1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * SafeSetID Linux Security Module 4 * 5 * Author: Micah Morton <mortonm@chromium.org> 6 * 7 * Copyright (C) 2018 The Chromium OS Authors. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License version 2, as 11 * published by the Free Software Foundation. 12 * 13 */ 14 15 #define pr_fmt(fmt) "SafeSetID: " fmt 16 17 #include <linux/security.h> 18 #include <linux/cred.h> 19 20 #include "lsm.h" 21 22 static DEFINE_MUTEX(uid_policy_update_lock); 23 static DEFINE_MUTEX(gid_policy_update_lock); 24 25 /* 26 * In the case the input buffer contains one or more invalid IDs, the kid_t 27 * variables pointed to by @parent and @child will get updated but this 28 * function will return an error. 29 * Contents of @buf may be modified. 30 */ 31 static int parse_policy_line(struct file *file, char *buf, 32 struct setid_rule *rule) 33 { 34 char *child_str; 35 int ret; 36 u32 parsed_parent, parsed_child; 37 38 /* Format of |buf| string should be <UID>:<UID> or <GID>:<GID> */ 39 child_str = strchr(buf, ':'); 40 if (child_str == NULL) 41 return -EINVAL; 42 *child_str = '\0'; 43 child_str++; 44 45 ret = kstrtou32(buf, 0, &parsed_parent); 46 if (ret) 47 return ret; 48 49 ret = kstrtou32(child_str, 0, &parsed_child); 50 if (ret) 51 return ret; 52 53 if (rule->type == UID){ 54 rule->src_id.uid = make_kuid(file->f_cred->user_ns, parsed_parent); 55 rule->dst_id.uid = make_kuid(file->f_cred->user_ns, parsed_child); 56 if (!uid_valid(rule->src_id.uid) || !uid_valid(rule->dst_id.uid)) 57 return -EINVAL; 58 } else if (rule->type == GID){ 59 rule->src_id.gid = make_kgid(file->f_cred->user_ns, parsed_parent); 60 rule->dst_id.gid = make_kgid(file->f_cred->user_ns, parsed_child); 61 if (!gid_valid(rule->src_id.gid) || !gid_valid(rule->dst_id.gid)) 62 return -EINVAL; 63 } else { 64 /* Error, rule->type is an invalid type */ 65 return -EINVAL; 66 } 67 return 0; 68 } 69 70 static void __release_ruleset(struct rcu_head *rcu) 71 { 72 struct setid_ruleset *pol = 73 container_of(rcu, struct setid_ruleset, rcu); 74 int bucket; 75 struct setid_rule *rule; 76 struct hlist_node *tmp; 77 78 hash_for_each_safe(pol->rules, bucket, tmp, rule, next) 79 kfree(rule); 80 kfree(pol->policy_str); 81 kfree(pol); 82 } 83 84 static void release_ruleset(struct setid_ruleset *pol){ 85 call_rcu(&pol->rcu, __release_ruleset); 86 } 87 88 static void insert_rule(struct setid_ruleset *pol, struct setid_rule *rule) 89 { 90 if (pol->type == UID) 91 hash_add(pol->rules, &rule->next, __kuid_val(rule->src_id.uid)); 92 else if (pol->type == GID) 93 hash_add(pol->rules, &rule->next, __kgid_val(rule->src_id.gid)); 94 else /* Error, pol->type is neither UID or GID */ 95 return; 96 } 97 98 static int verify_ruleset(struct setid_ruleset *pol) 99 { 100 int bucket; 101 struct setid_rule *rule, *nrule; 102 int res = 0; 103 104 hash_for_each(pol->rules, bucket, rule, next) { 105 if (_setid_policy_lookup(pol, rule->dst_id, INVALID_ID) == SIDPOL_DEFAULT) { 106 if (pol->type == UID) { 107 pr_warn("insecure policy detected: uid %d is constrained but transitively unconstrained through uid %d\n", 108 __kuid_val(rule->src_id.uid), 109 __kuid_val(rule->dst_id.uid)); 110 } else if (pol->type == GID) { 111 pr_warn("insecure policy detected: gid %d is constrained but transitively unconstrained through gid %d\n", 112 __kgid_val(rule->src_id.gid), 113 __kgid_val(rule->dst_id.gid)); 114 } else { /* pol->type is an invalid type */ 115 res = -EINVAL; 116 return res; 117 } 118 res = -EINVAL; 119 120 /* fix it up */ 121 nrule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL); 122 if (!nrule) 123 return -ENOMEM; 124 if (pol->type == UID){ 125 nrule->src_id.uid = rule->dst_id.uid; 126 nrule->dst_id.uid = rule->dst_id.uid; 127 nrule->type = UID; 128 } else { /* pol->type must be GID if we've made it to here */ 129 nrule->src_id.gid = rule->dst_id.gid; 130 nrule->dst_id.gid = rule->dst_id.gid; 131 nrule->type = GID; 132 } 133 insert_rule(pol, nrule); 134 } 135 } 136 return res; 137 } 138 139 static ssize_t handle_policy_update(struct file *file, 140 const char __user *ubuf, size_t len, enum setid_type policy_type) 141 { 142 struct setid_ruleset *pol; 143 char *buf, *p, *end; 144 int err; 145 146 pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL); 147 if (!pol) 148 return -ENOMEM; 149 pol->policy_str = NULL; 150 pol->type = policy_type; 151 hash_init(pol->rules); 152 153 p = buf = memdup_user_nul(ubuf, len); 154 if (IS_ERR(buf)) { 155 err = PTR_ERR(buf); 156 goto out_free_pol; 157 } 158 pol->policy_str = kstrdup(buf, GFP_KERNEL); 159 if (pol->policy_str == NULL) { 160 err = -ENOMEM; 161 goto out_free_buf; 162 } 163 164 /* policy lines, including the last one, end with \n */ 165 while (*p != '\0') { 166 struct setid_rule *rule; 167 168 end = strchr(p, '\n'); 169 if (end == NULL) { 170 err = -EINVAL; 171 goto out_free_buf; 172 } 173 *end = '\0'; 174 175 rule = kmalloc(sizeof(struct setid_rule), GFP_KERNEL); 176 if (!rule) { 177 err = -ENOMEM; 178 goto out_free_buf; 179 } 180 181 rule->type = policy_type; 182 err = parse_policy_line(file, p, rule); 183 if (err) 184 goto out_free_rule; 185 186 if (_setid_policy_lookup(pol, rule->src_id, rule->dst_id) == SIDPOL_ALLOWED) { 187 pr_warn("bad policy: duplicate entry\n"); 188 err = -EEXIST; 189 goto out_free_rule; 190 } 191 192 insert_rule(pol, rule); 193 p = end + 1; 194 continue; 195 196 out_free_rule: 197 kfree(rule); 198 goto out_free_buf; 199 } 200 201 err = verify_ruleset(pol); 202 /* bogus policy falls through after fixing it up */ 203 if (err && err != -EINVAL) 204 goto out_free_buf; 205 206 /* 207 * Everything looks good, apply the policy and release the old one. 208 * What we really want here is an xchg() wrapper for RCU, but since that 209 * doesn't currently exist, just use a spinlock for now. 210 */ 211 if (policy_type == UID) { 212 mutex_lock(&uid_policy_update_lock); 213 pol = rcu_replace_pointer(safesetid_setuid_rules, pol, 214 lockdep_is_held(&uid_policy_update_lock)); 215 mutex_unlock(&uid_policy_update_lock); 216 } else if (policy_type == GID) { 217 mutex_lock(&gid_policy_update_lock); 218 pol = rcu_replace_pointer(safesetid_setgid_rules, pol, 219 lockdep_is_held(&gid_policy_update_lock)); 220 mutex_unlock(&gid_policy_update_lock); 221 } else { 222 /* Error, policy type is neither UID or GID */ 223 pr_warn("error: bad policy type"); 224 } 225 err = len; 226 227 out_free_buf: 228 kfree(buf); 229 out_free_pol: 230 if (pol) 231 release_ruleset(pol); 232 return err; 233 } 234 235 static ssize_t safesetid_uid_file_write(struct file *file, 236 const char __user *buf, 237 size_t len, 238 loff_t *ppos) 239 { 240 if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN)) 241 return -EPERM; 242 243 if (*ppos != 0) 244 return -EINVAL; 245 246 return handle_policy_update(file, buf, len, UID); 247 } 248 249 static ssize_t safesetid_gid_file_write(struct file *file, 250 const char __user *buf, 251 size_t len, 252 loff_t *ppos) 253 { 254 if (!file_ns_capable(file, &init_user_ns, CAP_MAC_ADMIN)) 255 return -EPERM; 256 257 if (*ppos != 0) 258 return -EINVAL; 259 260 return handle_policy_update(file, buf, len, GID); 261 } 262 263 static ssize_t safesetid_file_read(struct file *file, char __user *buf, 264 size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) 265 { 266 ssize_t res = 0; 267 struct setid_ruleset *pol; 268 const char *kbuf; 269 270 mutex_lock(policy_update_lock); 271 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); 272 if (pol) { 273 kbuf = pol->policy_str; 274 res = simple_read_from_buffer(buf, len, ppos, 275 kbuf, strlen(kbuf)); 276 } 277 mutex_unlock(policy_update_lock); 278 279 return res; 280 } 281 282 static ssize_t safesetid_uid_file_read(struct file *file, char __user *buf, 283 size_t len, loff_t *ppos) 284 { 285 return safesetid_file_read(file, buf, len, ppos, 286 &uid_policy_update_lock, safesetid_setuid_rules); 287 } 288 289 static ssize_t safesetid_gid_file_read(struct file *file, char __user *buf, 290 size_t len, loff_t *ppos) 291 { 292 return safesetid_file_read(file, buf, len, ppos, 293 &gid_policy_update_lock, safesetid_setgid_rules); 294 } 295 296 297 298 static const struct file_operations safesetid_uid_file_fops = { 299 .read = safesetid_uid_file_read, 300 .write = safesetid_uid_file_write, 301 }; 302 303 static const struct file_operations safesetid_gid_file_fops = { 304 .read = safesetid_gid_file_read, 305 .write = safesetid_gid_file_write, 306 }; 307 308 static int __init safesetid_init_securityfs(void) 309 { 310 int ret; 311 struct dentry *policy_dir; 312 struct dentry *uid_policy_file; 313 struct dentry *gid_policy_file; 314 315 if (!safesetid_initialized) 316 return 0; 317 318 policy_dir = securityfs_create_dir("safesetid", NULL); 319 if (IS_ERR(policy_dir)) { 320 ret = PTR_ERR(policy_dir); 321 goto error; 322 } 323 324 uid_policy_file = securityfs_create_file("uid_allowlist_policy", 0600, 325 policy_dir, NULL, &safesetid_uid_file_fops); 326 if (IS_ERR(uid_policy_file)) { 327 ret = PTR_ERR(uid_policy_file); 328 goto error; 329 } 330 331 gid_policy_file = securityfs_create_file("gid_allowlist_policy", 0600, 332 policy_dir, NULL, &safesetid_gid_file_fops); 333 if (IS_ERR(gid_policy_file)) { 334 ret = PTR_ERR(gid_policy_file); 335 goto error; 336 } 337 338 339 return 0; 340 341 error: 342 securityfs_remove(policy_dir); 343 return ret; 344 } 345 fs_initcall(safesetid_init_securityfs); 346