[PATCH] LSM: add SafeSetID module that gates setid calls

Casey Schaufler casey at schaufler-ca.com
Wed Oct 31 22:37:47 UTC 2018


On 10/31/2018 2:57 PM, Kees Cook wrote:
> On Wed, Oct 31, 2018 at 2:02 PM, Serge E. Hallyn <serge at hallyn.com> wrote:
>> Just to be sure - your end-goal is to have a set of tasks which have
>> some privileges, including CAP_SETUID, but which cannot transition to
>> certain uids, perhaps including root?
> AIUI, the issue is that CAP_SETUID is TOO permissive. Instead, run
> _without_ CAP_SETUID and still allow whitelisted uid transitions.

I don't like that thought at all at all. You need CAP_SETUID for
some transitions but not all. I can call setreuid() and restore
the saved UID to the effective UID. If this LSM works correctly
(I haven't examined it carefully yet) it should prevent restoring
the effective UID if there isn't an appropriate whitelist entry.

It also violates the "additional restriction" model of LSMs.

That has the potential to introduce a failure when a process tries
to give up privilege. If 0:1000 isn't on the whitelist but 1000:0
is, Bad Things can happen. A SUID root program would be unable to
give up its privilege by going back to the real UID in this case.

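The failure mode described in the message (a whitelist that permits 1000:0 but not 0:1000, leaving a SUID-root program unable to return to its real UID) can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the thread, from SafeSetID, or from the kernel. The `uid_rule` whitelist, `transition_allowed`, `check_setreuid` and `suid_can_drop_privilege` names are hypothetical simplifications of a transition policy, and the sample rule tables are constructed. The last function, `drop_to_real_uid`, shows the defensive pattern a SUID program should follow regardless of policy: drop with `setreuid()` and then verify the result instead of assuming the call succeeded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical whitelist entry: a permitted (from_uid -> to_uid) transition.
 * Constructed for illustration; not SafeSetID's real data structure. */
struct uid_rule { uid_t from; uid_t to; };

/* A transition is permitted if it is a no-op or appears in the whitelist. */
static bool transition_allowed(const struct uid_rule *rules, size_t n,
                               uid_t from, uid_t to)
{
    if (from == to)
        return true;
    for (size_t i = 0; i < n; i++)
        if (rules[i].from == from && rules[i].to == to)
            return true;
    return false;
}

/* Simplified credential set of the calling task. */
struct creds { uid_t ruid, euid, suid; };

/* Evaluate a setreuid(new_ruid, new_euid)-style request against the policy,
 * taking the caller's current effective uid as the "from" side of each
 * transition. (uid_t)-1 means "leave this id unchanged", as with setreuid(). */
static bool check_setreuid(const struct uid_rule *rules, size_t n,
                           const struct creds *c, uid_t new_ruid, uid_t new_euid)
{
    if (new_ruid != (uid_t)-1 && !transition_allowed(rules, n, c->euid, new_ruid))
        return false;
    if (new_euid != (uid_t)-1 && !transition_allowed(rules, n, c->euid, new_euid))
        return false;
    return true;
}

/* Constructed rule tables: the lopsided one is the case the message warns about. */
static const struct uid_rule lopsided[]  = { { 1000, 0 } };              /* 1000:0 only */
static const struct uid_rule symmetric[] = { { 1000, 0 }, { 0, 1000 } }; /* both ways  */

/* A SUID-root program starts with ruid 1000, euid 0, suid 0. Giving up
 * privilege means moving the effective uid back to 1000. */
bool suid_can_drop_privilege(const struct uid_rule *rules, size_t n)
{
    struct creds c = { 1000, 0, 0 };
    return check_setreuid(rules, n, &c, (uid_t)-1, 1000);
}

bool lopsided_blocks_drop(void)  { return !suid_can_drop_privilege(lopsided, 1); }
bool symmetric_allows_drop(void) { return  suid_can_drop_privilege(symmetric, 2); }

/* Defensive privilege drop for a real SUID program: become the real uid for
 * good and verify it, because a policy (or any LSM) may refuse the call and a
 * program that ignores the failure keeps running privileged. */
int drop_to_real_uid(void)
{
    uid_t ruid = getuid();
    /* Setting the real uid makes the saved uid follow the new effective uid,
     * so this is a permanent drop rather than a temporary one. */
    if (setreuid(ruid, ruid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    return 0;
}

int main(void)
{
    printf("lopsided whitelist blocks privilege drop: %s\n",
           lopsided_blocks_drop() ? "yes" : "no");
    printf("symmetric whitelist allows privilege drop: %s\n",
           symmetric_allows_drop() ? "yes" : "no");
    printf("drop_to_real_uid in this process: %s\n",
           drop_to_real_uid() == 0 ? "ok" : "refused");
    return 0;
}
```

Run as an ordinary user the program reports that the lopsided table blocks the drop while the symmetric one permits it, and `drop_to_real_uid` succeeds trivially because the process already runs as its real uid; the point of the verification step is the SUID case, where a refused `setreuid()` must be treated as a fatal error rather than ignored.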