From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: "Vladimir D. Seleznev" To: devel-kernel@lists.altlinux.org Date: Thu, 28 Apr 2022 14:59:55 +0000 Message-Id: <20220428145955.909376-2-vseleznv@altlinux.org> X-Mailer: git-send-email 2.33.3 In-Reply-To: <20220428145955.909376-1-vseleznv@altlinux.org> References: <20220428145541.909063-1-vseleznv@altlinux.org> <20220428145955.909376-1-vseleznv@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH] AltHa: nosuid handles capabilities as well X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Apr 2022 15:00:00 -0000 Archived-At: List-Archive: List-Post: * Documentation/admin-guide/LSM/AltHa.rst: Update documentation. * security/altha/altha_lsm.c (altha_bprm_creds_from_file): Cover capabilities. (has_any_caps): New static function. Signed-off-by: Vladimir D. Seleznev --- Documentation/admin-guide/LSM/AltHa.rst | 6 ++-- security/altha/altha_lsm.c | 46 ++++++++++++++++++++----- 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst index be698709d3f0..beda40601c9e 100644 --- a/Documentation/admin-guide/LSM/AltHa.rst +++ b/Documentation/admin-guide/LSM/AltHa.rst @@ -3,7 +3,7 @@ AltHa ==== AltHa is a Linux Security Module currently has three userspace hardening options: - * ignore SUID on binaries (with exceptions possible); + * ignore SUID and setcaps on binaries (with exceptions possible); * prevent running selected script interpreters in interactive mode; * disable open file unlinking in selected dirs. * enable kiosk mode 
@@ -15,12 +15,12 @@ through sysctls in ``/proc/sys/kernel/altha``. NoSUID ============ -Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitly listed are system-wide ignored. +Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID and setcap binaries. When this submodule is enabled, SUID and setcap bits on all binaries except explicitly listed are system-wide ignored. Sysctl parameters and defaults: * ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable -* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv`` +* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID and setcap binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv`` RestrScript ============ diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c index c670ad7ed458..cdc9abdac0df 100644 --- a/security/altha/altha_lsm.c +++ b/security/altha/altha_lsm.c @@ -11,6 +11,7 @@ #include #include +#include #include #include #include 
@@ -237,10 +238,19 @@ int is_olock_dir(struct inode *inode) return 0; } +static int has_any_caps(struct cred *cred) +{ + return !cap_isclear(cred->cap_permitted) || + !cap_isclear(cred->cap_effective); + + return 0; +} + /* Hooks */ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi) { struct altha_list_struct *node; + char *setuidcap_srt = "setuid"; /* when it's not a shebang issued script interpreter */ if (rstrscript_enabled && bprm->executable == bprm->interpreter) { char *path_p; @@ -267,11 +277,27 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f up_read(&interpreters_sem); kfree(path_buffer); } - if (unlikely(nosuid_enabled && - !uid_eq(bprm->cred->uid, bprm->cred->euid))) { + if (nosuid_enabled) { char *path_p; char *path_buffer; - uid_t cur_uid; + int is_setuid = 0, is_setcap = 0; + uid_t cur_uid, cur_euid; + + is_setuid = !uid_eq(bprm->cred->uid, bprm->cred->euid); + + if (!is_setuid) + is_setcap = has_any_caps(bprm->cred); + + /* + * If no suid but it has any caps, change message string from + * setuid to setcap. + */ + if (is_setcap) + setuidcap_srt = "setcap"; + + /* If no suid and no caps detected, exit. */ + if (!is_setuid && !is_setcap) + return 0; path_buffer = kmalloc(PATH_MAX, GFP_KERNEL); if (!path_buffer) @@ -283,8 +309,8 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f list_for_each_entry(node, &nosuid_exceptions_list, list) { if (strcmp(path_p, node->spath) == 0) { pr_notice_ratelimited - ("AltHa/NoSUID: %s permitted to setuid from %d\n", - bprm->filename, cur_uid); + ("AltHa/NoSUID: %s permitted to %s from %d\n", + bprm->filename, setuidcap_srt, cur_uid); up_read(&nosuid_exceptions_sem); kfree(path_buffer); return 0; 
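Review bot: The second `return 0;` in has_any_caps() is unreachable, because the `||` expression above it already returns, and it will draw a dead-code warning; drop it so the body is the single return statement. The parameter can also be `const struct cred *cred`, since the function only reads `cap_permitted` and `cap_effective` and never writes through the pointer. A one-line comment such as `/* true if the new cred holds any permitted or effective capability */` would make the helper's intent clear to readers of the hook below.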
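Review bot: `cur_euid` in the new `uid_t cur_uid, cur_euid;` line is never assigned or read in this hunk or the later ones, so it only produces an unused-variable warning; keep `uid_t cur_uid;`. More substantively, `has_any_caps(bprm->cred)` tests the permitted and effective sets of the whole new cred rather than what the file's capability xattr contributed, and if the capability LSM's own bprm_creds_from_file hook has already run on bprm->cred (it is ordered first), a root caller's new cred presumably carries a full permitted set, so every non-excepted exec by root would be logged as prevented to setcap and have its capabilities cleared. Comparing the new sets against the caller's current cred, or against the file capabilities, would narrow the check to what NoSUID is meant to cover; this should be confirmed against the intended behaviour. The body of altha_bprm_creds_from_file starts before and ends after this hunk.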
@@ -292,9 +318,13 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
 }
 up_read(&nosuid_exceptions_sem);
 pr_notice_ratelimited
- ("AltHa/NoSUID: %s prevented to setuid from %d\n",
- bprm->filename, cur_uid);
- bprm->cred->euid = bprm->cred->uid;
+ ("AltHa/NoSUID: %s prevented to %s from %d\n",
+ bprm->filename, setuidcap_srt, cur_uid);
+ if (is_setuid)
+ bprm->cred->euid = bprm->cred->uid;
+ cap_clear(bprm->cred->cap_inheritable);
+ cap_clear(bprm->cred->cap_permitted);
+ cap_clear(bprm->cred->cap_effective);
 kfree(path_buffer);
 }
 return 0;
--
2.33.3
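Review bot: The three `cap_clear()` calls on the new side leave `bprm->cred->cap_ambient` untouched, so a caller that exec'd with a non-empty ambient set keeps it while permitted and inheritable are emptied, which breaks the kernel's expectation that the ambient set stays within permitted ∩ inheritable; add `cap_clear(bprm->cred->cap_ambient);` next to them (the field is presumably present in this kernel, confirm). The `if (is_setuid)` branch resets only `euid`; if the capability hook ran first, `suid` and `fsuid` presumably still hold the elevated value it derived from the original euid, so they should be reset to `uid` in the same branch, which is worth verifying. altha_bprm_creds_from_file starts outside this hunk.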