Merge tag 'safesetid-5.3' of git://github.com/micah-morton/linux

#define pr_fmt(fmt) "SafeSetID: " fmt

#include <linux/hashtable.h>

#include <linux/lsm_hooks.h>

#include <linux/module.h>

#include <linux/ptrace.h>

#include <linux/sched/task_stack.h>

#include <linux/security.h>

#include "lsm.h"

/* Flag indicating whether initialization completed */

int safesetid_initialized;

#define NUM_BITS 8 /* 128 buckets in hash table */

struct setuid_ruleset __rcu *safesetid_setuid_rules;

static DEFINE_HASHTABLE(safesetid_whitelist_hashtable, NUM_BITS);

/*

 * Hash table entry to store safesetid policy signifying that 'parent' user

 * can setid to 'child' user.

 */

struct entry {

	struct hlist_node next;

	struct hlist_node dlist; /* for deletion cleanup */

	uint64_t parent_kuid;

	uint64_t child_kuid;

};

static DEFINE_SPINLOCK(safesetid_whitelist_hashtable_spinlock);

static bool check_setuid_policy_hashtable_key(kuid_t parent)

/* Compute a decision for a transition from @src to @dst under @policy. */

enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy,

		kuid_t src, kuid_t dst)

{

	struct entry *entry;

	struct setuid_rule *rule;

	enum sid_policy_type result = SIDPOL_DEFAULT;

	rcu_read_lock();

	hash_for_each_possible_rcu(safesetid_whitelist_hashtable,

				   entry, next, __kuid_val(parent)) {

		if (entry->parent_kuid == __kuid_val(parent)) {

			rcu_read_unlock();

			return true;

	hash_for_each_possible(policy->rules, rule, next, __kuid_val(src)) {

		if (!uid_eq(rule->src_uid, src))

			continue;

		if (uid_eq(rule->dst_uid, dst))

			return SIDPOL_ALLOWED;

		result = SIDPOL_CONSTRAINED;

	}

	return result;

}

	rcu_read_unlock();

	return false;

}

static bool check_setuid_policy_hashtable_key_value(kuid_t parent,

						    kuid_t child)

/*

 * Compute a decision for a transition from @src to @dst under the active

 * policy.

 */

static enum sid_policy_type setuid_policy_lookup(kuid_t src, kuid_t dst)

{

	struct entry *entry;

	enum sid_policy_type result = SIDPOL_DEFAULT;

	struct setuid_ruleset *pol;

	rcu_read_lock();

	hash_for_each_possible_rcu(safesetid_whitelist_hashtable,

				   entry, next, __kuid_val(parent)) {

		if (entry->parent_kuid == __kuid_val(parent) &&

		    entry->child_kuid == __kuid_val(child)) {

	pol = rcu_dereference(safesetid_setuid_rules);

	if (pol)

		result = _setuid_policy_lookup(pol, src, dst);

	rcu_read_unlock();

			return true;

		}

	}

	rcu_read_unlock();

	return false;

	return result;

}

static int safesetid_security_capable(const struct cred *cred,

				      int cap,

				      unsigned int opts)

{

	if (cap == CAP_SETUID &&

	    check_setuid_policy_hashtable_key(cred->uid)) {

		if (!(opts & CAP_OPT_INSETID)) {

			/*

			 * Deny if we're not in a set*uid() syscall to avoid

			 * giving powers gated by CAP_SETUID that are related

			 * to functionality other than calling set*uid() (e.g.

			 * allowing user to set up userns uid mappings).

			 */

			pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions",

				__kuid_val(cred->uid));

			return -1;

		}

	}

	/* We're only interested in CAP_SETUID. */

	if (cap != CAP_SETUID)

		return 0;

}

static int check_uid_transition(kuid_t parent, kuid_t child)

{

	if (check_setuid_policy_hashtable_key_value(parent, child))

		return 0;

	pr_warn("UID transition (%d -> %d) blocked",

		__kuid_val(parent),

		__kuid_val(child));

	/*

	 * Kill this process to avoid potential security vulnerabilities

	 * that could arise from a missing whitelist entry preventing a

	 * privileged process from dropping to a lesser-privileged one.

	 * If CAP_SETUID is currently used for a set*uid() syscall, we want to

	 * let it go through here; the real security check happens later, in the

	 * task_fix_setuid hook.

	 */

	force_sig(SIGKILL);

	return -EACCES;

}

	if ((opts & CAP_OPT_INSETID) != 0)

		return 0;

	/*

 * Check whether there is either an exception for user under old cred struct to

 * set*uid to user under new cred struct, or the UID transition is allowed (by

 * Linux set*uid rules) even without CAP_SETUID.

	 * If no policy applies to this task, allow the use of CAP_SETUID for

	 * other purposes.

	 */

static int safesetid_task_fix_setuid(struct cred *new,

				     const struct cred *old,

				     int flags)

{

	/* Do nothing if there are no setuid restrictions for this UID. */

	if (!check_setuid_policy_hashtable_key(old->uid))

	if (setuid_policy_lookup(cred->uid, INVALID_UID) == SIDPOL_DEFAULT)

		return 0;

	switch (flags) {

	case LSM_SETID_RE:

		/*

		 * Users for which setuid restrictions exist can only set the

		 * real UID to the real UID or the effective UID, unless an

		 * explicit whitelist policy allows the transition.

		 */

		if (!uid_eq(old->uid, new->uid) &&

			!uid_eq(old->euid, new->uid)) {

			return check_uid_transition(old->uid, new->uid);

		}

	/*

		 * Users for which setuid restrictions exist can only set the

		 * effective UID to the real UID, the effective UID, or the

		 * saved set-UID, unless an explicit whitelist policy allows

		 * the transition.

	 * Reject use of CAP_SETUID for functionality other than calling

	 * set*uid() (e.g. setting up userns uid mappings).

	 */

		if (!uid_eq(old->uid, new->euid) &&

			!uid_eq(old->euid, new->euid) &&

			!uid_eq(old->suid, new->euid)) {

			return check_uid_transition(old->euid, new->euid);

	pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n",

		__kuid_val(cred->uid));

	return -EPERM;

}

		break;

	case LSM_SETID_ID:

/*

		 * Users for which setuid restrictions exist cannot change the

		 * real UID or saved set-UID unless an explicit whitelist

		 * policy allows the transition.

 * Check whether a caller with old credentials @old is allowed to switch to

 * credentials that contain @new_uid.

 */

		if (!uid_eq(old->uid, new->uid))

			return check_uid_transition(old->uid, new->uid);

		if (!uid_eq(old->suid, new->suid))

			return check_uid_transition(old->suid, new->suid);

		break;

	case LSM_SETID_RES:

static bool uid_permitted_for_cred(const struct cred *old, kuid_t new_uid)

{

	bool permitted;

	/* If our old creds already had this UID in it, it's fine. */

	if (uid_eq(new_uid, old->uid) || uid_eq(new_uid, old->euid) ||

	    uid_eq(new_uid, old->suid))

		return true;

	/*

		 * Users for which setuid restrictions exist cannot change the

		 * real UID, effective UID, or saved set-UID to anything but

		 * one of: the current real UID, the current effective UID or

		 * the current saved set-user-ID unless an explicit whitelist

		 * policy allows the transition.

	 * Transitions to new UIDs require a check against the policy of the old

	 * RUID.

	 */

		if (!uid_eq(new->uid, old->uid) &&

			!uid_eq(new->uid, old->euid) &&

			!uid_eq(new->uid, old->suid)) {

			return check_uid_transition(old->uid, new->uid);

	permitted =

	    setuid_policy_lookup(old->uid, new_uid) != SIDPOL_CONSTRAINED;

	if (!permitted) {

		pr_warn("UID transition ((%d,%d,%d) -> %d) blocked\n",

			__kuid_val(old->uid), __kuid_val(old->euid),

			__kuid_val(old->suid), __kuid_val(new_uid));

	}

		if (!uid_eq(new->euid, old->uid) &&

			!uid_eq(new->euid, old->euid) &&

			!uid_eq(new->euid, old->suid)) {

			return check_uid_transition(old->euid, new->euid);

	return permitted;

}

		if (!uid_eq(new->suid, old->uid) &&

			!uid_eq(new->suid, old->euid) &&

			!uid_eq(new->suid, old->suid)) {

			return check_uid_transition(old->suid, new->suid);

		}

		break;

	case LSM_SETID_FS:

/*

		 * Users for which setuid restrictions exist cannot change the

		 * filesystem UID to anything but one of: the current real UID,

		 * the current effective UID or the current saved set-UID

		 * unless an explicit whitelist policy allows the transition.

 * Check whether there is either an exception for user under old cred struct to

 * set*uid to user under new cred struct, or the UID transition is allowed (by

 * Linux set*uid rules) even without CAP_SETUID.

 */

		if (!uid_eq(new->fsuid, old->uid)  &&

			!uid_eq(new->fsuid, old->euid)  &&

			!uid_eq(new->fsuid, old->suid) &&

			!uid_eq(new->fsuid, old->fsuid)) {

			return check_uid_transition(old->fsuid, new->fsuid);

		}

		break;

	default:

		pr_warn("Unknown setid state %d\n", flags);

		force_sig(SIGKILL);

		return -EINVAL;

	}

	return 0;

}

int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child)

static int safesetid_task_fix_setuid(struct cred *new,

				     const struct cred *old,

				     int flags)

{

	struct entry *new;

	/* Return if entry already exists */

	if (check_setuid_policy_hashtable_key_value(parent, child))

	/* Do nothing if there are no setuid restrictions for our old RUID. */

	if (setuid_policy_lookup(old->uid, INVALID_UID) == SIDPOL_DEFAULT)

		return 0;

	new = kzalloc(sizeof(struct entry), GFP_KERNEL);

	if (!new)

		return -ENOMEM;

	new->parent_kuid = __kuid_val(parent);

	new->child_kuid = __kuid_val(child);

	spin_lock(&safesetid_whitelist_hashtable_spinlock);

	hash_add_rcu(safesetid_whitelist_hashtable,

		     &new->next,

		     __kuid_val(parent));

	spin_unlock(&safesetid_whitelist_hashtable_spinlock);

	if (uid_permitted_for_cred(old, new->uid) &&

	    uid_permitted_for_cred(old, new->euid) &&

	    uid_permitted_for_cred(old, new->suid) &&

	    uid_permitted_for_cred(old, new->fsuid))

		return 0;

}

void flush_safesetid_whitelist_entries(void)

{

	struct entry *entry;

	struct hlist_node *hlist_node;

	unsigned int bkt_loop_cursor;

	HLIST_HEAD(free_list);

	/*

	 * Could probably use hash_for_each_rcu here instead, but this should

	 * be fine as well.

	 * Kill this process to avoid potential security vulnerabilities

	 * that could arise from a missing whitelist entry preventing a

	 * privileged process from dropping to a lesser-privileged one.

	 */

	spin_lock(&safesetid_whitelist_hashtable_spinlock);

	hash_for_each_safe(safesetid_whitelist_hashtable, bkt_loop_cursor,

			   hlist_node, entry, next) {

		hash_del_rcu(&entry->next);

		hlist_add_head(&entry->dlist, &free_list);

	}

	spin_unlock(&safesetid_whitelist_hashtable_spinlock);

	synchronize_rcu();

	hlist_for_each_entry_safe(entry, hlist_node, &free_list, dlist) {

		hlist_del(&entry->dlist);

		kfree(entry);

	}

	force_sig(SIGKILL);

	return -EACCES;

}

static struct security_hook_list safesetid_security_hooks[] = {

#define _SAFESETID_H

#include <linux/types.h>

#include <linux/uidgid.h>

#include <linux/hashtable.h>

/* Flag indicating whether initialization completed */

extern int safesetid_initialized;

/* Function type. */

enum safesetid_whitelist_file_write_type {

	SAFESETID_WHITELIST_ADD, /* Add whitelist policy. */

	SAFESETID_WHITELIST_FLUSH, /* Flush whitelist policies. */

enum sid_policy_type {

	SIDPOL_DEFAULT, /* source ID is unaffected by policy */

	SIDPOL_CONSTRAINED, /* source ID is affected by policy */

	SIDPOL_ALLOWED /* target ID explicitly allowed */

};

/* Add entry to safesetid whitelist to allow 'parent' to setid to 'child'. */

int add_safesetid_whitelist_entry(kuid_t parent, kuid_t child);

/*

 * Hash table entry to store safesetid policy signifying that 'src_uid'

 * can setuid to 'dst_uid'.

 */

struct setuid_rule {

	struct hlist_node next;

	kuid_t src_uid;

	kuid_t dst_uid;

};

#define SETID_HASH_BITS 8 /* 256 buckets in hash table */

struct setuid_ruleset {

	DECLARE_HASHTABLE(rules, SETID_HASH_BITS);

	char *policy_str;

	struct rcu_head rcu;

};

enum sid_policy_type _setuid_policy_lookup(struct setuid_ruleset *policy,

		kuid_t src, kuid_t dst);

void flush_safesetid_whitelist_entries(void);

extern struct setuid_ruleset __rcu *safesetid_setuid_rules;

#endif /* _SAFESETID_H */

 * published by the Free Software Foundation.

 *

 */

#define pr_fmt(fmt) "SafeSetID: " fmt

#include <linux/security.h>

#include <linux/cred.h>

#include "lsm.h"

static struct dentry *safesetid_policy_dir;

struct safesetid_file_entry {

	const char *name;

	enum safesetid_whitelist_file_write_type type;

	struct dentry *dentry;

};

static struct safesetid_file_entry safesetid_files[] = {

	{.name = "add_whitelist_policy",

	 .type = SAFESETID_WHITELIST_ADD},

	{.name = "flush_whitelist_policies",

	 .type = SAFESETID_WHITELIST_FLUSH},

};

static DEFINE_MUTEX(policy_update_lock);

/*

 * In the case the input buffer contains one or more invalid UIDs, the kuid_t

 * variables pointed to by 'parent' and 'child' will get updated but this

 * variables pointed to by @parent and @child will get updated but this

 * function will return an error.

 * Contents of @buf may be modified.

 */

static int parse_safesetid_whitelist_policy(const char __user *buf,

					    size_t len,

					    kuid_t *parent,

					    kuid_t *child)

static int parse_policy_line(struct file *file, char *buf,

	struct setuid_rule *rule)

{

	char *kern_buf;

	char *parent_buf;

	char *child_buf;

	const char separator[] = ":";

	char *child_str;

	int ret;

	size_t first_substring_length;

	long parsed_parent;

	long parsed_child;

	u32 parsed_parent, parsed_child;

	/* Duplicate string from user memory and NULL-terminate */

	kern_buf = memdup_user_nul(buf, len);

	if (IS_ERR(kern_buf))

		return PTR_ERR(kern_buf);

	/* Format of |buf| string should be <UID>:<UID>. */

	child_str = strchr(buf, ':');

	if (child_str == NULL)

		return -EINVAL;

	*child_str = '\0';

	child_str++;

	/*

	 * Format of |buf| string should be <UID>:<UID>.

	 * Find location of ":" in kern_buf (copied from |buf|).

	 */

	first_substring_length = strcspn(kern_buf, separator);

	if (first_substring_length == 0 || first_substring_length == len) {

		ret = -EINVAL;

		goto free_kern;

	ret = kstrtou32(buf, 0, &parsed_parent);

	if (ret)

		return ret;

	ret = kstrtou32(child_str, 0, &parsed_child);

	if (ret)

		return ret;

	rule->src_uid = make_kuid(file->f_cred->user_ns, parsed_parent);

	rule->dst_uid = make_kuid(file->f_cred->user_ns, parsed_child);

	if (!uid_valid(rule->src_uid) || !uid_valid(rule->dst_uid))

		return -EINVAL;

	return 0;

}

	parent_buf = kmemdup_nul(kern_buf, first_substring_length, GFP_KERNEL);

	if (!parent_buf) {

		ret = -ENOMEM;

		goto free_kern;

static void __release_ruleset(struct rcu_head *rcu)

{

	struct setuid_ruleset *pol =

		container_of(rcu, struct setuid_ruleset, rcu);

	int bucket;

	struct setuid_rule *rule;

	struct hlist_node *tmp;

	hash_for_each_safe(pol->rules, bucket, tmp, rule, next)

		kfree(rule);

	kfree(pol->policy_str);

	kfree(pol);

}

	ret = kstrtol(parent_buf, 0, &parsed_parent);

	if (ret)

		goto free_both;

static void release_ruleset(struct setuid_ruleset *pol)

{

	call_rcu(&pol->rcu, __release_ruleset);

}

	child_buf = kern_buf + first_substring_length + 1;

	ret = kstrtol(child_buf, 0, &parsed_child);

	if (ret)

		goto free_both;

static void insert_rule(struct setuid_ruleset *pol, struct setuid_rule *rule)

{

	hash_add(pol->rules, &rule->next, __kuid_val(rule->src_uid));

}

	*parent = make_kuid(current_user_ns(), parsed_parent);

	if (!uid_valid(*parent)) {

		ret = -EINVAL;

		goto free_both;

static int verify_ruleset(struct setuid_ruleset *pol)

{

	int bucket;

	struct setuid_rule *rule, *nrule;

	int res = 0;

	hash_for_each(pol->rules, bucket, rule, next) {

		if (_setuid_policy_lookup(pol, rule->dst_uid, INVALID_UID) ==

		    SIDPOL_DEFAULT) {

			pr_warn("insecure policy detected: uid %d is constrained but transitively unconstrained through uid %d\n",

				__kuid_val(rule->src_uid),

				__kuid_val(rule->dst_uid));

			res = -EINVAL;

			/* fix it up */

			nrule = kmalloc(sizeof(struct setuid_rule), GFP_KERNEL);

			if (!nrule)

				return -ENOMEM;

			nrule->src_uid = rule->dst_uid;

			nrule->dst_uid = rule->dst_uid;

			insert_rule(pol, nrule);

		}

	}

	return res;

}

static ssize_t handle_policy_update(struct file *file,

				    const char __user *ubuf, size_t len)

{

	struct setuid_ruleset *pol;

	char *buf, *p, *end;

	int err;

	pol = kmalloc(sizeof(struct setuid_ruleset), GFP_KERNEL);

	if (!pol)

		return -ENOMEM;

	pol->policy_str = NULL;

	hash_init(pol->rules);

	*child = make_kuid(current_user_ns(), parsed_child);

	if (!uid_valid(*child)) {

		ret = -EINVAL;

		goto free_both;

	p = buf = memdup_user_nul(ubuf, len);

	if (IS_ERR(buf)) {

		err = PTR_ERR(buf);

		goto out_free_pol;

	}

	pol->policy_str = kstrdup(buf, GFP_KERNEL);

	if (pol->policy_str == NULL) {

		err = -ENOMEM;

		goto out_free_buf;

	}

free_both:

	kfree(parent_buf);

free_kern:

	kfree(kern_buf);

	return ret;

	/* policy lines, including the last one, end with \n */

	while (*p != '\0') {

		struct setuid_rule *rule;

		end = strchr(p, '\n');

		if (end == NULL) {

			err = -EINVAL;

			goto out_free_buf;

		}

		*end = '\0';

		rule = kmalloc(sizeof(struct setuid_rule), GFP_KERNEL);

		if (!rule) {

			err = -ENOMEM;

			goto out_free_buf;

		}

		err = parse_policy_line(file, p, rule);

		if (err)

			goto out_free_rule;

		if (_setuid_policy_lookup(pol, rule->src_uid, rule->dst_uid) ==

		    SIDPOL_ALLOWED) {

			pr_warn("bad policy: duplicate entry\n");

			err = -EEXIST;

			goto out_free_rule;

		}

		insert_rule(pol, rule);

		p = end + 1;

		continue;

out_free_rule:

		kfree(rule);

		goto out_free_buf;

	}

	err = verify_ruleset(pol);

	/* bogus policy falls through after fixing it up */

	if (err && err != -EINVAL)

		goto out_free_buf;

	/*

	 * Everything looks good, apply the policy and release the old one.

	 * What we really want here is an xchg() wrapper for RCU, but since that

	 * doesn't currently exist, just use a spinlock for now.

	 */

	mutex_lock(&policy_update_lock);

	rcu_swap_protected(safesetid_setuid_rules, pol,

			   lockdep_is_held(&policy_update_lock));

	mutex_unlock(&policy_update_lock);

	err = len;

out_free_buf:

	kfree(buf);

out_free_pol:

	release_ruleset(pol);

	return err;

}

static ssize_t safesetid_file_write(struct file *file,

				    size_t len,

				    loff_t *ppos)

{

	struct safesetid_file_entry *file_entry =

		file->f_inode->i_private;

	kuid_t parent;

	kuid_t child;

	int ret;

	if (!ns_capable(current_user_ns(), CAP_MAC_ADMIN))

	if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN))

		return -EPERM;

	if (*ppos != 0)

		return -EINVAL;

	switch (file_entry->type) {

	case SAFESETID_WHITELIST_FLUSH:

		flush_safesetid_whitelist_entries();

		break;

	case SAFESETID_WHITELIST_ADD:

		ret = parse_safesetid_whitelist_policy(buf, len, &parent,

								 &child);

		if (ret)

			return ret;

		ret = add_safesetid_whitelist_entry(parent, child);

		if (ret)

			return ret;

		break;

	default:

		pr_warn("Unknown securityfs file %d\n", file_entry->type);

		break;

	return handle_policy_update(file, buf, len);

}

	/* Return len on success so caller won't keep trying to write */

	return len;

static ssize_t safesetid_file_read(struct file *file, char __user *buf,

				   size_t len, loff_t *ppos)

{

	ssize_t res = 0;

	struct setuid_ruleset *pol;

	const char *kbuf;

	mutex_lock(&policy_update_lock);

	pol = rcu_dereference_protected(safesetid_setuid_rules,

					lockdep_is_held(&policy_update_lock));

	if (pol) {

		kbuf = pol->policy_str;