1 // SPDX-License-Identifier: GPL-2.0
3 * SafeSetID Linux Security Module
5 * Author: Micah Morton <mortonm@chromium.org>
7 * Copyright (C) 2018 The Chromium OS Authors.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2, as
11 * published by the Free Software Foundation.
15 #define pr_fmt(fmt) "SafeSetID: " fmt
17 #include <linux/lsm_hooks.h>
18 #include <linux/module.h>
19 #include <linux/ptrace.h>
20 #include <linux/sched/task_stack.h>
21 #include <linux/security.h>
24 /* Flag indicating whether initialization completed */
25 int safesetid_initialized __initdata
;
27 struct setid_ruleset __rcu
*safesetid_setuid_rules
;
28 struct setid_ruleset __rcu
*safesetid_setgid_rules
;
31 /* Compute a decision for a transition from @src to @dst under @policy. */
32 enum sid_policy_type
_setid_policy_lookup(struct setid_ruleset
*policy
,
35 struct setid_rule
*rule
;
36 enum sid_policy_type result
= SIDPOL_DEFAULT
;
38 if (policy
->type
== UID
) {
39 hash_for_each_possible(policy
->rules
, rule
, next
, __kuid_val(src
.uid
)) {
40 if (!uid_eq(rule
->src_id
.uid
, src
.uid
))
42 if (uid_eq(rule
->dst_id
.uid
, dst
.uid
))
43 return SIDPOL_ALLOWED
;
44 result
= SIDPOL_CONSTRAINED
;
46 } else if (policy
->type
== GID
) {
47 hash_for_each_possible(policy
->rules
, rule
, next
, __kgid_val(src
.gid
)) {
48 if (!gid_eq(rule
->src_id
.gid
, src
.gid
))
50 if (gid_eq(rule
->dst_id
.gid
, dst
.gid
)){
51 return SIDPOL_ALLOWED
;
53 result
= SIDPOL_CONSTRAINED
;
56 /* Should not reach here, report the ID as contrainsted */
57 result
= SIDPOL_CONSTRAINED
;
63 * Compute a decision for a transition from @src to @dst under the active
66 static enum sid_policy_type
setid_policy_lookup(kid_t src
, kid_t dst
, enum setid_type new_type
)
68 enum sid_policy_type result
= SIDPOL_DEFAULT
;
69 struct setid_ruleset
*pol
;
73 pol
= rcu_dereference(safesetid_setuid_rules
);
74 else if (new_type
== GID
)
75 pol
= rcu_dereference(safesetid_setgid_rules
);
76 else { /* Should not reach here */
77 result
= SIDPOL_CONSTRAINED
;
84 result
= _setid_policy_lookup(pol
, src
, dst
);
90 static int safesetid_security_capable(const struct cred
*cred
,
91 struct user_namespace
*ns
,
95 /* We're only interested in CAP_SETUID and CAP_SETGID. */
96 if (cap
!= CAP_SETUID
&& cap
!= CAP_SETGID
)
100 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
101 * let it go through here; the real security check happens later, in the
102 * task_fix_set{u/g}id hook.
105 * Until we add support for restricting setgroups() calls, GID security
106 * policies offer no meaningful security since we always return 0 here
107 * when called from within the setgroups() syscall and there is no
108 * additional hook later on to enforce security policies for setgroups().
110 if ((opts
& CAP_OPT_INSETID
) != 0)
116 * If no policy applies to this task, allow the use of CAP_SETUID for
119 if (setid_policy_lookup((kid_t
){.uid
= cred
->uid
}, INVALID_ID
, UID
) == SIDPOL_DEFAULT
)
122 * Reject use of CAP_SETUID for functionality other than calling
123 * set*uid() (e.g. setting up userns uid mappings).
125 pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",
126 __kuid_val(cred
->uid
));
130 * If no policy applies to this task, allow the use of CAP_SETGID for
133 if (setid_policy_lookup((kid_t
){.gid
= cred
->gid
}, INVALID_ID
, GID
) == SIDPOL_DEFAULT
)
136 * Reject use of CAP_SETUID for functionality other than calling
137 * set*gid() (e.g. setting up userns gid mappings).
139 pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n",
140 __kuid_val(cred
->uid
));
143 /* Error, the only capabilities were checking for is CAP_SETUID/GID */
150 * Check whether a caller with old credentials @old is allowed to switch to
151 * credentials that contain @new_id.
153 static bool id_permitted_for_cred(const struct cred
*old
, kid_t new_id
, enum setid_type new_type
)
157 /* If our old creds already had this ID in it, it's fine. */
158 if (new_type
== UID
) {
159 if (uid_eq(new_id
.uid
, old
->uid
) || uid_eq(new_id
.uid
, old
->euid
) ||
160 uid_eq(new_id
.uid
, old
->suid
))
162 } else if (new_type
== GID
){
163 if (gid_eq(new_id
.gid
, old
->gid
) || gid_eq(new_id
.gid
, old
->egid
) ||
164 gid_eq(new_id
.gid
, old
->sgid
))
166 } else /* Error, new_type is an invalid type */
170 * Transitions to new UIDs require a check against the policy of the old
174 setid_policy_lookup((kid_t
){.uid
= old
->uid
}, new_id
, new_type
) != SIDPOL_CONSTRAINED
;
177 if (new_type
== UID
) {
178 pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n",
179 __kuid_val(old
->uid
), __kuid_val(old
->euid
),
180 __kuid_val(old
->suid
), __kuid_val(new_id
.uid
));
181 } else if (new_type
== GID
) {
182 pr_warn("GID transition ((%d,%d,%d) -> %d) blocked\n",
183 __kgid_val(old
->gid
), __kgid_val(old
->egid
),
184 __kgid_val(old
->sgid
), __kgid_val(new_id
.gid
));
185 } else /* Error, new_type is an invalid type */
192 * Check whether there is either an exception for user under old cred struct to
193 * set*uid to user under new cred struct, or the UID transition is allowed (by
194 * Linux set*uid rules) even without CAP_SETUID.
196 static int safesetid_task_fix_setuid(struct cred
*new,
197 const struct cred
*old
,
201 /* Do nothing if there are no setuid restrictions for our old RUID. */
202 if (setid_policy_lookup((kid_t
){.uid
= old
->uid
}, INVALID_ID
, UID
) == SIDPOL_DEFAULT
)
205 if (id_permitted_for_cred(old
, (kid_t
){.uid
= new->uid
}, UID
) &&
206 id_permitted_for_cred(old
, (kid_t
){.uid
= new->euid
}, UID
) &&
207 id_permitted_for_cred(old
, (kid_t
){.uid
= new->suid
}, UID
) &&
208 id_permitted_for_cred(old
, (kid_t
){.uid
= new->fsuid
}, UID
))
212 * Kill this process to avoid potential security vulnerabilities
213 * that could arise from a missing allowlist entry preventing a
214 * privileged process from dropping to a lesser-privileged one.
220 static int safesetid_task_fix_setgid(struct cred
*new,
221 const struct cred
*old
,
225 /* Do nothing if there are no setgid restrictions for our old RGID. */
226 if (setid_policy_lookup((kid_t
){.gid
= old
->gid
}, INVALID_ID
, GID
) == SIDPOL_DEFAULT
)
229 if (id_permitted_for_cred(old
, (kid_t
){.gid
= new->gid
}, GID
) &&
230 id_permitted_for_cred(old
, (kid_t
){.gid
= new->egid
}, GID
) &&
231 id_permitted_for_cred(old
, (kid_t
){.gid
= new->sgid
}, GID
) &&
232 id_permitted_for_cred(old
, (kid_t
){.gid
= new->fsgid
}, GID
))
236 * Kill this process to avoid potential security vulnerabilities
237 * that could arise from a missing allowlist entry preventing a
238 * privileged process from dropping to a lesser-privileged one.
244 static struct security_hook_list safesetid_security_hooks
[] = {
245 LSM_HOOK_INIT(task_fix_setuid
, safesetid_task_fix_setuid
),
246 LSM_HOOK_INIT(task_fix_setgid
, safesetid_task_fix_setgid
),
247 LSM_HOOK_INIT(capable
, safesetid_security_capable
)
250 static int __init
safesetid_security_init(void)
252 security_add_hooks(safesetid_security_hooks
,
253 ARRAY_SIZE(safesetid_security_hooks
), "safesetid");
255 /* Report that SafeSetID successfully initialized */
256 safesetid_initialized
= 1;
261 DEFINE_LSM(safesetid_security_init
) = {
262 .init
= safesetid_security_init
,