14eaddc967
Fix a regression in cap_capable() due to: commit 5ff7711e635b32f0a1e558227d030c7e45b4a465 Author: David Howells <dhowells@redhat.com> Date: Wed Dec 31 02:52:28 2008 +0000 CRED: Differentiate objective and effective subjective credentials on a task The problem is that the above patch allows a process to have two sets of credentials, and for the most part uses the subjective credentials when accessing current's creds. There is, however, one exception: cap_capable(), and thus capable(), uses the real/objective credentials of the target task, whether or not it is the current task. Ordinarily this doesn't matter, since usually the two cred pointers in current point to the same set of creds. However, sys_faccessat() makes use of this facility to override the credentials of the calling process to make its test, without affecting the creds as seen from other processes. One of the things sys_faccessat() does is to make an adjustment to the effective capabilities mask, which cap_capable(), as it stands, then ignores. The affected capability check is in generic_permission(): if (!(mask & MAY_EXEC) || execute_ok(inode)) if (capable(CAP_DAC_OVERRIDE)) return 0; This change splits capable() from has_capability() down into the commoncap and SELinux code. The capable() security op now only deals with the current process, and uses the current process's subjective creds. A new security op - task_capable() - is introduced that can check any task's objective creds. strictly the capable() security op is superfluous with the presence of the task_capable() op, however it should be faster to call the capable() op since two fewer arguments need be passed down through the various layers. This can be tested by compiling the following program from the XFS testsuite: /* * t_access_root.c - trivial test program to show permission bug. * * Written by Michael Kerrisk - copyright ownership not pursued. * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html */ #include <limits.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define UID 500 #define GID 100 #define PERM 0 #define TESTPATH "/tmp/t_access" static void errExit(char *msg) { perror(msg); exit(EXIT_FAILURE); } /* errExit */ static void accessTest(char *file, int mask, char *mstr) { printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask)); } /* accessTest */ int main(int argc, char *argv[]) { int fd, perm, uid, gid; char *testpath; char cmd[PATH_MAX + 20]; testpath = (argc > 1) ? argv[1] : TESTPATH; perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM; uid = (argc > 3) ? atoi(argv[3]) : UID; gid = (argc > 4) ? atoi(argv[4]) : GID; unlink(testpath); fd = open(testpath, O_RDWR | O_CREAT, 0); if (fd == -1) errExit("open"); if (fchown(fd, uid, gid) == -1) errExit("fchown"); if (fchmod(fd, perm) == -1) errExit("fchmod"); close(fd); snprintf(cmd, sizeof(cmd), "ls -l %s", testpath); system(cmd); if (seteuid(uid) == -1) errExit("seteuid"); accessTest(testpath, 0, "0"); accessTest(testpath, R_OK, "R_OK"); accessTest(testpath, W_OK, "W_OK"); accessTest(testpath, X_OK, "X_OK"); accessTest(testpath, R_OK | W_OK, "R_OK | W_OK"); accessTest(testpath, R_OK | X_OK, "R_OK | X_OK"); accessTest(testpath, W_OK | X_OK, "W_OK | X_OK"); accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK"); exit(EXIT_SUCCESS); } /* main */ This can be run against an Ext3 filesystem as well as against an XFS filesystem. If successful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns 0 access(/tmp/xxx, W_OK) returns 0 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns 0 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 If unsuccessful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns -1 access(/tmp/xxx, W_OK) returns -1 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns -1 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 I've also tested the fix with the SELinux and syscalls LTP testsuites. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
104 lines
2.7 KiB
C
104 lines
2.7 KiB
C
/*
|
|
* Root Plug sample LSM module
|
|
*
|
|
* Originally written for a Linux Journal.
|
|
*
|
|
* Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
|
|
*
|
|
* Prevents any programs running with egid == 0 if a specific USB device
|
|
* is not present in the system. Yes, it can be gotten around, but is a
|
|
* nice starting point for people to play with, and learn the LSM
|
|
* interface.
|
|
*
|
|
* If you want to turn this into something with a semblance of security,
|
|
* you need to hook the task_* functions also.
|
|
*
|
|
* See http://www.linuxjournal.com/article.php?sid=6279 for more information
|
|
* about this code.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/init.h>
|
|
#include <linux/security.h>
|
|
#include <linux/usb.h>
|
|
#include <linux/moduleparam.h>
|
|
|
|
/* default is a generic type of usb to serial converter */
|
|
static int vendor_id = 0x0557;
|
|
static int product_id = 0x2008;
|
|
|
|
module_param(vendor_id, uint, 0400);
|
|
module_param(product_id, uint, 0400);
|
|
|
|
/* should we print out debug messages */
|
|
static int debug = 0;
|
|
|
|
module_param(debug, bool, 0600);
|
|
|
|
#define MY_NAME "root_plug"
|
|
|
|
#define root_dbg(fmt, arg...) \
|
|
do { \
|
|
if (debug) \
|
|
printk(KERN_DEBUG "%s: %s: " fmt , \
|
|
MY_NAME , __func__ , \
|
|
## arg); \
|
|
} while (0)
|
|
|
|
static int rootplug_bprm_check_security (struct linux_binprm *bprm)
|
|
{
|
|
struct usb_device *dev;
|
|
|
|
root_dbg("file %s, e_uid = %d, e_gid = %d\n",
|
|
bprm->filename, bprm->cred->euid, bprm->cred->egid);
|
|
|
|
if (bprm->cred->egid == 0) {
|
|
dev = usb_find_device(vendor_id, product_id);
|
|
if (!dev) {
|
|
root_dbg("e_gid = 0, and device not found, "
|
|
"task not allowed to run...\n");
|
|
return -EPERM;
|
|
}
|
|
usb_put_dev(dev);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct security_operations rootplug_security_ops = {
|
|
/* Use the capability functions for some of the hooks */
|
|
.ptrace_may_access = cap_ptrace_may_access,
|
|
.ptrace_traceme = cap_ptrace_traceme,
|
|
.capget = cap_capget,
|
|
.capset = cap_capset,
|
|
.capable = cap_capable,
|
|
.task_capable = cap_task_capable,
|
|
|
|
.bprm_set_creds = cap_bprm_set_creds,
|
|
|
|
.task_fix_setuid = cap_task_fix_setuid,
|
|
.task_prctl = cap_task_prctl,
|
|
|
|
.bprm_check_security = rootplug_bprm_check_security,
|
|
};
|
|
|
|
static int __init rootplug_init (void)
|
|
{
|
|
/* register ourselves with the security framework */
|
|
if (register_security (&rootplug_security_ops)) {
|
|
printk (KERN_INFO
|
|
"Failure registering Root Plug module with the kernel\n");
|
|
return -EINVAL;
|
|
}
|
|
printk (KERN_INFO "Root Plug module initialized, "
|
|
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
|
|
return 0;
|
|
}
|
|
|
|
security_initcall (rootplug_init);
|