projects / platform / kernel / linux-starfive.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fbd9acb) | patch
LSM: SafeSetID: verify transitive constrainedness
authorJann Horn <jannh@google.com>
Thu, 11 Apr 2019 20:12:43 +0000 (13:12 -0700)
committerMicah Morton <mortonm@chromium.org>
Mon, 15 Jul 2019 15:07:51 +0000 (08:07 -0700)
commit4f72123da579655855301b591535a1415224f123
tree6b9ca3a8a23eb20b41591819ee7fef3b04f207b4tree | snapshot
parentfbd9acb2dc2aa55902c48a83f157082849209fbacommit | diff
LSM: SafeSetID: verify transitive constrainedness

Someone might write a ruleset like the following, expecting that it
securely constrains UID 1 to UIDs 1, 2 and 3:

    1:2
    1:3

However, because no constraints are applied to UIDs 2 and 3, an attacker
with UID 1 can simply first switch to UID 2, then switch to any UID from
there. The secure way to write this ruleset would be:

    1:2
    1:3
    2:2
    3:3

, which uses "transition to self" as a way to inhibit the default-allow
policy without allowing anything specific.

This is somewhat unintuitive. To make sure that policy authors don't
accidentally write insecure policies because of this, let the kernel verify
that a new ruleset does not contain any entries that are constrained, but
transitively unconstrained.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
security/safesetid/securityfs.c diff | blob | history
tools/testing/selftests/safesetid/safesetid-test.c diff | blob | history
Domain: System / Kernel;