Merge tag 'safesetid-6.0' of https://github.com/micah-morton/linux

Pull SafeSetID updates from Micah Morton: "This contains one commit that touches common kernel code, one that adds functionality internal to the SafeSetID LSM code, and a few other commits that only modify the SafeSetID LSM selftest. The commit that touches common kernel code simply adds an LSM hook in the setgroups() syscall that mirrors what is done for the existing LSM hooks in the setuid() and setgid() syscalls. This commit combined with the SafeSetID-specific one allow the LSM to filter setgroups() calls according to configured rule sets in the same way that is already done for setuid() and setgid()" * tag 'safesetid-6.0' of https://github.com/micah-morton/linux: LSM: SafeSetID: add setgroups() testing to selftest LSM: SafeSetID: Add setgroups() security policy handling security: Add LSM hook to setgroups() syscall LSM: SafeSetID: add GID testing to selftest LSM: SafeSetID: selftest cleanup and prepare for GIDs LSM: SafeSetID: fix userns bug in selftest

Merge tag 'safesetid-6.0' of https://github.com/micah-morton/linux
Pull SafeSetID updates from Micah Morton: "This contains one commit that touches common kernel code, one that adds functionality internal to the SafeSetID LSM code, and a few other commits that only modify the SafeSetID LSM selftest. The commit that touches common kernel code simply adds an LSM hook in the setgroups() syscall that mirrors what is done for the existing LSM hooks in the setuid() and setgid() syscalls. This commit combined with the SafeSetID-specific one allow the LSM to filter setgroups() calls according to configured rule sets in the same way that is already done for setuid() and setgid()" * tag 'safesetid-6.0' of https://github.com/micah-morton/linux: LSM: SafeSetID: add setgroups() testing to selftest LSM: SafeSetID: Add setgroups() security policy handling security: Add LSM hook to setgroups() syscall LSM: SafeSetID: add GID testing to selftest LSM: SafeSetID: selftest cleanup and prepare for GIDs LSM: SafeSetID: fix userns bug in selftest
87fe1adb · Linus Torvalds · ea7099d5 · 64b63483 · 87fe1adb · 87fe1adb
Commit 87fe1adb authored Aug 02, 2022 by Linus Torvalds
8 changed files
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -201,6 +201,7 @@ LSM_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old,
 	 int flags)
 LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old,
 	 int flags)
+LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old)
 LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid)
 LSM_HOOK(int, 0, task_getpgid, struct task_struct *p)
 LSM_HOOK(int, 0, task_getsid, struct task_struct *p)

--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -702,6 +702,13 @@
 *	@old is the set of credentials that are being replaced.
 *	@flags contains one of the LSM_SETID_* values.
 *	Return 0 on success.
+ * @task_fix_setgroups:
+ *	Update the module's state after setting the supplementary group
+ *	identity attributes of the current process.
+ *	@new is the set of credentials that will be installed.  Modifications
+ *	should be made to this rather than to @current->cred.
+ *	@old is the set of credentials that are being replaced.
+ *	Return 0 on success.
 * @task_setpgid:
 *	Check permission before setting the process group identifier of the
 *	process @p to @pgid.

--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -416,6 +416,7 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old,
 			     int flags);
 int security_task_fix_setgid(struct cred *new, const struct cred *old,
 			     int flags);
+int security_task_fix_setgroups(struct cred *new, const struct cred *old);
 int security_task_setpgid(struct task_struct *p, pid_t pgid);
 int security_task_getpgid(struct task_struct *p);
 int security_task_getsid(struct task_struct *p);
@@ -1100,6 +1101,12 @@ static inline int security_task_fix_setgid(struct cred *new,
 	return 0;
 }

+static inline int security_task_fix_setgroups(struct cred *new,
+					   const struct cred *old)
+{
+	return 0;
+}
+
 static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return 0;

--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -134,13 +134,26 @@ EXPORT_SYMBOL(set_groups);
 int set_current_groups(struct group_info *group_info)
 {
 	struct cred *new;
+	const struct cred *old;
+	int retval;

 	new = prepare_creds();
 	if (!new)
 		return -ENOMEM;

+	old = current_cred();
+
 	set_groups(new, group_info);
+
+	retval = security_task_fix_setgroups(new, old);
+	if (retval < 0)
+		goto error;
+
 	return commit_creds(new);
+
+error:
+	abort_creds(new);
+	return retval;
 }

 EXPORT_SYMBOL(set_current_groups);

--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -97,15 +97,9 @@ static int safesetid_security_capable(const struct cred *cred,
 		return 0;

 	/*
-	 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to
-	 * let it go through here; the real security check happens later, in the
-	 * task_fix_set{u/g}id hook.
-         *
-         * NOTE:
-         * Until we add support for restricting setgroups() calls, GID security
-         * policies offer no meaningful security since we always return 0 here
-         * when called from within the setgroups() syscall and there is no
-         * additional hook later on to enforce security policies for setgroups().
+	 * If CAP_SET{U/G}ID is currently used for a setid or setgroups syscall, we
+	 * want to let it go through here; the real security check happens later, in
+	 * the task_fix_set{u/g}id or task_fix_setgroups hooks.
 	 */
 	if ((opts & CAP_OPT_INSETID) != 0)
 		return 0;
@@ -241,9 +235,36 @@ static int safesetid_task_fix_setgid(struct cred *new,
 	return -EACCES;
 }

+static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)
+{
+	int i;
+
+	/* Do nothing if there are no setgid restrictions for our old RGID. */
+	if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)
+		return 0;
+
+	get_group_info(new->group_info);
+	for (i = 0; i < new->group_info->ngroups; i++) {
+		if (!id_permitted_for_cred(old, (kid_t){.gid = new->group_info->gid[i]}, GID)) {
+			put_group_info(new->group_info);
+			/*
+			 * Kill this process to avoid potential security vulnerabilities
+			 * that could arise from a missing allowlist entry preventing a
+			 * privileged process from dropping to a lesser-privileged one.
+			 */
+			force_sig(SIGKILL);
+			return -EACCES;
+		}
+	}
+
+	put_group_info(new->group_info);
+	return 0;
+}
+
 static struct security_hook_list safesetid_security_hooks[] = {
 	LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
 	LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
+	LSM_HOOK_INIT(task_fix_setgroups, safesetid_task_fix_setgroups),
 	LSM_HOOK_INIT(capable, safesetid_security_capable)
 };


--- a/security/security.c
+++ b/security/security.c
@@ -1804,6 +1804,11 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old,
 	return call_int_hook(task_fix_setgid, 0, new, old, flags);
 }

+int security_task_fix_setgroups(struct cred *new, const struct cred *old)
+{
+	return call_int_hook(task_fix_setgroups, 0, new, old);
+}
+
 int security_task_setpgid(struct task_struct *p, pid_t pgid)
 {
 	return call_int_hook(task_setpgid, 0, p, pgid);

--- a/tools/testing/selftests/safesetid/Makefile
+++ b/tools/testing/selftests/safesetid/Makefile
 # SPDX-License-Identifier: GPL-2.0
-# Makefile for mount selftests.
+# Makefile for SafeSetID selftest.
 CFLAGS = -Wall -O2
 LDLIBS = -lcap


--- a/tools/testing/selftests/safesetid/safesetid-test.c
+++ b/tools/testing/selftests/safesetid/safesetid-test.c