From: Andrey Savchenko <bircoph@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH v5] AltHa: handle setcap binaries in the same way as setuid ones
Date: Mon, 30 May 2022 20:08:12 +0300
Message-ID: <20220530200812.4234c6c313f06ebba5a89bab@altlinux.org> (raw)
In-Reply-To: <20220523134404.4178601-1-vseleznv@altlinux.org>
[-- Attachment #1: Type: text/plain, Size: 5064 bytes --]
On Mon, 23 May 2022 13:44:04 +0000 Vladimir D. Seleznev wrote:
> altha.nosuid facility controls what binaries can raise user privilleges.
> Prior to this commit it only handled setuid binaries, but it was still
> possible to raise privilleges via setcaps. Now it handles both setuid
> and setcap binaries.
>
> Signed-off-by: Vladimir D. Seleznev <vseleznv@altlinux.org>
> ---
> Documentation/admin-guide/LSM/AltHa.rst | 6 ++--
> security/altha/Kconfig | 2 +-
> security/altha/altha_lsm.c | 47 ++++++++++++++++++++-----
> 3 files changed, 43 insertions(+), 12 deletions(-)
>
> diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst
> index be698709d3f0..beda40601c9e 100644
> --- a/Documentation/admin-guide/LSM/AltHa.rst
> +++ b/Documentation/admin-guide/LSM/AltHa.rst
> @@ -3,7 +3,7 @@ AltHa
> ====
>
> AltHa is a Linux Security Module currently has three userspace hardening options:
> - * ignore SUID on binaries (with exceptions possible);
> + * ignore SUID and setcaps on binaries (with exceptions possible);
> * prevent running selected script interpreters in interactive mode;
> * disable open file unlinking in selected dirs.
> * enable kiosk mode
> @@ -15,12 +15,12 @@ through sysctls in ``/proc/sys/kernel/altha``.
>
> NoSUID
> ============
> -Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitly listed are system-wide ignored.
> +Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID and setcap binaries. When this submodule is enabled, SUID and setcap bits on all binaries except explicitly listed are system-wide ignored.
>
> Sysctl parameters and defaults:
>
> * ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable
> -* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
> +* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID and setcap binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
>
> RestrScript
> ============
> diff --git a/security/altha/Kconfig b/security/altha/Kconfig
> index 4bafdef4e58e..cd1dd69cc48d 100644
> --- a/security/altha/Kconfig
> +++ b/security/altha/Kconfig
> @@ -4,7 +4,7 @@ config SECURITY_ALTHA
> default n
> help
> Some hardening options:
> - * ignore SUID on binaries (with exceptions possible);
> + * ignore SUID and setcap on binaries (with exceptions possible);
> * prevent running selected script interprers in interactive move;
> * WxorX for filesystems (with exceptions possible);
>
> diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
> index c670ad7ed458..e597d722ab04 100644
> --- a/security/altha/altha_lsm.c
> +++ b/security/altha/altha_lsm.c
> @@ -11,6 +11,7 @@
>
> #include <linux/lsm_hooks.h>
> #include <linux/cred.h>
> +#include <linux/capability.h>
> #include <linux/sysctl.h>
> #include <linux/binfmts.h>
> #include <linux/file.h>
> @@ -241,6 +242,7 @@ int is_olock_dir(struct inode *inode)
> static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi)
> {
> struct altha_list_struct *node;
> + char *setuidcap_str = "setuid";
> /* when it's not a shebang issued script interpreter */
> if (rstrscript_enabled && bprm->executable == bprm->interpreter) {
> char *path_p;
> @@ -267,11 +269,37 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
> up_read(&interpreters_sem);
> kfree(path_buffer);
> }
> - if (unlikely(nosuid_enabled &&
> - !uid_eq(bprm->cred->uid, bprm->cred->euid))) {
> + if (nosuid_enabled) {
> char *path_p;
> char *path_buffer;
> - uid_t cur_uid;
> + int is_setuid = 0, is_setcap = 0;
> + uid_t cur_uid, cur_euid;
> +
> + /*
> + * While nosuid is supposed to prevent switching to superuser,
> + * it does not check swtiching to a non-privileged user because
> + * it is almost never user.
Looks like a typo. Did you mean "almost never used"?
Best regards,
Andrew Savchenko
[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2022-05-30 17:08 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 13:44 Vladimir D. Seleznev
2022-05-30 11:48 ` Vladimir D. Seleznev
2022-05-30 15:11 ` Vitaly Chikunov
2022-05-30 15:24 ` Vladimir D. Seleznev
2022-05-30 15:45 ` Dmitry V. Levin
2022-05-30 21:28 ` Vladimir D. Seleznev
2022-05-31 6:45 ` Dmitry V. Levin
2022-05-31 22:47 ` Vladimir D. Seleznev
2022-06-01 1:06 ` Vitaly Chikunov
2022-05-30 17:08 ` Andrey Savchenko [this message]
2022-05-30 21:29 ` Vladimir D. Seleznev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220530200812.4234c6c313f06ebba5a89bab@altlinux.org \
--to=bircoph@altlinux.org \
--cc=devel-kernel@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux kernel packages development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
public-inbox-index devel-kernel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git