Date: Fri, 29 Apr 2022 02:24:16 +0300
From: "Vladimir D. Seleznev"
To: ALT Linux kernel packages development
References: <20220426094733.1872052-1-vseleznv@altlinux.org> <20220426094733.1872052-2-vseleznv@altlinux.org> <20220426210944.zio64lx5gg3ayq52@altlinux.org> <20220428221847.nt5wpvlbo6p4w3us@altlinux.org>
In-Reply-To: <20220428221847.nt5wpvlbo6p4w3us@altlinux.org>
Subject: Re: [d-kernel] [PATCH] AltHa: nosuid handles capabilities as well
List-Id: ALT Linux kernel packages development

On Fri, Apr 29, 2022 at 01:18:47AM +0300, Vitaly Chikunov wrote:
> On Thu, Apr 28, 2022 at 12:42:52PM +0300, Vladimir D. Seleznev wrote:
> > On Wed, Apr 27, 2022 at 12:09:44AM +0300, Vitaly Chikunov wrote:
> > > Vladimir,
> > >
> > > On Tue, Apr 26, 2022 at 09:47:33AM +0000, Vladimir D. Seleznev wrote:
> > > > Signed-off-by: Vladimir D. Seleznev > > > > --- > > > > Documentation/admin-guide/LSM/AltHa.rst | 6 ++-- > > > > security/altha/altha_lsm.c | 37 ++++++++++++++++++++----- > > > > 2 files changed, 33 insertions(+), 10 deletions(-) > > > > > > > > diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst > > > > index be698709d3f0..beda40601c9e 100644 > > > > --- a/Documentation/admin-guide/LSM/AltHa.rst > > > > +++ b/Documentation/admin-guide/LSM/AltHa.rst
> > > > @@ -3,7 +3,7 @@ AltHa > > > > ==== > > > > > > > > AltHa is a Linux Security Module currently has three userspace hardening options: > > > > - * ignore SUID on binaries (with exceptions possible); > > > > + * ignore SUID and setcaps on binaries (with exceptions possible); > > > > * prevent running selected script interpreters in interactive mode; > > > > * disable open file unlinking in selected dirs. > > > > * enable kiosk mode 
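Review bot: the new bullet "ignore SUID and setcaps on binaries" names something that does not exist as a bit; what the module ignores are file capabilities carried in the security.capability xattr, so "ignore SUID bits and file capabilities on binaries (with exceptions possible)" would be accurate. While this list is being touched, the context line above it says "currently has three userspace hardening options" but four bullets follow, and it should read "is a Linux Security Module that currently has four".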
> > > > @@ -15,12 +15,12 @@ through sysctls in ``/proc/sys/kernel/altha``. > > > > > > > > NoSUID > > > > ============ > > > > -Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitly listed are system-wide ignored. > > > > +Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there are plenty of them: uncounted and sometimes unnecessary. Privileged programms are always an attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enough granularity in SUID binaries management. This LSM module provides a single control point for all SUID and setcap binaries. When this submodule is enabled, SUID and setcap bits on all binaries except explicitly listed are system-wide ignored. > > > > > > > > Sysctl parameters and defaults: > > > > > > > > * ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable > > > > -* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv`` > > > > +* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID and setcap binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv`` > > > > > > > > RestrScript > > > > ============ > > > > diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c > > > > index c670ad7ed458..5f0505a51644 100644 > > > > --- a/security/altha/altha_lsm.c 
> > > > +++ b/security/altha/altha_lsm.c > > > > @@ -11,6 +11,7 @@ > > > > > > > > #include > > > > #include > > > > +#include > > > > #include > > > > #include > > > > #include > > > > @@ -237,10 +238,20 @@ int is_olock_dir(struct inode *inode) > > > > return 0; > > > > } > > > > > > > > +static int has_any_caps(struct cred *cred) > > > > +{ > > > > + return !cap_isclear(cred->cap_permitted) || > > > > + !cap_isclear(cred->cap_effective); > > > > + > > > > + return 0; > > > > +} > > > > + > > > > /* Hooks */ > > > > static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi) > > > > { > > > > struct altha_list_struct *node; > > > > + int is_set_caps = 0; > > > > + char *set_uid_cap = "setuid"; > > > > /* when it's not a shebang issued script interpreter */ > > > > if (rstrscript_enabled && bprm->executable == bprm->interpreter) { > > > > char *path_p; 
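Review bot: has_any_caps() has an unreachable `return 0;` after its only return statement; drop it, and since the function only reads the cred it can be `static bool has_any_caps(const struct cred *cred)`. More importantly, the test inspects bprm->cred's permitted and effective sets, which at this hook already reflect capabilities the new process keeps from its parent through the ambient set, not only those granted by the executable's security.capability xattr. If the intent is to treat setcap binaries the way SUID binaries are treated, check the file capability itself (for example via get_vfs_caps_from_disk()); otherwise the comment and the NoSUID documentation should state that inherited capabilities are dropped as well.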
> > > > @@ -267,11 +278,18 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f > > > > up_read(&interpreters_sem); > > > > kfree(path_buffer); > > > > } > > > > - if (unlikely(nosuid_enabled && > > > > - !uid_eq(bprm->cred->uid, bprm->cred->euid))) { > > > > + if (nosuid_enabled) { > > > > char *path_p; > > > > char *path_buffer; > > > > uid_t cur_uid; > > > > + uid_t cur_euid = from_kuid(bprm->cred->user_ns, bprm->cred->euid); > > > > + /* Check for any caps for non-superuser. */ > > > > + if (cur_euid != (uid_t) 0 > > > > && has_any_caps(bprm->cred)) {
> > >
> > > The logic of this is not clear. It would be good to have it explained in
> > > comments so that ordinary people could understand it too.
> > >
> > > Why are caps checked only for the non-superuser? After all, the superuser
> > > can drop capabilities too. The superuser may lack some capabilities, up to
> > > having none at all apart from its uid 0. Consequently, setting new
> > > capabilities should not depend on the uid.
> >
> > Probably caps should be dropped for processes with euid == 0 as well, but
> > I consider checking whether they have any to be redundant.
> >
> > > Further, not all capabilities may be set, but if capabilities were found
> > > by this check, then suid is ignored from there on and is not dropped if it
> > > was set. What happens if both setcap and suid are set at the same time?
> >
> > I did not understand this point; according to the code, caps are checked
> > only if suid was *not* detected.
>
> Why?

And what would be the point otherwise? All the more so since the caps are
dropped unconditionally.

-- 
WBR,
Vladimir D. Seleznev
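Review bot: `cur_euid != (uid_t) 0` is computed with from_kuid(bprm->cred->user_ns, ...), so euid 0 inside an unprivileged user namespace also maps to 0 and skips the capability check; if the intent is the real superuser, compare kuids directly with `uid_eq(bprm->cred->euid, GLOBAL_ROOT_UID)`, in the style of the `uid_eq(bprm->cred->uid, bprm->cred->euid)` test this hunk removes. Removing that uid/euid comparison also turns the guard into a bare `if (nosuid_enabled)`, so whatever the block does below (a path lookup and exception handling, judging by the path_p/path_buffer/cur_uid variables kept) now runs on every exec rather than only on privilege-changing ones; the hunk is cut at this point, so whether the SUID test moved inside is not visible, and a comment on the intended SUID/setcap interplay, as Vitaly asked, would settle that.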