Re: [PATCH] LSM: add SafeSetID module that gates setid calls

[PATCH] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2018-10-31
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-10-31
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2018-10-31
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-31
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-01
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · "Serge E. Hallyn" <serge@hallyn.com> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-08
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-08
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-09
[PATCH] LSM: generalize flag passing to security_capable · mortonm@chromium.org · 2018-11-09
[PATCH] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2018-11-21
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2018-12-06
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-12-06
[PATCH v2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2019-01-11
Re: [PATCH v2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-15
[PATCH v3 1/2] LSM: mark all set*uid call sites in kernel/sys.c · mortonm@chromium.org · 2019-01-15
Re: [PATCH v3 1/2] LSM: mark all set*uid call sites in kernel/sys.c · Kees Cook <hidden> · 2019-01-15
[PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2019-01-15
Re: [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-15
[PATCH v4 2/2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2019-01-15
Re: [PATCH v4 2/2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-15
[PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2019-01-16
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Casey Schaufler <casey@schaufler-ca.com> · 2019-01-16
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-22
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2019-01-22
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-22
[PATCH v3 1/2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2019-01-22
Re: [PATCH v3 1/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-25
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2019-01-25
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-25
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-28
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-28
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2019-01-28
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-28
[PATCH] LSM: Add 'name' field for SafeSetID in DEFINE_LSM · mortonm@chromium.org · 2019-01-28
Re: [PATCH] LSM: Add 'name' field for SafeSetID in DEFINE_LSM · James Morris <jmorris@namei.org> · 2019-01-28
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-28
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2019-01-29
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-29
Re: [PATCH v5 2/2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-30
[PATCH] LSM: SafeSetID: add selftest · mortonm@chromium.org · 2019-02-06
RE: [PATCH] LSM: SafeSetID: add selftest · Edwin Zimmerman <hidden> · 2019-02-06
Re: [PATCH] LSM: SafeSetID: add selftest · Micah Morton <mortonm@chromium.org> · 2019-02-07
Re: [PATCH] LSM: SafeSetID: add selftest · James Morris <jmorris@namei.org> · 2019-02-12
Re: [PATCH v3 2/2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-15
Re: [PATCH v2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-15
Re: [PATCH v2] LSM: add SafeSetID module that gates setid calls · Kees Cook <hidden> · 2019-01-15
Re: [PATCH v2] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2019-01-15
Re: [PATCH v2] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2019-01-15
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-02
[PATCH v2] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2018-11-06
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · James Morris <jmorris@namei.org> · 2018-11-06
[PATCH v3] LSM: add SafeSetID module that gates setid calls · mortonm@chromium.org · 2018-11-06
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Stephen Smalley <hidden> · 2018-11-02
Re: [PATCH] LSM: add SafeSetID module that gates setid calls · Micah Morton <mortonm@chromium.org> · 2018-11-02
[PATCH] [PATCH] LSM: generalize flag passing to security_capable · mortonm@chromium.org · 2018-11-19
Re: [PATCH] [PATCH] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2018-12-13
Re: [PATCH] [PATCH] LSM: generalize flag passing to security_capable · Casey Schaufler <casey@schaufler-ca.com> · 2018-12-13
Re: [PATCH] [PATCH] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2018-12-14
[PATCH v2] LSM: generalize flag passing to security_capable · mortonm@chromium.org · 2018-12-18
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-07
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Casey Schaufler <casey@schaufler-ca.com> · 2019-01-07
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-07
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Casey Schaufler <casey@schaufler-ca.com> · 2019-01-07
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-07
[PATCH v3] LSM: generalize flag passing to security_capable · mortonm@chromium.org · 2019-01-07
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Kees Cook <hidden> · 2019-01-07
[PATCH v4] LSM: generalize flag passing to security_capable · mortonm@chromium.org · 2019-01-08
Re: [PATCH v4] LSM: generalize flag passing to security_capable · Kees Cook <hidden> · 2019-01-08
Re: [PATCH v4] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-09
Re: [PATCH v4] LSM: generalize flag passing to security_capable · James Morris <jmorris@namei.org> · 2019-01-10
Re: [PATCH v4] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-10
Re: [PATCH v2] LSM: generalize flag passing to security_capable · Micah Morton <mortonm@chromium.org> · 2019-01-08

From: Micah Morton <mortonm@chromium.org>
Date: 2018-11-01 01:13:03

On Wed, Oct 31, 2018 at 3:37 PM Casey Schaufler [off-list ref] wrote:

On 10/31/2018 2:57 PM, Kees Cook wrote:

quoted

On Wed, Oct 31, 2018 at 2:02 PM, Serge E. Hallyn [off-list ref] wrote:

quoted

Just to be sure - your end-goal is to have a set of tasks which have
some privileges, including CAP_SETUID, but which cannot transition to
certain uids, perhaps including root?

Correct, only whitelisted uids can be switched to. This only pertains
to CAP_SETUID, other capabilities are not affected.

quoted

AIUI, the issue is that CAP_SETUID is TOO permissive. Instead, run
_without_ CAP_SETUID and still allow whitelisted uid transitions.

Kees is right that this LSM only pertains to a single capability:
CAP_SETUID (future work could tackle CAP_SETGID in the same fashion)
-- although the idea here is to put in per-user limitations on what a
process running as that user can do even when it _has_ CAP_SETUID. So
it doesn't grant any extra privileges to processes that don't have
CAP_SETUID, only restricts processes that _do_ have CAP_SETUID if the
user they are running under is restricted.

I don't like that thought at all at all. You need CAP_SETUID for
some transitions but not all. I can call setreuid() and restore
the saved UID to the effective UID. If this LSM works correctly
(I haven't examined it carefully yet) it should prevent restoring
the effective UID if there isn't an appropriate whitelist entry.

Yep, thats how it works. The idea here is that you still need
CAP_SETUID for all transitions, regardless of whether whitelist
policies exist or not.

It also violates the "additional restriction" model of LSMs.

That has the potential to introduce a failure when a process tries
to give up privilege. If 0:1000 isn't on the whitelist but 1000:0

As above, if a process drops CAP_SETUID it wouldn't be able to do any
transitions (if this is what you mean by give up privilege). The
whitelist is a one-way policy so if one wanted to restrict user 123
but let it switch to 456 and back, 2 policies would need to be added:
123 -> 456 and 456 -> 123.

is Bad Things can happen. A SUID root program would be unable to
give up its privilege by going back to the real UID in this case.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help