Re: [PATCH] LSM: add SafeSetID module that gates setid calls
From: "Serge E. Hallyn" <serge@hallyn.com>
Date: 2018-10-31 21:10:07
Quoting mortonm@chromium.org (mortonm@chromium.org):
quoted hunk ↗ jump to hunk
From: Micah Morton <mortonm@chromium.org> SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. For now, only gating the set*uid family of syscalls is supported, with support for set*gid coming in a future patch set. Signed-off-by: Micah Morton <mortonm@chromium.org> --- NOTE: See the TODO above setuid_syscall() in lsm.c for an aspect of this code that likely needs improvement before being an acceptable approach. I'm specifically interested to see if there are better ideas for how this could be done. Documentation/admin-guide/LSM/SafeSetID.rst | 94 ++++++ Documentation/admin-guide/LSM/index.rst | 1 + arch/Kconfig | 5 + arch/arm/Kconfig | 1 + arch/arm64/Kconfig | 1 + arch/x86/Kconfig | 1 + security/Kconfig | 1 + security/Makefile | 2 + security/safesetid/Kconfig | 13 + security/safesetid/Makefile | 7 + security/safesetid/lsm.c | 334 ++++++++++++++++++++ security/safesetid/lsm.h | 30 ++ security/safesetid/securityfs.c | 189 +++++++++++ 13 files changed, 679 insertions(+) create mode 100644 Documentation/admin-guide/LSM/SafeSetID.rst create mode 100644 security/safesetid/Kconfig create mode 100644 security/safesetid/Makefile create mode 100644 security/safesetid/lsm.c create mode 100644 security/safesetid/lsm.h create mode 100644 security/safesetid/securityfs.cdiff --git a/Documentation/admin-guide/LSM/SafeSetID.rst b/Documentation/admin-guide/LSM/SafeSetID.rst new file mode 100644 index 000000000000..e7d072124424 --- /dev/null +++ b/Documentation/admin-guide/LSM/SafeSetID.rst@@ -0,0 +1,94 @@ +========= +SafeSetID +========= +SafeSetID is an LSM module that gates the setid family of syscalls to restrict +UID/GID transitions from a given UID/GID to only those approved by a +system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs +from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as +allowing a user to set up user namespace UID mappings. + + +Background +========== +In absence of file capabilities, processes spawned on a Linux system that need +to switch to a different user must be spawned with CAP_SETUID privileges. +CAP_SETUID is granted to programs running as root or those running as a non-root +user that have been explicitly given the CAP_SETUID runtime capability. It is +often preferable to use Linux runtime capabilities rather than file +capabilities, since using file capabilities to run a program with elevated +privileges opens up possible security holes since any user with access to the +file can exec() that program to gain the elevated privileges.
Not true, see inheritable capabilities. You also might look at ambient capabilities. Just to be sure - your end-goal is to have a set of tasks which have some privileges, including CAP_SETUID, but which cannot transition to certain uids, perhaps including root?