[PATCH v2] LSM: add SafeSetID module that gates setid calls

Micah Morton mortonm at chromium.org
Tue Jan 15 19:42:54 UTC 2019


On Mon, Jan 14, 2019 at 8:07 PM James Morris <jmorris at namei.org> wrote:
>
> On Fri, 11 Jan 2019, mortonm at chromium.org wrote:
>
> > From: Micah Morton <mortonm at chromium.org>
> >
> > SafeSetID gates the setid family of syscalls to restrict UID/GID
> > transitions from a given UID/GID to only those approved by a
> > system-wide whitelist. These restrictions also prohibit the given
> > UIDs/GIDs from obtaining auxiliary privileges associated with
> > CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
> > mappings. For now, only gating the set*uid family of syscalls is
> > supported, with support for set*gid coming in a future patch set.
> >
>
> I can't recall if this has been mentioned, but is this code already
> shipping in any distros or products, and are any distros planning on
> enabling this feature?

It is shipping on ChromeOS (the hooking is done in our own LSM that we
maintain, but everything else is the same, and we have integration
tests for it). We use it to lock down a handful of system daemons that
need to switch to certain, predetermined UIDs on the system (but not
root). There look to be a few use cases for this LSM in Android as
well, which is a possibility in the future.

>
>
>
> - James
> --
> James Morris
> <jmorris at namei.org>
>
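The transition gating the commit message describes, as an added Python model of the policy check (illustration only, not the module's own code; the "parent:child" policy line format and the exact credential fields compared are assumptions here):

```python
"""Toy model of the SafeSetID set*uid gate described in the patch.

Added illustration, not the module's own code. Assumed here: the whitelist
is a list of "parent_uid:child_uid" lines, and the check compares the real,
effective and saved UIDs of the new credentials against the caller's real UID.
"""
from dataclasses import dataclass

# Constructed sample policy: UID 1000 (a system daemon) may switch only to
# UIDs 2000 and 2001. UIDs that never appear as a parent are unrestricted.
SAMPLE_POLICY = """\
# parent:child
1000:2000
1000:2001
"""


def parse_policy(text: str) -> dict[int, set[int]]:
    """Map each restricted parent UID to the child UIDs it may become."""
    policy: dict[int, set[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parent, child = (int(part) for part in line.split(":", 1))
        policy.setdefault(parent, set()).add(child)
    return policy


@dataclass(frozen=True)
class Creds:
    ruid: int
    euid: int
    suid: int


def setuid_allowed(policy: dict[int, set[int]], old: Creds, new: Creds) -> bool:
    """Return True if moving from `old` to `new` credentials is permitted.

    A caller whose real UID is not listed as a parent is left alone (the
    normal CAP_SETUID rules still apply to it). A restricted caller may only
    move each UID field to its own UID or to a whitelisted child; any other
    target, root included, is denied.
    """
    allowed = policy.get(old.ruid)
    if allowed is None:
        return True
    for field in ("ruid", "euid", "suid"):
        target = getattr(new, field)
        if target != old.ruid and target not in allowed:
            return False
    return True
```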
