Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull general security subsystem updates from James Morris: "TPM (from Jarkko): - essential clean up for tpm_crb so that ARM64 and x86 versions do not distract each other as much as before - /dev/tpm0 rejects now too short writes (shorter buffer than specified in the command header - use DMA-safe buffer in tpm_tis_spi - otherwise mostly minor fixes. Smack: - base support for overlafs Capabilities: - BPRM_FCAPS fixes, from Richard Guy Briggs: The audit subsystem is adding a BPRM_FCAPS record when auditing setuid application execution (SYSCALL execve). This is not expected as it was supposed to be limited to when the file system actually had capabilities in an extended attribute. It lists all capabilities making the event really ugly to parse what is happening. The PATH record correctly records the setuid bit and owner. Suppress the BPRM_FCAPS record on set*id. TOMOYO: - Y2038 timestamping fixes" * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (28 commits) MAINTAINERS: update the IMA, EVM, trusted-keys, encrypted-keys entries Smack: Base support for overlayfs MAINTAINERS: remove David Safford as maintainer for encrypted+trusted keys tomoyo: fix timestamping for y2038 capabilities: audit log other surprising conditions capabilities: fix logic for effective root or real root capabilities: invert logic for clarity capabilities: remove a layer of conditional logic capabilities: move audit log decision to function capabilities: use intuitive names for id changes capabilities: use root_priveleged inline to clarify logic capabilities: rename has_cap to has_fcap capabilities: intuitive names for cap gain status capabilities: factor out cap_bprm_set_creds privileged root tpm, tpm_tis: use ARRAY_SIZE() to define TPM_HID_USR_IDX tpm: fix duplicate inline declaration specifier tpm: fix type of a local variables in tpm_tis_spi.c tpm: fix type of a local variable in tpm2_map_command() tpm: fix type of a local variable in tpm2_get_cc_attrs_tbl() tpm-dev-common: Reject too short writes ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-11-13 13:30:44 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-11-13 13:30:44 -0500
commit: 55b3a0cb5aeef0961ee18eac058e488f149a0053 (patch)
tree: b8ac5161349f5e5dea8b2a29842fe43ee78f23a2 /security/commoncap.c
parent: dee02770cdcd8bc06a48c917ce5df2fb56cf6059 (diff)
parent: 34d8751fd4ffa34e85ee7e85d34168b3f3f62b42 (diff)
1 files changed, 128 insertions, 65 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index fc46f5b85251..4f8e09340956 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -536,7 +536,7 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
                                          struct linux_binprm *bprm,
                                          bool *effective,
-                                          bool *has_cap)
+                                          bool *has_fcap)
 {
        struct cred *new = bprm->cred;
        unsigned i;
@@ -546,7 +546,7 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
                *effective = true;
        if (caps->magic_etc & VFS_CAP_REVISION_MASK)
-                *has_cap = true;
+                *has_fcap = true;
        CAP_FOR_EACH_U32(i) {
                __u32 permitted = caps->permitted.cap[i];
@@ -653,7 +653,7 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
 * its xattrs and, if present, apply them to the proposed credentials being
 * constructed by execve().
 */
-static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
+static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_fcap)
 {
        int rc = 0;
        struct cpu_vfs_cap_data vcaps;
@@ -684,7 +684,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
                goto out;
        }
-        rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
+        rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
        if (rc == -EINVAL)
                printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
                       __func__, rc, bprm->filename);
@@ -696,6 +696,115 @@ out:
        return rc;
 }
+static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
+static inline bool __is_real(kuid_t uid, struct cred *cred)
+{ return uid_eq(cred->uid, uid); }
+static inline bool __is_eff(kuid_t uid, struct cred *cred)
+{ return uid_eq(cred->euid, uid); }
+static inline bool __is_suid(kuid_t uid, struct cred *cred)
+{ return !__is_real(uid, cred) && __is_eff(uid, cred); }
+/*
+ * handle_privileged_root - Handle case of privileged root
+ * @bprm: The execution parameters, including the proposed creds
+ * @has_fcap: Are any file capabilities set?
+ * @effective: Do we have effective root privilege?
+ * @root_uid: This namespace' root UID WRT initial USER namespace
+ *
+ * Handle the case where root is privileged and hasn't been neutered by
+ * SECURE_NOROOT.  If file capabilities are set, they won't be combined with
+ * set UID root and nothing is changed.  If we are root, cap_permitted is
+ * updated.  If we have become set UID root, the effective bit is set.
+ */
+static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
+                                   bool *effective, kuid_t root_uid)
+{
+        const struct cred *old = current_cred();
+        struct cred *new = bprm->cred;
+        if (!root_privileged())
+                return;
+        /*
+         * If the legacy file capability is set, then don't set privs
+         * for a setuid root binary run by a non-root user.  Do set it
+         * for a root user just to cause least surprise to an admin.
+         */
+        if (has_fcap && __is_suid(root_uid, new)) {
+                warn_setuid_and_fcaps_mixed(bprm->filename);
+                return;
+        }
+        /*
+         * To support inheritance of root-permissions and suid-root
+         * executables under compatibility mode, we override the
+         * capability sets for the file.
+         */
+        if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
+                /* pP' = (cap_bset & ~0) | (pI & ~0) */
+                new->cap_permitted = cap_combine(old->cap_bset,
+                                                 old->cap_inheritable);
+        }
+        /*
+         * If only the real uid is 0, we do not set the effective bit.
+         */
+        if (__is_eff(root_uid, new))
+                *effective = true;
+}
+#define __cap_gained(field, target, source) \
+        !cap_issubset(target->cap_##field, source->cap_##field)
+#define __cap_grew(target, source, cred) \
+        !cap_issubset(cred->cap_##target, cred->cap_##source)
+#define __cap_full(field, cred) \
+        cap_issubset(CAP_FULL_SET, cred->cap_##field)
+static inline bool __is_setuid(struct cred *new, const struct cred *old)
+{ return !uid_eq(new->euid, old->uid); }
+static inline bool __is_setgid(struct cred *new, const struct cred *old)
+{ return !gid_eq(new->egid, old->gid); }
+/*
+ * 1) Audit candidate if current->cap_effective is set
+ *
+ * We do not bother to audit if 3 things are true:
+ *   1) cap_effective has all caps
+ *   2) we became root *OR* are were already root
+ *   3) root is supposed to have all caps (SECURE_NOROOT)
+ * Since this is just a normal root execing a process.
+ *
+ * Number 1 above might fail if you don't have a full bset, but I think
+ * that is interesting information to audit.
+ *
+ * A number of other conditions require logging:
+ * 2) something prevented setuid root getting all caps
+ * 3) non-setuid root gets fcaps
+ * 4) non-setuid root gets ambient
+ */
+static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
+                                     kuid_t root, bool has_fcap)
+{
+        bool ret = false;
+        if ((__cap_grew(effective, ambient, new) &&
+             !(__cap_full(effective, new) &&
+               (__is_eff(root, new) || __is_real(root, new)) &&
+               root_privileged())) ||
+            (root_privileged() &&
+             __is_suid(root, new) &&
+             !__cap_full(effective, new)) ||
+            (!__is_setuid(new, old) &&
+             ((has_fcap &&
+               __cap_gained(permitted, new, old)) ||
+              __cap_gained(ambient, new, old))))
+                ret = true;
+        return ret;
+}
 /**
 * cap_bprm_set_creds - Set up the proposed credentials for execve().
 * @bprm: The execution parameters, including the proposed creds
@@ -708,61 +817,33 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
 {
        const struct cred *old = current_cred();
        struct cred *new = bprm->cred;
-        bool effective, has_cap = false, is_setid;
+        bool effective = false, has_fcap = false, is_setid;
        int ret;
        kuid_t root_uid;
        if (WARN_ON(!cap_ambient_invariant_ok(old)))
                return -EPERM;
-        effective = false;
+        ret = get_file_caps(bprm, &effective, &has_fcap);
-        ret = get_file_caps(bprm, &effective, &has_cap);
        if (ret < 0)
                return ret;
        root_uid = make_kuid(new->user_ns, 0);
-        if (!issecure(SECURE_NOROOT)) {
+        handle_privileged_root(bprm, has_fcap, &effective, root_uid);
-                /*
-                 * If the legacy file capability is set, then don't set privs
-                 * for a setuid root binary run by a non-root user.  Do set it
-                 * for a root user just to cause least surprise to an admin.
-                 */
-                if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
-                        warn_setuid_and_fcaps_mixed(bprm->filename);
-                        goto skip;
-                }
-                /*
-                 * To support inheritance of root-permissions and suid-root
-                 * executables under compatibility mode, we override the
-                 * capability sets for the file.
-                 *
-                 * If only the real uid is 0, we do not set the effective bit.
-                 */
-                if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
-                        /* pP' = (cap_bset & ~0) | (pI & ~0) */
-                        new->cap_permitted = cap_combine(old->cap_bset,
-                                                         old->cap_inheritable);
-                }
-                if (uid_eq(new->euid, root_uid))
-                        effective = true;
-        }
-skip:
        /* if we have fs caps, clear dangerous personality flags */
-        if (!cap_issubset(new->cap_permitted, old->cap_permitted))
+        if (__cap_gained(permitted, new, old))
                bprm->per_clear |= PER_CLEAR_ON_SETID;
        /* Don't let someone trace a set[ug]id/setpcap binary with the revised
         * credentials unless they have the appropriate permit.
         *
         * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
         */
-        is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
+        is_setid = __is_setuid(new, old) || __is_setgid(new, old);
-        if ((is_setid ||
+        if ((is_setid || __cap_gained(permitted, new, old)) &&
-             !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
            ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
             !ptracer_capable(current, new->user_ns))) {
                /* downgrade; they get no more than they had, and maybe less */
@@ -779,7 +860,7 @@ skip:
        new->sgid = new->fsgid = new->egid;
        /* File caps or setid cancels ambient. */
-        if (has_cap || is_setid)
+        if (has_fcap || is_setid)
                cap_clear(new->cap_ambient);
        /*
@@ -800,26 +881,10 @@ skip:
        if (WARN_ON(!cap_ambient_invariant_ok(new)))
                return -EPERM;
-        /*
+        if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
-         * Audit candidate if current->cap_effective is set
+                ret = audit_log_bprm_fcaps(bprm, new, old);
-         *
+                if (ret < 0)
-         * We do not bother to audit if 3 things are true:
+                        return ret;
-         *   1) cap_effective has all caps
-         *   2) we are root
-         *   3) root is supposed to have all caps (SECURE_NOROOT)
-         * Since this is just a normal root execing a process.
-         *
-         * Number 1 above might fail if you don't have a full bset, but I think
-         * that is interesting information to audit.
-         */
-        if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
-                if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
-                    !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
-                    issecure(SECURE_NOROOT)) {
-                        ret = audit_log_bprm_fcaps(bprm, new, old);
-                        if (ret < 0)
-                                return ret;
-                }
        }
        new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
@@ -829,13 +894,11 @@ skip:
        /* Check for privilege-elevated exec. */
        bprm->cap_elevated = 0;
-        if (is_setid) {
+        if (is_setid ||
+            (!__is_real(root_uid, new) &&
+             (effective ||
+              __cap_grew(permitted, ambient, new))))
                bprm->cap_elevated = 1;
-        } else if (!uid_eq(new->uid, root_uid)) {
-                if (effective ||
-                    !cap_issubset(new->cap_permitted, new->cap_ambient))
-                        bprm->cap_elevated = 1;
-        }
        return 0;
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-11-13 13:30:44 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-11-13 13:30:44 -0500
commit	55b3a0cb5aeef0961ee18eac058e488f149a0053 (patch)
tree	b8ac5161349f5e5dea8b2a29842fe43ee78f23a2 /security/commoncap.c
parent	dee02770cdcd8bc06a48c917ce5df2fb56cf6059 (diff)
parent	34d8751fd4ffa34e85ee7e85d34168b3f3f62b42 (diff)