[PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls

Micah Morton mortonm at chromium.org
Mon Jan 28 19:47:10 UTC 2019 

I'm getting the following crash when booting after compiling a kernel
with this LSM enabled, so I'll have to figure out what is going on.
All the "core" functionality of this LSM has been tested thoroughly
(we're already using this LSM on ChromeOS), but looks like there's
some debugging of the initialization that still needs to be done.

[    0.174285] LSM: Security Framework initializing
[    0.175277] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000000
[    0.176272] #PF error: [normal kernel read fault]
[    0.176272] PGD 0 P4D 0
[    0.176272] Oops: 0000 [#1] SMP PTI
[    0.176272] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.0.0-rc3+ #5
[    0.176272] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[    0.176272] RIP: 0010:strcmp+0x4/0x20
[    0.176272] Code: 09 48 83 c2 01 80 3a 00 75 f7 48 83 c6 01 0f b6
4e ff 48 83 c2 01 84 c9 88 4a ff 75 ed f3 c3 0f 1f 80 00 00 00 00 48
83 c7 01 <0f> b6 47 ff 48 83 c6 01 3a 46 ff 75 07 84 c0 75 eb 31 c0 c3
19 c0
[    0.176272] RSP: 0000:ffffffff88a03eb0 EFLAGS: 00010202
[    0.176272] RAX: 00000000ffffffff RBX: ffffffff89079bb0 RCX: 0000000000000000
[    0.176272] RDX: ffffa3f087411ec5 RSI: ffffa3f087411ec0 RDI: 0000000000000001
[    0.176272] RBP: ffffffff88815d93 R08: 000000000000002c R09: ffffa3f087411ec4
[    0.176272] R10: 000000000000002c R11: 00726f6d72617070 R12: ffffa3f087411ec0
[    0.176272] R13: ffffa3f087411ec0 R14: 0000000000000000 R15: 0000000000000000
[    0.176272] FS:  0000000000000000(0000) GS:ffffa3f087800000(0000)
knlGS:0000000000000000
[    0.176272] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.176272] CR2: 0000000000000000 CR3: 0000000005c0e000 CR4: 00000000000006b0
[    0.176272] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    0.176272] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    0.176272] Call Trace:
[    0.176272]  ordered_lsm_parse+0x112/0x20b
[    0.176272]  security_init+0x9b/0x3ab
[    0.176272]  start_kernel+0x413/0x479
[    0.176272]  secondary_startup_64+0xa4/0xb0
[    0.176272] Modules linked in:
[    0.176272] CR2: 0000000000000000
[    0.176272] ---[ end trace f2a8342a377681d5 ]---
[    0.176272] RIP: 0010:strcmp+0x4/0x20
[    0.176272] Code: 09 48 83 c2 01 80 3a 00 75 f7 48 83 c6 01 0f b6
4e ff 48 83 c2 01 84 c9 88 4a ff 75 ed f3 c3 0f 1f 80 00 00 00 00 48
83 c7 01 <0f> b6 47 ff 48 83 c6 01 3a 46 ff 75 07 84 c0 75 eb 31 c0 c3
19 c0
[    0.176272] RSP: 0000:ffffffff88a03eb0 EFLAGS: 00010202
[    0.176272] RAX: 00000000ffffffff RBX: ffffffff89079bb0 RCX: 0000000000000000
[    0.176272] RDX: ffffa3f087411ec5 RSI: ffffa3f087411ec0 RDI: 0000000000000001
[    0.176272] RBP: ffffffff88815d93 R08: 000000000000002c R09: ffffa3f087411ec4
[    0.176272] R10: 000000000000002c R11: 00726f6d72617070 R12: ffffa3f087411ec0
[    0.176272] R13: ffffa3f087411ec0 R14: 0000000000000000 R15: 0000000000000000
[    0.176272] FS:  0000000000000000(0000) GS:ffffa3f087800000(0000)
knlGS:0000000000000000
[    0.176272] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.176272] CR2: 0000000000000000 CR3: 0000000005c0e000 CR4: 00000000000006b0
[    0.176272] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    0.176272] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    0.176272] Kernel panic - not syncing: Attempted to kill the idle task!
[    0.176272] ---[ end Kernel panic - not syncing: Attempted to kill
the idle task! ]---

On Fri, Jan 25, 2019 at 1:06 PM Micah Morton <mortonm at chromium.org> wrote:
>
> Thanks!
>
> On Fri, Jan 25, 2019 at 12:15 PM James Morris <jmorris at namei.org> wrote:
> >
> > On Wed, 16 Jan 2019, mortonm at chromium.org wrote:
> >
> > > From: Micah Morton <mortonm at chromium.org>
> > >
> > > SafeSetID gates the setid family of syscalls to restrict UID/GID
> > > transitions from a given UID/GID to only those approved by a
> > > system-wide whitelist. These restrictions also prohibit the given
> > > UIDs/GIDs from obtaining auxiliary privileges associated with
> > > CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
> > > mappings. For now, only gating the set*uid family of syscalls is
> > > supported, with support for set*gid coming in a future patch set.
> > >
> > > Signed-off-by: Micah Morton <mortonm at chromium.org>
> > > Acked-by: Kees Cook <keescook at chromium.org>
> >
> > Both applied to
> > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
> >
> >
> > --
> > James Morris
> > <jmorris at namei.org>
> >

More information about the Linux-security-module-archive mailing list