
22*4882a593Smuzhiyun #include "lsm.h"
23*4882a593Smuzhiyun 
24*4882a593Smuzhiyun /* Flag indicating whether initialization completed */
25*4882a593Smuzhiyun int safesetid_initialized;
26*4882a593Smuzhiyun 
27*4882a593Smuzhiyun struct setid_ruleset __rcu *safesetid_setuid_rules;
28*4882a593Smuzhiyun struct setid_ruleset __rcu *safesetid_setgid_rules;
29*4882a593Smuzhiyun 
30*4882a593Smuzhiyun 
31*4882a593Smuzhiyun /* Compute a decision for a transition from @src to @dst under @policy. */
_setid_policy_lookup(struct setid_ruleset * policy,kid_t src,kid_t dst)32*4882a593Smuzhiyun enum sid_policy_type _setid_policy_lookup(struct setid_ruleset *policy,
33*4882a593Smuzhiyun 		kid_t src, kid_t dst)
34*4882a593Smuzhiyun {
35*4882a593Smuzhiyun 	struct setid_rule *rule;
36*4882a593Smuzhiyun 	enum sid_policy_type result = SIDPOL_DEFAULT;
37*4882a593Smuzhiyun 
38*4882a593Smuzhiyun 	if (policy->type == UID) {
39*4882a593Smuzhiyun 		hash_for_each_possible(policy->rules, rule, next, __kuid_val(src.uid)) {
40*4882a593Smuzhiyun 			if (!uid_eq(rule->src_id.uid, src.uid))
41*4882a593Smuzhiyun 				continue;
42*4882a593Smuzhiyun 			if (uid_eq(rule->dst_id.uid, dst.uid))
43*4882a593Smuzhiyun 				return SIDPOL_ALLOWED;
44*4882a593Smuzhiyun 			result = SIDPOL_CONSTRAINED;
45*4882a593Smuzhiyun 		}
46*4882a593Smuzhiyun 	} else if (policy->type == GID) {
47*4882a593Smuzhiyun 		hash_for_each_possible(policy->rules, rule, next, __kgid_val(src.gid)) {
48*4882a593Smuzhiyun 			if (!gid_eq(rule->src_id.gid, src.gid))
49*4882a593Smuzhiyun 				continue;
50*4882a593Smuzhiyun 			if (gid_eq(rule->dst_id.gid, dst.gid)){
51*4882a593Smuzhiyun 				return SIDPOL_ALLOWED;
52*4882a593Smuzhiyun 			}
53*4882a593Smuzhiyun 			result = SIDPOL_CONSTRAINED;
54*4882a593Smuzhiyun 		}
55*4882a593Smuzhiyun 	} else {
56*4882a593Smuzhiyun 		/* Should not reach here, report the ID as contrainsted */
57*4882a593Smuzhiyun 		result = SIDPOL_CONSTRAINED;
58*4882a593Smuzhiyun 	}
59*4882a593Smuzhiyun 	return result;
60*4882a593Smuzhiyun }
61*4882a593Smuzhiyun 
62*4882a593Smuzhiyun /*
63*4882a593Smuzhiyun  * Compute a decision for a transition from @src to @dst under the active
64*4882a593Smuzhiyun  * policy.
65*4882a593Smuzhiyun  */
setid_policy_lookup(kid_t src,kid_t dst,enum setid_type new_type)66*4882a593Smuzhiyun static enum sid_policy_type setid_policy_lookup(kid_t src, kid_t dst, enum setid_type new_type)
67*4882a593Smuzhiyun {
68*4882a593Smuzhiyun 	enum sid_policy_type result = SIDPOL_DEFAULT;
69*4882a593Smuzhiyun 	struct setid_ruleset *pol;
70*4882a593Smuzhiyun 
71*4882a593Smuzhiyun 	rcu_read_lock();
72*4882a593Smuzhiyun 	if (new_type == UID)
73*4882a593Smuzhiyun 		pol = rcu_dereference(safesetid_setuid_rules);
74*4882a593Smuzhiyun 	else if (new_type == GID)
75*4882a593Smuzhiyun 		pol = rcu_dereference(safesetid_setgid_rules);
76*4882a593Smuzhiyun 	else { /* Should not reach here */
77*4882a593Smuzhiyun 		result = SIDPOL_CONSTRAINED;
78*4882a593Smuzhiyun 		rcu_read_unlock();
79*4882a593Smuzhiyun 		return result;
80*4882a593Smuzhiyun 	}
81*4882a593Smuzhiyun 
82*4882a593Smuzhiyun 	if (pol) {
83*4882a593Smuzhiyun 		pol->type = new_type;
84*4882a593Smuzhiyun 		result = _setid_policy_lookup(pol, src, dst);
85*4882a593Smuzhiyun 	}
86*4882a593Smuzhiyun 	rcu_read_unlock();
87*4882a593Smuzhiyun 	return result;
88*4882a593Smuzhiyun }
89*4882a593Smuzhiyun 
safesetid_security_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)90*4882a593Smuzhiyun static int safesetid_security_capable(const struct cred *cred,
91*4882a593Smuzhiyun 				      struct user_namespace *ns,
92*4882a593Smuzhiyun 				      int cap,
93*4882a593Smuzhiyun 				      unsigned int opts)
94*4882a593Smuzhiyun {
95*4882a593Smuzhiyun 	/* We're only interested in CAP_SETUID and CAP_SETGID. */
96*4882a593Smuzhiyun 	if (cap != CAP_SETUID && cap != CAP_SETGID)
97*4882a593Smuzhiyun 		return 0;
98*4882a593Smuzhiyun 
99*4882a593Smuzhiyun 	/*
100*4882a593Smuzhiyun 	 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
101*4882a593Smuzhiyun 	 * let it go through here; the real security check happens later, in the
102*4882a593Smuzhiyun 	 * task_fix_set{u/g}id hook.
103*4882a593Smuzhiyun          *
104*4882a593Smuzhiyun          * NOTE:
105*4882a593Smuzhiyun          * Until we add support for restricting setgroups() calls, GID security
106*4882a593Smuzhiyun          * policies offer no meaningful security since we always return 0 here
107*4882a593Smuzhiyun          * when called from within the setgroups() syscall and there is no
108*4882a593Smuzhiyun          * additional hook later on to enforce security policies for setgroups().
109*4882a593Smuzhiyun 	 */
110*4882a593Smuzhiyun 	if ((opts & CAP_OPT_INSETID) != 0)
111*4882a593Smuzhiyun 		return 0;
112*4882a593Smuzhiyun 
113*4882a593Smuzhiyun 	switch (cap) {
114*4882a593Smuzhiyun 	case CAP_SETUID:
115*4882a593Smuzhiyun 		/*
116*4882a593Smuzhiyun 		* If no policy applies to this task, allow the use of CAP_SETUID for
117*4882a593Smuzhiyun 		* other purposes.
118*4882a593Smuzhiyun 		*/
119*4882a593Smuzhiyun 		if (setid_policy_lookup((kid_t){.uid = cred->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
120*4882a593Smuzhiyun 			return 0;
121*4882a593Smuzhiyun 		/*
122*4882a593Smuzhiyun 		 * Reject use of CAP_SETUID for functionality other than calling
123*4882a593Smuzhiyun 		 * set*uid() (e.g. setting up userns uid mappings).
124*4882a593Smuzhiyun 		 */
125*4882a593Smuzhiyun 		pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
126*4882a593Smuzhiyun 			__kuid_val(cred->uid));
127*4882a593Smuzhiyun 		return -EPERM;
128*4882a593Smuzhiyun 		break;
129*4882a593Smuzhiyun 	case CAP_SETGID:
130*4882a593Smuzhiyun 		/*
131*4882a593Smuzhiyun 		* If no policy applies to this task, allow the use of CAP_SETGID for
132*4882a593Smuzhiyun 		* other purposes.
133*4882a593Smuzhiyun 		*/
134*4882a593Smuzhiyun 		if (setid_policy_lookup((kid_t){.gid = cred->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
135*4882a593Smuzhiyun 			return 0;
136*4882a593Smuzhiyun 		/*
137*4882a593Smuzhiyun 		 * Reject use of CAP_SETUID for functionality other than calling
138*4882a593Smuzhiyun 		 * set*gid() (e.g. setting up userns gid mappings).
139*4882a593Smuzhiyun 		 */
140*4882a593Smuzhiyun 		pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
141*4882a593Smuzhiyun 			__kuid_val(cred->uid));
142*4882a593Smuzhiyun 		return -EPERM;
143*4882a593Smuzhiyun 		break;
144*4882a593Smuzhiyun 	default:
145*4882a593Smuzhiyun 		/* Error, the only capabilities were checking for is CAP_SETUID/GID */
146*4882a593Smuzhiyun 		return 0;
147*4882a593Smuzhiyun 		break;
148*4882a593Smuzhiyun 	}
149*4882a593Smuzhiyun 	return 0;
150*4882a593Smuzhiyun }
151*4882a593Smuzhiyun 
152*4882a593Smuzhiyun /*
153*4882a593Smuzhiyun  * Check whether a caller with old credentials @old is allowed to switch to
154*4882a593Smuzhiyun  * credentials that contain @new_id.
155*4882a593Smuzhiyun  */
id_permitted_for_cred(const struct cred * old,kid_t new_id,enum setid_type new_type)156*4882a593Smuzhiyun static bool id_permitted_for_cred(const struct cred *old, kid_t new_id, enum setid_type new_type)
157*4882a593Smuzhiyun {
158*4882a593Smuzhiyun 	bool permitted;
159*4882a593Smuzhiyun 
160*4882a593Smuzhiyun 	/* If our old creds already had this ID in it, it's fine. */
161*4882a593Smuzhiyun 	if (new_type == UID) {
162*4882a593Smuzhiyun 		if (uid_eq(new_id.uid, old->uid) || uid_eq(new_id.uid, old->euid) ||
163*4882a593Smuzhiyun 			uid_eq(new_id.uid, old->suid))
164*4882a593Smuzhiyun 			return true;
165*4882a593Smuzhiyun 	} else if (new_type == GID){
166*4882a593Smuzhiyun 		if (gid_eq(new_id.gid, old->gid) || gid_eq(new_id.gid, old->egid) ||
167*4882a593Smuzhiyun 			gid_eq(new_id.gid, old->sgid))
168*4882a593Smuzhiyun 			return true;
169*4882a593Smuzhiyun 	} else /* Error, new_type is an invalid type */
170*4882a593Smuzhiyun 		return false;
171*4882a593Smuzhiyun 
172*4882a593Smuzhiyun 	/*
173*4882a593Smuzhiyun 	 * Transitions to new UIDs require a check against the policy of the old
174*4882a593Smuzhiyun 	 * RUID.
175*4882a593Smuzhiyun 	 */
176*4882a593Smuzhiyun 	permitted =
177*4882a593Smuzhiyun 	    setid_policy_lookup((kid_t){.uid = old->uid}, new_id, new_type) != SIDPOL_CONSTRAINED;
178*4882a593Smuzhiyun 
179*4882a593Smuzhiyun 	if (!permitted) {
180*4882a593Smuzhiyun 		if (new_type == UID) {
181*4882a593Smuzhiyun 			pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n",
182*4882a593Smuzhiyun 				__kuid_val(old->uid), __kuid_val(old->euid),
183*4882a593Smuzhiyun 				__kuid_val(old->suid), __kuid_val(new_id.uid));
184*4882a593Smuzhiyun 		} else if (new_type == GID) {
185*4882a593Smuzhiyun 			pr_warn("GID transition ((%d,%d,%d) -> %d) blocked\n",
186*4882a593Smuzhiyun 				__kgid_val(old->gid), __kgid_val(old->egid),
187*4882a593Smuzhiyun 				__kgid_val(old->sgid), __kgid_val(new_id.gid));
188*4882a593Smuzhiyun 		} else /* Error, new_type is an invalid type */
189*4882a593Smuzhiyun 			return false;
190*4882a593Smuzhiyun 	}
191*4882a593Smuzhiyun 	return permitted;
192*4882a593Smuzhiyun }
193*4882a593Smuzhiyun 
194*4882a593Smuzhiyun /*
195*4882a593Smuzhiyun  * Check whether there is either an exception for user under old cred struct to
196*4882a593Smuzhiyun  * set*uid to user under new cred struct, or the UID transition is allowed (by
197*4882a593Smuzhiyun  * Linux set*uid rules) even without CAP_SETUID.
198*4882a593Smuzhiyun  */
safesetid_task_fix_setuid(struct cred * new,const struct cred * old,int flags)199*4882a593Smuzhiyun static int safesetid_task_fix_setuid(struct cred *new,
200*4882a593Smuzhiyun 				     const struct cred *old,
201*4882a593Smuzhiyun 				     int flags)
202*4882a593Smuzhiyun {
203*4882a593Smuzhiyun 
204*4882a593Smuzhiyun 	/* Do nothing if there are no setuid restrictions for our old RUID. */
205*4882a593Smuzhiyun 	if (setid_policy_lookup((kid_t){.uid = old->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)
206*4882a593Smuzhiyun 		return 0;
207*4882a593Smuzhiyun 
208*4882a593Smuzhiyun 	if (id_permitted_for_cred(old, (kid_t){.uid = new->uid}, UID) &&
209*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.uid = new->euid}, UID) &&
210*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.uid = new->suid}, UID) &&
211*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.uid = new->fsuid}, UID))
212*4882a593Smuzhiyun 		return 0;
213*4882a593Smuzhiyun 
214*4882a593Smuzhiyun 	/*
215*4882a593Smuzhiyun 	 * Kill this process to avoid potential security vulnerabilities
216*4882a593Smuzhiyun 	 * that could arise from a missing allowlist entry preventing a
217*4882a593Smuzhiyun 	 * privileged process from dropping to a lesser-privileged one.
218*4882a593Smuzhiyun 	 */
219*4882a593Smuzhiyun 	force_sig(SIGKILL);
220*4882a593Smuzhiyun 	return -EACCES;
221*4882a593Smuzhiyun }
222*4882a593Smuzhiyun 
safesetid_task_fix_setgid(struct cred * new,const struct cred * old,int flags)223*4882a593Smuzhiyun static int safesetid_task_fix_setgid(struct cred *new,
224*4882a593Smuzhiyun 				     const struct cred *old,
225*4882a593Smuzhiyun 				     int flags)
226*4882a593Smuzhiyun {
227*4882a593Smuzhiyun 
228*4882a593Smuzhiyun 	/* Do nothing if there are no setgid restrictions for our old RGID. */
229*4882a593Smuzhiyun 	if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
230*4882a593Smuzhiyun 		return 0;
231*4882a593Smuzhiyun 
232*4882a593Smuzhiyun 	if (id_permitted_for_cred(old, (kid_t){.gid = new->gid}, GID) &&
233*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.gid = new->egid}, GID) &&
234*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.gid = new->sgid}, GID) &&
235*4882a593Smuzhiyun 	    id_permitted_for_cred(old, (kid_t){.gid = new->fsgid}, GID))
236*4882a593Smuzhiyun 		return 0;
237*4882a593Smuzhiyun 
238*4882a593Smuzhiyun 	/*
239*4882a593Smuzhiyun 	 * Kill this process to avoid potential security vulnerabilities
240*4882a593Smuzhiyun 	 * that could arise from a missing allowlist entry preventing a
241*4882a593Smuzhiyun 	 * privileged process from dropping to a lesser-privileged one.
242*4882a593Smuzhiyun 	 */
243*4882a593Smuzhiyun 	force_sig(SIGKILL);
244*4882a593Smuzhiyun 	return -EACCES;
245*4882a593Smuzhiyun }
246*4882a593Smuzhiyun 
247*4882a593Smuzhiyun static struct security_hook_list safesetid_security_hooks[] = {
248*4882a593Smuzhiyun 	LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
249*4882a593Smuzhiyun 	LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
250*4882a593Smuzhiyun 	LSM_HOOK_INIT(capable, safesetid_security_capable)
251*4882a593Smuzhiyun };
252*4882a593Smuzhiyun 
safesetid_security_init(void)253*4882a593Smuzhiyun static int __init safesetid_security_init(void)
254*4882a593Smuzhiyun {
255*4882a593Smuzhiyun 	security_add_hooks(safesetid_security_hooks,
256*4882a593Smuzhiyun 			   ARRAY_SIZE(safesetid_security_hooks), "safesetid");
257*4882a593Smuzhiyun 
258*4882a593Smuzhiyun 	/* Report that SafeSetID successfully initialized */
259*4882a593Smuzhiyun 	safesetid_initialized = 1;
260*4882a593Smuzhiyun 
261*4882a593Smuzhiyun 	return 0;
262*4882a593Smuzhiyun }
263*4882a593Smuzhiyun 
264*4882a593Smuzhiyun DEFINE_LSM(safesetid_security_init) = {
265*4882a593Smuzhiyun 	.init = safesetid_security_init,
266*4882a593Smuzhiyun 	.name = "safesetid",
267*4882a593Smuzhiyun };
268