From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vseleznv@altlinux.org>
Date: Fri, 29 Apr 2022 02:24:16 +0300
From: "Vladimir D. Seleznev" <vseleznv@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Message-ID: <YmsiICxfIkdC4TyD@portlab>
References: <20220426094733.1872052-1-vseleznv@altlinux.org>
 <20220426094733.1872052-2-vseleznv@altlinux.org>
 <20220426210944.zio64lx5gg3ayq52@altlinux.org>
 <YmphnLHk5K+81M9g@portlab>
 <20220428221847.nt5wpvlbo6p4w3us@altlinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20220428221847.nt5wpvlbo6p4w3us@altlinux.org>
Subject: Re: [d-kernel] [PATCH] AltHa: nosuid handles capabilities as well
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
 <devel-kernel@lists.altlinux.org>
List-Id: ALT Linux kernel packages development
 <devel-kernel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel-kernel>
List-Post: <mailto:devel-kernel@lists.altlinux.org>
List-Help: <mailto:devel-kernel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 23:24:16 -0000
Archived-At: <http://lore.altlinux.org/devel-kernel/YmsiICxfIkdC4TyD@portlab/>
List-Archive: <http://lore.altlinux.org/devel-kernel/>
List-Post: <mailto:devel-kernel@altlinux.org>

On Fri, Apr 29, 2022 at 01:18:47AM +0300, Vitaly Chikunov wrote:
> On Thu, Apr 28, 2022 at 12:42:52PM +0300, Vladimir D. Seleznev wrote:
> > On Wed, Apr 27, 2022 at 12:09:44AM +0300, Vitaly Chikunov wrote:
> > > Vladimir,
> > > 
> > > On Tue, Apr 26, 2022 at 09:47:33AM +0000, Vladimir D. Seleznev wrote:
> > > > Signed-off-by: Vladimir D. Seleznev <vseleznv@altlinux.org>
> > > > ---
> > > >  Documentation/admin-guide/LSM/AltHa.rst |  6 ++--
> > > >  security/altha/altha_lsm.c              | 37 ++++++++++++++++++++-----
> > > >  2 files changed, 33 insertions(+), 10 deletions(-)
> > > > 
> > > > diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst
> > > > index be698709d3f0..beda40601c9e 100644
> > > > --- a/Documentation/admin-guide/LSM/AltHa.rst
> > > > +++ b/Documentation/admin-guide/LSM/AltHa.rst
> > > > @@ -3,7 +3,7 @@ AltHa
> > > >  ====
> > > >  
> > > >  AltHa is a Linux Security Module currently has three userspace hardening options:
> > > > -    * ignore SUID on binaries (with exceptions possible);
> > > > +    * ignore SUID and setcaps on binaries (with exceptions possible);
> > > >      * prevent running selected script interpreters in interactive mode;
> > > >      * disable open file unlinking in selected dirs.
> > > >      * enable kiosk mode
> > > > @@ -15,12 +15,12 @@ through sysctls in ``/proc/sys/kernel/altha``.
> > > >  
> > > >  NoSUID
> > > >  ============
> > > > -Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitly listed are system-wide ignored.
> > > > +Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID and setcap binaries. When this submodule is enabled, SUID and setcap bits on all binaries except explicitly listed are system-wide ignored.
> > > >  
> > > >  Sysctl parameters and defaults:
> > > >  
> > > >  * ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable
> > > > -* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
> > > > +* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID and setcap binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
> > > >  
> > > >  RestrScript
> > > >  ============
> > > > diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
> > > > index c670ad7ed458..5f0505a51644 100644
> > > > --- a/security/altha/altha_lsm.c
> > > > +++ b/security/altha/altha_lsm.c
> > > > @@ -11,6 +11,7 @@
> > > >  
> > > >  #include <linux/lsm_hooks.h>
> > > >  #include <linux/cred.h>
> > > > +#include <linux/capability.h>
> > > >  #include <linux/sysctl.h>
> > > >  #include <linux/binfmts.h>
> > > >  #include <linux/file.h>
> > > > @@ -237,10 +238,20 @@ int is_olock_dir(struct inode *inode)
> > > >  	return 0;
> > > >  }
> > > >  
> > > > +static int has_any_caps(struct cred *cred)
> > > > +{
> > > > +	return !cap_isclear(cred->cap_permitted) ||
> > > > +	       !cap_isclear(cred->cap_effective);
> > > > +
> > > > +	return 0;
> > > > +}
> > > > +
> > > >  /* Hooks */
> > > >  static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi)
> > > >  {
> > > >  	struct altha_list_struct *node;
> > > > +	int is_set_caps = 0;
> > > > +	char *set_uid_cap = "setuid";
> > > >  	/* when it's not a shebang issued script interpreter */
> > > >  	if (rstrscript_enabled && bprm->executable == bprm->interpreter) {
> > > >  		char *path_p;
> > > > @@ -267,11 +278,18 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
> > > >  		up_read(&interpreters_sem);
> > > >  		kfree(path_buffer);
> > > >  	}
> > > > -	if (unlikely(nosuid_enabled &&
> > > > -		     !uid_eq(bprm->cred->uid, bprm->cred->euid))) {
> > > > +	if (nosuid_enabled) {
> > > >  		char *path_p;
> > > >  		char *path_buffer;
> > > >  		uid_t cur_uid;
> > > > +		uid_t cur_euid = from_kuid(bprm->cred->user_ns, bprm->cred->euid);
> > > > +		/* Check for any caps for non-superuser. */
> > > > +		if (cur_euid != (uid_t) 0
> > > > +		   && has_any_caps(bprm->cred)) {
> > > 
> > > Логика этого не понятна. Было бы неплохо чтоб она была пояснена в
> > > комментариях чтоб и простые люди могли её понять.
> > > 
> > > Почему caps проверяются только для non-superuser? Ведь и superuser может
> > > сбрасывать capabilities. У superuser может не быть каких-то capabilities
> > > вплоть до никаких, кроме его uid 0. Следовательно, установка new
> > > capabilities не должна зависеть от uid.
> > 
> > Вероятно, сбрасывать caps следует и для процессов с euid == 0, а
> > проверять для них их наличие полагаю излишним.
> > 
> > > Далее, capabilities могут устанавливаться не все, но если в этой
> > > проверке были обнаружены capabilities, то далее suid игнорируются
> > > и не сбрасываются если они были. Что будет если установлены
> > > одновременно и setcap, и suid?
> > 
> > Не понял этой мысли, по коду caps проверяются только есть *не* был
> > обнаружен suid.
> 
> Почему?

А зачем иначе? Тем более, что cap'ы сбрасываются безусловно.

-- 
   WBR,
   Vladimir D. Seleznev