From: Andrey Savchenko
To: ALT Linux kernel packages development
Date: Mon, 30 May 2022 20:08:12 +0300
Subject: Re: [d-kernel] [PATCH v5] AltHa: handle setcap binaries in the same way as setuid ones
Message-Id: <20220530200812.4234c6c313f06ebba5a89bab@altlinux.org>
In-Reply-To: <20220523134404.4178601-1-vseleznv@altlinux.org>

On Mon, 23 May 2022 13:44:04 +0000 Vladimir D. Seleznev wrote:
> altha.nosuid facility controls what binaries can raise user privileges.
> Prior to this commit it only handled setuid binaries, but it was still
> possible to raise privileges via setcaps. Now it handles both setuid
> and setcap binaries.
>
> Signed-off-by: Vladimir D. Seleznev
> ---
> Documentation/admin-guide/LSM/AltHa.rst | 6 ++--
> security/altha/Kconfig | 2 +-
> security/altha/altha_lsm.c | 47 ++++++++++++++++++++-----
> 3 files changed, 43 insertions(+), 12 deletions(-)
>
> diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admi= n-guide/LSM/AltHa.rst > index be698709d3f0..beda40601c9e 100644 > --- a/Documentation/admin-guide/LSM/AltHa.rst > +++ b/Documentation/admin-guide/LSM/AltHa.rst > @@ -3,7 +3,7 @@ AltHa > =3D=3D=3D=3D > =20 > AltHa is a Linux Security Module currently has three userspace hardening= options: > - * ignore SUID on binaries (with exceptions possible); > + * ignore SUID and setcaps on binaries (with exceptions possible); > * prevent running selected script interpreters in interactive mode; > * disable open file unlinking in selected dirs. > * enable kiosk mode 
> @@ -15,12 +15,12 @@ through sysctls in ``/proc/sys/kernel/altha``. > =20 > NoSUID > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > -Modern Linux systems can be used with minimal (or even zero at least for= OWL and ALT) usage of SUID programms, but in many cases in full-featured d= esktop or server systems there are plenty of them: uncounted and sometimes = unnecessary. Privileged programms are always an attack surface, but mountin= g filesystems with ``nosuid`` flag doesn't provide enough granularity in SU= ID binaries management. This LSM module provides a single control point for= all SUID binaries. When this submodule is enabled, SUID bits on all binari= es except explicitly listed are system-wide ignored. > +Modern Linux systems can be used with minimal (or even zero at least for= OWL and ALT) usage of SUID programms, but in many cases in full-featured d= esktop or server systems there are plenty of them: uncounted and sometimes = unnecessary. Privileged programms are always an attack surface, but mountin= g filesystems with ``nosuid`` flag doesn't provide enough granularity in SU= ID binaries management. This LSM module provides a single control point for= all SUID and setcap binaries. When this submodule is enabled, SUID and set= cap bits on all binaries except explicitly listed are system-wide ignored. > =20 > Sysctl parameters and defaults: > =20 > * ``kernel.altha.nosuid.enabled =3D 0``, set to 1 to enable > -* ``kernel.altha.nosuid.exceptions =3D``, colon-separated list of enable= d SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-pri= v`` > +* ``kernel.altha.nosuid.exceptions =3D``, colon-separated list of enable= d SUID and setcap binaries, for example: ``/bin/su:/usr/libexec/hasher-priv= /hasher-priv`` > =20 > RestrScript > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > diff --git a/security/altha/Kconfig b/security/altha/Kconfig > index 4bafdef4e58e..cd1dd69cc48d 100644 > --- a/security/altha/Kconfig > +++ b/security/altha/Kconfig 
> @@ -4,7 +4,7 @@ config SECURITY_ALTHA > default n > help > Some hardening options: > - * ignore SUID on binaries (with exceptions possible); > + * ignore SUID and setcap on binaries (with exceptions possible); > * prevent running selected script interprers in interactive move; > * WxorX for filesystems (with exceptions possible); > =20 > diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c > index c670ad7ed458..e597d722ab04 100644 > --- a/security/altha/altha_lsm.c > +++ b/security/altha/altha_lsm.c > @@ -11,6 +11,7 @@ > =20 > #include > #include > +#include > #include > #include > #include > @@ -241,6 +242,7 @@ int is_olock_dir(struct inode *inode) > static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct = file * fi) > { > struct altha_list_struct *node; > + char *setuidcap_str =3D "setuid"; > /* when it's not a shebang issued script interpreter */ > if (rstrscript_enabled && bprm->executable =3D=3D bprm->interpreter) { > char *path_p; 
> @@ -267,11 +269,37 @@ static int altha_bprm_creds_from_file(struct linux_= binprm *bprm, struct file * f > up_read(&interpreters_sem); > kfree(path_buffer); > } > - if (unlikely(nosuid_enabled && > - !uid_eq(bprm->cred->uid, bprm->cred->euid))) { > + if (nosuid_enabled) { > char *path_p; > char *path_buffer; > - uid_t cur_uid; > + int is_setuid =3D 0, is_setcap =3D 0; > + uid_t cur_uid, cur_euid; > + > + /* > + * While nosuid is supposed to prevent switching to superuser, > + * it does not check swtiching to a non-privileged user because > + * it is almost never user.

Looks like a typo. Did you mean "almost never used"?

Best regards,
Andrew Savchenko
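Review bot: in the first AltHa.rst hunk the new bullet `ignore SUID and setcaps on binaries` says `setcaps`, while the Kconfig hunk and the NoSUID paragraph later in the same file say `setcap`; settle on one term (`setcap`) across the series. The context line `AltHa is a Linux Security Module currently has three userspace hardening options:` is also stale now that the list below it has four bullets (kiosk mode included) and is missing a relative pronoun (`... Module that currently has four ...`); worth fixing while the bullet list is being edited.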
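Review bot: the rewritten NoSUID paragraph in the second AltHa.rst hunk carries forward `programms` (twice) and `except explicitly listed`; since the `+` line replaces the whole paragraph anyway, change them to `programs` and `except the explicitly listed ones`. The updated `kernel.altha.nosuid.exceptions` line now describes the list as holding `SUID and setcap binaries`; if a listed path is exempt from both checks at once (there is only one list), say so explicitly so operators do not expect to whitelist a binary for one mechanism but not the other.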
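Review bot: in the `@@ -241,6 +242,7 @@` hunk of altha_lsm.c, `char *setuidcap_str = "setuid";` points at a string literal and should be `const char *setuidcap_str = "setuid";`; writing through a non-const pointer to a literal is undefined behaviour and recent compilers warn about the conversion. Reassigning it to another literal such as `"setcap"` for the log message still works with `const char *`.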
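Review bot: in the `@@ -267,11 +269,37 @@` hunk, replacing `if (unlikely(nosuid_enabled && !uid_eq(bprm->cred->uid, bprm->cred->euid)))` with `if (nosuid_enabled)` means the block is now entered on every exec while the sysctl is on, not only when the effective uid differs. Keep the `path_buffer` allocation and path lookup behind the new `is_setuid`/`is_setcap` test so ordinary execs do not pay for them, and put `unlikely()` on that inner test instead. Also, `swtiching` in the new comment should be `switching`.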
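As an added example that is not part of the patch or of the AltHa tree: a POSIX shell audit that enumerates the two kinds of privilege-raising binaries the commit message talks about, setuid files and files carrying capabilities, under a directory and reports the ones not covered by an exception list in the colon-separated format the documentation hunk gives for `kernel.altha.nosuid.exceptions`. It assumes `getcap` from libcap is installed for the capability side (without it that list is simply empty); the directory tree built in `demo` is constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not code from the patch or from the AltHa tree): list
# binaries under a directory that can raise privileges in the two ways
# altha.nosuid covers, the setuid bit and file capabilities, and show which
# of them are absent from a colon-separated exception list shaped like the
# value of kernel.altha.nosuid.exceptions, e.g. "/bin/su:/usr/libexec/...".

# Regular files under $1 with the setuid bit set, one per line.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Regular files under $1 that carry file capabilities, one per line.
# Assumption: getcap(8) from libcap is installed; otherwise the list is empty.
find_setcap() {
    if command -v getcap >/dev/null 2>&1; then
        # getcap -r prints "<path> <caps>" (older libcap: "<path> = <caps>");
        # keep only the path.
        getcap -r "$1" 2>/dev/null | sed 's/ .*//' | sort
    fi
}

# Succeed when path $1 is one of the entries of the colon-separated list $2.
in_exceptions() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print "setuid <path>" or "setcap <path>" for every privileged file under
# $1 that is not in exception list $2: with nosuid enabled these are the
# binaries whose bits the LSM ignores.
audit_nosuid() {
    {
        find_setuid "$1" | sed 's/^/setuid /'
        find_setcap "$1" | sed 's/^/setcap /'
    } | while read -r kind path; do
        in_exceptions "$path" "$2" || printf '%s %s\n' "$kind" "$path"
    done
}

# Constructed demo tree: two setuid files, one of them whitelisted the way
# /bin/su is in the documentation example, plus a plain binary. The scratch
# root is stripped from the output so the result is stable.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/su";        chmod 4755 "$root/bin/su"
    : > "$root/usr/bin/tool";  chmod 4755 "$root/usr/bin/tool"
    : > "$root/usr/bin/plain"; chmod 0755 "$root/usr/bin/plain"
    audit_nosuid "$root" "$root/bin/su" | sed "s|$root||"
    rm -rf "$root"
}

# demo prints: setuid /usr/bin/tool
```

On an AltHa host, `audit_nosuid / "$(sysctl -n kernel.altha.nosuid.exceptions)"` lists the binaries whose setuid bits or capabilities will stop taking effect once `kernel.altha.nosuid.enabled` is set to 1, which is the list to review before enabling the submodule rather than after.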