1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
// SPDX-License-Identifier: GPL-2.0
/*
* SafeSetID Linux Security Module
*
* Author: Micah Morton <mortonm@chromium.org>
*
* Copyright (C) 2018 The Chromium OS Authors.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2, as
* published by the Free Software Foundation.
*
*/
#define pr_fmt(fmt) "SafeSetID: " fmt
#include <linux/security.h>
#include <linux/cred.h>
#include "lsm.h"
static DEFINE_MUTEX(uid_policy_update_lock);
static DEFINE_MUTEX(gid_policy_update_lock);
/*
* In the case the input buffer contains one or more invalid IDs, the kid_t
* variables pointed to by @parent and @child will get updated but this
* function will return an error.
* Contents of @buf may be modified.
*/
static int parse_policy_line(struct file *file, char *buf,
struct setid_rule *rule)
{
char *child_str;
int ret;
u32 parsed_parent, parsed_child;
/* Format of |buf| string should be <UID>:<UID> or <GID>:<GID> */
child_str = strchr(buf, ':');
if (child_str == NULL)
return -EINVAL;
*child_str = '\0';
child_str++;
ret = kstrtou32(buf, 0, &parsed_parent);
if (ret)
return ret;
ret = kstrtou32(child_str, 0, &parsed_child);
if (ret)
return ret;
if (rule->type == UID){
rule->src_id.uid = make_kuid(file->f_cred->user_ns, parsed_parent);
rule->dst_id.uid = make_kuid(file->f_cred->user_ns, parsed_child);
if (!uid_valid(rule->src_id.uid) || !uid_valid(rule->dst_id.uid))
return -EINVAL;
} else if (rule->type == GID){
rule->src_id.gid = make_kgid(file->f_cred->user_ns, parsed_parent);
rule->dst_id.gid = make_kgid(file->f_cred->user_ns, parsed_child);
if (!gid_valid(rule->src_id.gid) || !gid_valid(rule->dst_id.gid))
return -EINVAL;
} else {
/* Error, rule->type is an invalid type */
return -EINVAL;
}
return 0;
}
static void __release_ruleset(struct rcu_head *rcu)
{
struct setid_ruleset *pol =
container_of(rcu, struct setid_ruleset, rcu);
int bucket;
struct setid_rule *rule;
struct hlist_node *tmp;
hash_for_each_safe(pol->rules, bucket, tmp, rule, next)
kfree(rule);
kfree(pol->policy_str);
kfree(pol);
}
static void release_ruleset(struct setid_ruleset *pol){
call_rcu(&pol->rcu, __release_ruleset);
}
static void insert_rule(struct setid_ruleset *pol, struct setid_rule *rule)
{
if (pol->type == UID)
hash_add(pol->rules, &rule->next, __kuid_val(rule->src_id.uid));
else if (pol->type == GID)
hash_add(pol->rules, &rule->next, __kgid_val(rule->src_id.gid));
else /* Error, pol->type is neither UID or GID */
return;
}
static int verify_ruleset(struct setid_ruleset *pol)
{
int bucket;
struct setid_rule *rule, *nrule;
int res = 0;
hash_for_each(pol->rules, bucket, rule, next) {
if (_setid_policy_lookup(pol, rule->dst_id, INVALID_ID) == SIDPOL_DEFAULT) {
if (pol->type == UID) {
pr_warn("insecure policy detected: uid %d is constrained but transitively unconstrained through uid %d\n",
__kuid_val(rule->src_id.uid),
__kuid_val(rule->dst_id.uid));
} else if (pol->type == GID) {
pr_warn("insecure policy detected: gid %d is constrained but transitively unconstrained through gid %d\n",
__kgid_val(rule->src_id.gid),
__kgid_val(rule->dst_id.gid));
} else { /* pol->type is an invalid type */
res = -EINVAL;
return res;
}
res = -EINVAL;
/* fix it up */
nrule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL);
if (!nrule)
return -ENOMEM;
if (pol->type == UID){
nrule->src_id.uid = rule->dst_id.uid;
nrule->dst_id.uid = rule->dst_id.uid;
nrule->type = UID;
} else { /* pol->type must be GID if we've made it to here */
nrule->src_id.gid = rule->dst_id.gid;
nrule->dst_id.gid = rule->dst_id.gid;
nrule->type = GID;
}
insert_rule(pol, nrule);
}
}
return res;
}
static ssize_t handle_policy_update(struct file *file,
const char __user *ubuf, size_t len, enum setid_type policy_type)
{
struct setid_ruleset *pol;
char *buf, *p, *end;
int err;
pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
if (!pol)
return -ENOMEM;
pol->policy_str = NULL;
pol->type = policy_type;
hash_init(pol->rules);
p = buf = memdup_user_nul(ubuf, len);
if (IS_ERR(buf)) {
err = PTR_ERR(buf);
goto out_free_pol;
}
pol->policy_str = kstrdup(buf, GFP_KERNEL);
if (pol->policy_str == NULL) {
err = -ENOMEM;
goto out_free_buf;
}
/* policy lines, including the last one, end with \n */
while (*p != '\0') {
struct setid_rule *rule;
end = strchr(p, '\n');
if (end == NULL) {
err = -EINVAL;
goto out_free_buf;
}
*end = '\0';
rule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL);
if (!rule) {
err = -ENOMEM;
goto out_free_buf;
}
rule->type = policy_type;
err = parse_policy_line(file, p, rule);
if (err)
goto out_free_rule;
if (_setid_policy_lookup(pol, rule->src_id, rule->dst_id) == SIDPOL_ALLOWED) {
pr_warn("bad policy: duplicate entry\n");
err = -EEXIST;
goto out_free_rule;
}
insert_rule(pol, rule);
p = end + 1;
continue;
out_free_rule:
kfree(rule);
goto out_free_buf;
}
err = verify_ruleset(pol);
/* bogus policy falls through after fixing it up */
if (err && err != -EINVAL)
goto out_free_buf;
/*
* Everything looks good, apply the policy and release the old one.
* What we really want here is an xchg() wrapper for RCU, but since that
* doesn't currently exist, just use a spinlock for now.
*/
if (policy_type == UID) {
mutex_lock(&uid_policy_update_lock);
pol = rcu_replace_pointer(safesetid_setuid_rules, pol,
lockdep_is_held(&uid_policy_update_lock));
mutex_unlock(&uid_policy_update_lock);
} else if (policy_type == GID) {
mutex_lock(&gid_policy_update_lock);
pol = rcu_replace_pointer(safesetid_setgid_rules, pol,
lockdep_is_held(&gid_policy_update_lock));
mutex_unlock(&gid_policy_update_lock);
} else {
/* Error, policy type is neither UID or GID */
pr_warn("error: bad policy type");
}
err = len;
out_free_buf:
kfree(buf);
out_free_pol:
if (pol)
release_ruleset(pol);
return err;
}
static ssize_t safesetid_uid_file_write(struct file *file,
const char __user *buf,
size_t len,
loff_t *ppos)
{
if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN))
return -EPERM;
if (*ppos != 0)
return -EINVAL;
return handle_policy_update(file, buf, len, UID);
}
static ssize_t safesetid_gid_file_write(struct file *file,
const char __user *buf,
size_t len,
loff_t *ppos)
{
if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN))
return -EPERM;
if (*ppos != 0)
return -EINVAL;
return handle_policy_update(file, buf, len, GID);
}
static ssize_t safesetid_file_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset)
{
ssize_t res = 0;
struct setid_ruleset *pol;
const char *kbuf;
mutex_lock(policy_update_lock);
pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock));
if (pol) {
kbuf = pol->policy_str;
res = simple_read_from_buffer(buf, len, ppos,
kbuf, strlen(kbuf));
}
mutex_unlock(policy_update_lock);
return res;
}
static ssize_t safesetid_uid_file_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos)
{
return safesetid_file_read(file, buf, len, ppos,
&uid_policy_update_lock, safesetid_setuid_rules);
}
static ssize_t safesetid_gid_file_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos)
{
return safesetid_file_read(file, buf, len, ppos,
&gid_policy_update_lock, safesetid_setgid_rules);
}
static const struct file_operations safesetid_uid_file_fops = {
.read = safesetid_uid_file_read,
.write = safesetid_uid_file_write,
};
static const struct file_operations safesetid_gid_file_fops = {
.read = safesetid_gid_file_read,
.write = safesetid_gid_file_write,
};
static int __init safesetid_init_securityfs(void)
{
int ret;
struct dentry *policy_dir;
struct dentry *uid_policy_file;
struct dentry *gid_policy_file;
if (!safesetid_initialized)
return 0;
policy_dir = securityfs_create_dir("safesetid", NULL);
if (IS_ERR(policy_dir)) {
ret = PTR_ERR(policy_dir);
goto error;
}
uid_policy_file = securityfs_create_file("uid_allowlist_policy", 0600,
policy_dir, NULL, &safesetid_uid_file_fops);
if (IS_ERR(uid_policy_file)) {
ret = PTR_ERR(uid_policy_file);
goto error;
}
gid_policy_file = securityfs_create_file("gid_allowlist_policy", 0600,
policy_dir, NULL, &safesetid_gid_file_fops);
if (IS_ERR(gid_policy_file)) {
ret = PTR_ERR(gid_policy_file);
goto error;
}
return 0;
error:
securityfs_remove(policy_dir);
return ret;
}
fs_initcall(safesetid_init_securityfs);
|
