From patchwork Wed Jun 1 19:27:02 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9148065
From: Casey Schaufler
Subject: [PATCH] LSM: Reorder security_capset to do access checks properly
To: LSM, James Morris
Cc: LKLM, SE Linux
Message-ID: <0243a591-a6e1-8827-3f03-884c3ad331d0@schaufler-ca.com>
Date: Wed, 1 Jun 2016 12:27:02 -0700

The security module hooks that check whether a process should be able to set a new capset are currently called after the new values are set in cap_capset(). This change reverses the order. The capability module no longer adds cap_capset to the module list. Instead, it is invoked directly by the LSM infrastructure. This isn't an approach that generalizes well.

Signed-off-by: Casey Schaufler

--- security/commoncap.c | 2 +- security/security.c | 24 ++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index 48071ed..f5bce18 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1073,7 +1073,7 @@ struct security_hook_list capability_hooks[] = { LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme), LSM_HOOK_INIT(capget, cap_capget), - LSM_HOOK_INIT(capset, cap_capset), + /* Carefull! Do not include cap_capset! */ LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds), LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec), LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv), diff --git a/security/security.c b/security/security.c index 92cd1d8..1610be8 100644 --- a/security/security.c +++ b/security/security.c
@@ -177,8 +177,28 @@ int security_capset(struct cred *new, const struct cred *old, const kernel_cap_t *inheritable, const kernel_cap_t *permitted) { - return call_int_hook(capset, 0, new, old, - effective, inheritable, permitted); + struct security_hook_list *hp; + int rc; + + /* + * Special case handling because the "new" capabilities + * should not be set until it has been determined that + * all modules approve of the change. Passing NULL pointers + * to all modules except the capabilty module as it is + * expected that only the capability modules needs the + * result pointers. + * + * cap_capset() must not be in the capability module hook list! + */ + list_for_each_entry(hp, &security_hook_heads.capset, list) { + rc = hp->hook.capset(new, old, NULL, NULL, NULL); + if (rc != 0) + return rc; + } + /* + * Call cap_capset now to update the new capset. + */ + return cap_capset(new, old, effective, inheritable, permitted); } int security_capable(const struct cred *cred, struct user_namespace *ns,
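
Review bot: The replacement comment in capability_hooks[] in security/commoncap.c ("/* Carefull! Do not include cap_capset! */") tells the next reader what not to do but not why, and "Carefull" is misspelled. Please state the reason in the comment itself: security_capset() now calls cap_capset() directly after the other modules' capset hooks have approved, so an entry registered here would be invoked from that loop with NULL capability pointers and then a second time by the direct call. Since a comment is the only thing enforcing this, it should carry enough detail that a later cleanup does not quietly restore the LSM_HOOK_INIT(capset, cap_capset) line.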
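
Review bot: In the security_capset() loop in security/security.c, "rc = hp->hook.capset(new, old, NULL, NULL, NULL);" withholds the requested sets from every module, yet inheritable and permitted are declared "const kernel_cap_t *" in the signature above, so they are inputs describing the request, not result pointers as the new comment calls them; the object that gets updated is new. With NULL passed, no module can base its decision on what is being requested, and any registered capset hook that dereferences those arguments will fault. Suggest passing effective, inheritable and permitted through unchanged to each hook and keeping only the reordering, with cap_capset() called last. The comment should also note that any validation cap_capset() performs now runs after the modules have been consulted, so a module may approve a request that cap_capset() then rejects. Minor: "capabilty" and "modules needs" in the comment are typos.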