[PATCH] LSM: add SafeSetID module that gates setid calls
Serge E. Hallyn
serge at hallyn.com
Wed Oct 31 21:02:45 UTC 2018
Quoting mortonm at chromium.org (mortonm at chromium.org):
> From: Micah Morton <mortonm at chromium.org>
>
> SafeSetID gates the setid family of syscalls to restrict UID/GID
> transitions from a given UID/GID to only those approved by a
> system-wide whitelist. These restrictions also prohibit the given
> UIDs/GIDs from obtaining auxiliary privileges associated with
> CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
> mappings. For now, only gating the set*uid family of syscalls is
> supported, with support for set*gid coming in a future patch set.
>
> Signed-off-by: Micah Morton <mortonm at chromium.org>
> ---
>
> NOTE: See the TODO above setuid_syscall() in lsm.c for an aspect of this
> code that likely needs improvement before being an acceptable approach.
> I'm specifically interested to see if there are better ideas for how
> this could be done.
>
> Documentation/admin-guide/LSM/SafeSetID.rst | 94 ++++++
> Documentation/admin-guide/LSM/index.rst | 1 +
> arch/Kconfig | 5 +
> arch/arm/Kconfig | 1 +
> arch/arm64/Kconfig | 1 +
> arch/x86/Kconfig | 1 +
> security/Kconfig | 1 +
> security/Makefile | 2 +
> security/safesetid/Kconfig | 13 +
> security/safesetid/Makefile | 7 +
> security/safesetid/lsm.c | 334 ++++++++++++++++++++
> security/safesetid/lsm.h | 30 ++
> security/safesetid/securityfs.c | 189 +++++++++++
> 13 files changed, 679 insertions(+)
> create mode 100644 Documentation/admin-guide/LSM/SafeSetID.rst
> create mode 100644 security/safesetid/Kconfig
> create mode 100644 security/safesetid/Makefile
> create mode 100644 security/safesetid/lsm.c
> create mode 100644 security/safesetid/lsm.h
> create mode 100644 security/safesetid/securityfs.c
>
> diff --git a/Documentation/admin-guide/LSM/SafeSetID.rst b/Documentation/admin-guide/LSM/SafeSetID.rst
> new file mode 100644
> index 000000000000..e7d072124424
> --- /dev/null
> +++ b/Documentation/admin-guide/LSM/SafeSetID.rst
> @@ -0,0 +1,94 @@
> +=========
> +SafeSetID
> +=========
> +SafeSetID is an LSM module that gates the setid family of syscalls to restrict
> +UID/GID transitions from a given UID/GID to only those approved by a
> +system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs
> +from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as
> +allowing a user to set up user namespace UID mappings.
> +
> +
> +Background
> +==========
> +In absence of file capabilities, processes spawned on a Linux system that need
> +to switch to a different user must be spawned with CAP_SETUID privileges.
> +CAP_SETUID is granted to programs running as root or those running as a non-root
> +user that have been explicitly given the CAP_SETUID runtime capability. It is
> +often preferable to use Linux runtime capabilities rather than file
> +capabilities, since using file capabilities to run a program with elevated
> +privileges opens up possible security holes since any user with access to the
> +file can exec() that program to gain the elevated privileges.
Not true, see inheritable capabilities. You also might look at ambient
capabilities.
Just to be sure - your end-goal is to have a set of tasks which have
some privileges, including CAP_SETUID, but which cannot transition to
certain uids, perhaps including root?
More information about the Linux-security-module-archive
mailing list