b7ed698cc9
8 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
David Howells
|
ee18d64c1f |
KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]
Add a keyctl to install a process's session keyring onto its parent. This replaces the parent's session keyring. Because the COW credential code does not permit one process to change another process's credentials directly, the change is deferred until userspace next starts executing again. Normally this will be after a wait*() syscall. To support this, three new security hooks have been provided: cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in the blank security creds and key_session_to_parent() - which asks the LSM if the process may replace its parent's session keyring. The replacement may only happen if the process has the same ownership details as its parent, and the process has LINK permission on the session keyring, and the session keyring is owned by the process, and the LSM permits it. Note that this requires alteration to each architecture's notify_resume path. This has been done for all arches barring blackfin, m68k* and xtensa, all of which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the replacement to be performed at the point the parent process resumes userspace execution. This allows the userspace AFS pioctl emulation to fully emulate newpag() and the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to alter the parent process's PAG membership. However, since kAFS doesn't use PAGs per se, but rather dumps the keys into the session keyring, the session keyring of the parent must be replaced if, for example, VIOCSETTOK is passed the newpag flag. This can be tested with the following program: #include <stdio.h> #include <stdlib.h> #include <keyutils.h> #define KEYCTL_SESSION_TO_PARENT 18 #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0) int main(int argc, char **argv) { key_serial_t keyring, key; long ret; keyring = keyctl_join_session_keyring(argv[1]); OSERROR(keyring, "keyctl_join_session_keyring"); key = add_key("user", "a", "b", 1, keyring); OSERROR(key, "add_key"); ret = keyctl(KEYCTL_SESSION_TO_PARENT); OSERROR(ret, "KEYCTL_SESSION_TO_PARENT"); return 0; } Compiled and linked with -lkeyutils, you should see something like: [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 355907932 --alswrv 4043 -1 \_ keyring: _uid.4043 [dhowells@andromeda ~]$ /tmp/newpag [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 1055658746 --alswrv 4043 4043 \_ user: a [dhowells@andromeda ~]$ /tmp/newpag hello [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: hello 340417692 --alswrv 4043 4043 \_ user: a Where the test program creates a new session keyring, sticks a user key named 'a' into it and then installs it on its parent. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> |
||
Tetsuo Handa
|
56f8c9bc41 |
TOMOYO: Remove next_domain from tomoyo_find_next_domain().
We can update bprm->cred->security inside tomoyo_find_next_domain(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org> |
||
Tetsuo Handa
|
c3fa109a58 |
TOMOYO: Add description of lists and structures.
This patch adds some descriptions of lists and structures. This patch contains no code changes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org> |
||
Herton Ronaldo Krzesinski
|
b1338d199d |
tomoyo: add missing call to cap_bprm_set_creds
cap_bprm_set_creds() has to be called from security_bprm_set_creds(). TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds() and suid executables were not being working. Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials properly inside tomoyo_bprm_set_creds(). Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org> |
||
Tetsuo Handa
|
39826a1e17 |
tomoyo: version bump to 2.2.0.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> |
||
Tetsuo Handa
|
1581e7ddbd |
TOMOYO: Do not call tomoyo_realpath_init unless registered.
tomoyo_realpath_init() is unconditionally called by security_initcall(). But nobody will use realpath related functions if TOMOYO is not registered. So, let tomoyo_init() call tomoyo_realpath_init(). This patch saves 4KB of memory allocation if TOMOYO is not registered. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> |
||
Tetsuo Handa
|
35d50e60e8 |
tomoyo: fix sparse warning
Fix sparse warning.
$ make C=2 SUBDIRS=security/tomoyo CF="-D__cold__="
CHECK security/tomoyo/common.c
CHECK security/tomoyo/realpath.c
CHECK security/tomoyo/tomoyo.c
security/tomoyo/tomoyo.c:110:8: warning: symbol 'buf' shadows an earlier one
security/tomoyo/tomoyo.c💯7: originally declared here
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
|
||
Kentaro Takeda
|
f743324377 |
LSM adapter functions.
DAC's permissions and TOMOYO's permissions are not one-to-one mapping. Regarding DAC, there are "read", "write", "execute" permissions. Regarding TOMOYO, there are "allow_read", "allow_write", "allow_read/write", "allow_execute", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite", "allow_link", "allow_rename" permissions. +----------------------------------+----------------------------------+ | requested operation | required TOMOYO's permission | +----------------------------------+----------------------------------+ | sys_open(O_RDONLY) | allow_read | +----------------------------------+----------------------------------+ | sys_open(O_WRONLY) | allow_write | +----------------------------------+----------------------------------+ | sys_open(O_RDWR) | allow_read/write | +----------------------------------+----------------------------------+ | open_exec() from do_execve() | allow_execute | +----------------------------------+----------------------------------+ | open_exec() from !do_execve() | allow_read | +----------------------------------+----------------------------------+ | sys_read() | (none) | +----------------------------------+----------------------------------+ | sys_write() | (none) | +----------------------------------+----------------------------------+ | sys_mmap() | (none) | +----------------------------------+----------------------------------+ | sys_uselib() | allow_read | +----------------------------------+----------------------------------+ | sys_open(O_CREAT) | allow_create | +----------------------------------+----------------------------------+ | sys_open(O_TRUNC) | allow_truncate | +----------------------------------+----------------------------------+ | sys_truncate() | allow_truncate | +----------------------------------+----------------------------------+ | sys_ftruncate() | allow_truncate | +----------------------------------+----------------------------------+ | sys_open() without O_APPEND | allow_rewrite | +----------------------------------+----------------------------------+ | setfl() without O_APPEND | allow_rewrite | +----------------------------------+----------------------------------+ | sys_sysctl() for writing | allow_write | +----------------------------------+----------------------------------+ | sys_sysctl() for reading | allow_read | +----------------------------------+----------------------------------+ | sys_unlink() | allow_unlink | +----------------------------------+----------------------------------+ | sys_mknod(S_IFREG) | allow_create | +----------------------------------+----------------------------------+ | sys_mknod(0) | allow_create | +----------------------------------+----------------------------------+ | sys_mknod(S_IFIFO) | allow_mkfifo | +----------------------------------+----------------------------------+ | sys_mknod(S_IFSOCK) | allow_mksock | +----------------------------------+----------------------------------+ | sys_bind(AF_UNIX) | allow_mksock | +----------------------------------+----------------------------------+ | sys_mknod(S_IFBLK) | allow_mkblock | +----------------------------------+----------------------------------+ | sys_mknod(S_IFCHR) | allow_mkchar | +----------------------------------+----------------------------------+ | sys_symlink() | allow_symlink | +----------------------------------+----------------------------------+ | sys_mkdir() | allow_mkdir | +----------------------------------+----------------------------------+ | sys_rmdir() | allow_rmdir | +----------------------------------+----------------------------------+ | sys_link() | allow_link | +----------------------------------+----------------------------------+ | sys_rename() | allow_rename | +----------------------------------+----------------------------------+ TOMOYO requires "allow_execute" permission of a pathname passed to do_execve() but does not require "allow_read" permission of that pathname. Let's consider 3 patterns (statically linked, dynamically linked, shell script). This description is to some degree simplified. $ cat hello.c #include <stdio.h> int main() { printf("Hello\n"); return 0; } $ cat hello.sh #! /bin/sh echo "Hello" $ gcc -static -o hello-static hello.c $ gcc -o hello-dynamic hello.c $ chmod 755 hello.sh Case 1 -- Executing hello-static from bash. (1) The bash process calls fork() and the child process requests do_execve("hello-static"). (2) The kernel checks "allow_execute hello-static" from "bash" domain. (3) The kernel calculates "bash hello-static" as the domain to transit to. (4) The kernel overwrites the child process by "hello-static". (5) The child process transits to "bash hello-static" domain. (6) The "hello-static" starts and finishes. Case 2 -- Executing hello-dynamic from bash. (1) The bash process calls fork() and the child process requests do_execve("hello-dynamic"). (2) The kernel checks "allow_execute hello-dynamic" from "bash" domain. (3) The kernel calculates "bash hello-dynamic" as the domain to transit to. (4) The kernel checks "allow_read ld-linux.so" from "bash hello-dynamic" domain. I think permission to access ld-linux.so should be charged hello-dynamic program, for "hello-dynamic needs ld-linux.so" is not a fault of bash program. (5) The kernel overwrites the child process by "hello-dynamic". (6) The child process transits to "bash hello-dynamic" domain. (7) The "hello-dynamic" starts and finishes. Case 3 -- Executing hello.sh from bash. (1) The bash process calls fork() and the child process requests do_execve("hello.sh"). (2) The kernel checks "allow_execute hello.sh" from "bash" domain. (3) The kernel calculates "bash hello.sh" as the domain to transit to. (4) The kernel checks "allow_read /bin/sh" from "bash hello.sh" domain. I think permission to access /bin/sh should be charged hello.sh program, for "hello.sh needs /bin/sh" is not a fault of bash program. (5) The kernel overwrites the child process by "/bin/sh". (6) The child process transits to "bash hello.sh" domain. (7) The "/bin/sh" requests open("hello.sh"). (8) The kernel checks "allow_read hello.sh" from "bash hello.sh" domain. (9) The "/bin/sh" starts and finishes. Whether a file is interpreted as a program or not depends on an application. The kernel cannot know whether the file is interpreted as a program or not. Thus, TOMOYO treats "hello-static" "hello-dynamic" "ld-linux.so" "hello.sh" "/bin/sh" equally as merely files; no distinction between executable and non-executable. Therefore, TOMOYO doesn't check DAC's execute permission. TOMOYO checks "allow_read" permission instead. Calling do_execve() is a bold gesture that an old program's instance (i.e. current process) is ready to be overwritten by a new program and is ready to transfer control to the new program. To split purview of programs, TOMOYO requires "allow_execute" permission of the new program against the old program's instance and performs domain transition. If do_execve() succeeds, the old program is no longer responsible against the consequence of the new program's behavior. Only the new program is responsible for all consequences. But TOMOYO doesn't require "allow_read" permission of the new program. If TOMOYO requires "allow_read" permission of the new program, TOMOYO will allow an attacker (who hijacked the old program's instance) to open the new program and steal data from the new program. Requiring "allow_read" permission will widen purview of the old program. Not requiring "allow_read" permission of the new program against the old program's instance is my design for reducing purview of the old program. To be able to know whether the current process is in do_execve() or not, I want to add in_execve flag to "task_struct". Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> |