Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux

Pull SafeSetID update from Micah Morton:
"Add additional LSM hooks for SafeSetID

SafeSetID is capable of making allow/deny decisions for set*uid calls
on a system, and we want to add similar functionality for set*gid
calls.

The work to do that is not yet complete, so probably won't make it in
for v5.8, but we are looking to get this simple patch in for v5.8
since we have it ready.

We are planning on the rest of the work for extending the SafeSetID
LSM being merged during the v5.9 merge window"

* tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux:
security: Add LSM hooks to set*gid syscalls

+40 -1
+2
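--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -191,6 +191,8 @@
 loff_t size, enum kernel_read_file_id id)
 LSM_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old,
 int flags)
+LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old,
+int flags)
 LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid)
 LSM_HOOK(int, 0, task_getpgid, struct task_struct *p)
 LSM_HOOK(int, 0, task_getsid, struct task_struct *p)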
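Review bot: The new LSM_HOOK entry writes the second parameter as `const struct cred * old`, with a space between the star and the name, while the task_fix_setuid entry directly above and every other hook in this table bind the star to the identifier; it should read `LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred *old,`. This is cosmetic, but this file is scraped by other headers as a macro table and a consistent form makes the setuid/setgid pair easy to compare at a glance. The hook table continues on both sides of the hunk.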
+9
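--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -659,6 +659,15 @@
 * @old is the set of credentials that are being replaces
 * @flags contains one of the LSM_SETID_* values.
 * Return 0 on success.
+* @task_fix_setgid:
+* Update the module's state after setting one or more of the group
+* identity attributes of the current process. The @flags parameter
+* indicates which of the set*gid system calls invoked this hook.
+* @new is the set of credentials that will be installed. Modifications
+* should be made to this rather than to @current->cred.
+* @old is the set of credentials that are being replaced.
+* @flags contains one of the LSM_SETID_* values.
+* Return 0 on success.
 * @task_setpgid:
 * Check permission before setting the process group identifier of the
 * process @p to @pgid.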
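Review bot: The new @task_fix_setgid text describes the hook as updating module state "after setting" the group identity and ends with "Return 0 on success", but the kernel/sys.c hunks in this same commit jump to `error:` and never reach commit_creds() when the hook returns a negative value, so in practice it is a veto point and an LSM author reading only this comment would not know that. Suggest replacing the last line with `* Return 0 to allow the change; a negative errno makes the set*gid call fail and discards @new.` The wording was copied from @task_fix_setuid, which has the same gap and could be tightened in a follow-up. The surrounding comment block extends past both edges of the hunk.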
+9
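--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -392,6 +392,8 @@
 enum kernel_read_file_id id);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
 int flags);
+int security_task_fix_setgid(struct cred *new, const struct cred *old,
+int flags);
 int security_task_setpgid(struct task_struct *p, pid_t pgid);
 int security_task_getpgid(struct task_struct *p);
 int security_task_getsid(struct task_struct *p);
@@ -1036,6 +1034,13 @@
 int flags)
 {
 return cap_task_fix_setuid(new, old, flags);
+}
+
+static inline int security_task_fix_setgid(struct cred *new,
+const struct cred *old,
+int flags)
+{
+return 0;
 }
 
 static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)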
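Review bot: In the second hunk the CONFIG_SECURITY=n stub for security_task_fix_setgid() returns 0 unconditionally, while its setuid sibling immediately above delegates to cap_task_fix_setuid(); without a comment a reader will reasonably suspect a missing cap_task_fix_setgid() call. If the reason is that the capability code keeps no gid-dependent state (which commoncap would confirm), say so on the stub: `/* No capability state depends on the group IDs, so there is no cap_ fixup equivalent of cap_task_fix_setuid(). */`. The added prototype in the first hunk matches the setuid prototype exactly. Both hunks cut through surrounding blocks (presumably the CONFIG_SECURITY conditional) that lie outside this view.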
+14 -1
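--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -393,6 +393,10 @@
 new->sgid = new->egid;
 new->fsgid = new->egid;
 
+retval = security_task_fix_setgid(new, old, LSM_SETID_RE);
+if (retval < 0)
+goto error;
+
 return commit_creds(new);
 
 error:
@@ -437,6 +433,10 @@
 else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
 new->egid = new->fsgid = kgid;
 else
+goto error;
+
+retval = security_task_fix_setgid(new, old, LSM_SETID_ID);
+if (retval < 0)
 goto error;
 
 return commit_creds(new);
@@ -764,6 +756,10 @@
 new->sgid = ksgid;
 new->fsgid = new->egid;
 
+retval = security_task_fix_setgid(new, old, LSM_SETID_RES);
+if (retval < 0)
+goto error;
+
 return commit_creds(new);
 
 error:
@@ -874,7 +862,8 @@
 ns_capable(old->user_ns, CAP_SETGID)) {
 if (!gid_eq(kgid, old->fsgid)) {
 new->fsgid = kgid;
-goto change_okay;
+if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)
+goto change_okay;
 }
 }
 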
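Review bot: The four call sites do not agree on what counts as a rejection: the setregid/setgid/setresgid hunks test `retval < 0`, but the setfsgid hunk tests `== 0`, so a hook that returns a positive value would be allowed at three sites and silently refused at the fourth, and in that fourth site the refusal is implicit because control simply falls out of the if-block and depends on code after the hunk aborting `new`, which already carries the updated fsgid. Suggest the explicit form there too, `retval = security_task_fix_setgid(new, old, LSM_SETID_FS); if (retval == 0) goto change_okay;` (or `< 0` to match the others), which also fixes the missing spaces in `new,old,LSM_SETID_FS`, with a one-line `/* hook refused the change: fall through and abort new */` if the fall-through is kept. As far as these hunks show, only the four set*gid syscalls are covered; if SafeSetID is meant to police every group-identity change, the supplementary group list set via setgroups() is not routed through this hook and presumably needs its own handling in the follow-up series. All four enclosing functions, their `error:` labels and `change_okay:` start and end outside the hunks.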
+6
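--- a/security/security.c
+++ b/security/security.c
@@ -1696,6 +1696,12 @@
 return call_int_hook(task_fix_setuid, 0, new, old, flags);
 }
 
+int security_task_fix_setgid(struct cred *new, const struct cred *old,
+int flags)
+{
+return call_int_hook(task_fix_setgid, 0, new, old, flags);
+}
+
 int security_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 return call_int_hook(task_setpgid, 0, p, pgid);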